Container = Namespaces + CGroups + Layered Filesystem Namespaces A namespace wraps a global system resource in an abstraction that makes it appear to the processes within the namespace that they have their own isolated instance of the global resource. Changes to the global resource are visible to other processes that are members of the namespace but are invisible to other processes. Namespaces limit how much you can see and therefore use: 1. PID 2. Network 3. UTS 4. Mount 5. IPC 6. User CGroups (Control Groups) Control groups are a Linux kernel feature which allows processes to be organized into hierarchical groups whose usage of various types of resources can then be limited and monitored. CGroups limit how much you can use: 1. CPU 2. Memory Layered Filesystem Different files and directory structures are layered in order and on top of each other to be reflected as one directory tree. Layered Filesystem allows reuse and push/pull deltas. It's an advanced multilayered...