TL;DR
- A container image is a package format: a content-addressable bundle of content-addressable layers.
- Namespaces and cgroups are two key features of the Linux kernel that enable containerization.
- Containers running on a host share a single Linux kernel (a single scheduler, a single memory manager, and so on).
- The Linux kernel has many known and unknown bugs.
- Sandboxes are a way of getting an extra layer of isolation for containers.
- gVisor is an OCI container runtime that implements the Linux kernel API in userspace, written in Go.
- gVisor is a sandbox for containers: it does not let them talk directly to the host kernel.
- As a result, gVisor comes with some performance cost.
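To make the first bullet concrete, here is an added example (not code from the post or from gVisor) of what "content addressable" means for an image: every blob is named by the sha256 digest of its bytes, and a manifest references blobs only by digest, so a runtime can re-hash each layer and refuse anything that no longer matches its name. The `Descriptor`/`Manifest` types are a deliberately minimal subset of the OCI image spec, and all blob contents are constructed inline.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
)

// Descriptor names a blob by the sha256 digest of its own bytes (OCI content addressing).
type Descriptor struct {
	Digest string `json:"digest"`
	Size   int64  `json:"size"`
}

// Manifest is a minimal OCI image manifest: a config blob plus ordered layers.
type Manifest struct {
	Config Descriptor   `json:"config"`
	Layers []Descriptor `json:"layers"`
}

// digestOf returns the "sha256:<hex>" digest string registries use for a blob.
func digestOf(blob []byte) string {
	sum := sha256.Sum256(blob)
	return "sha256:" + hex.EncodeToString(sum[:])
}

// buildImage builds a manifest and a digest-keyed blob store from constructed bytes.
func buildImage(config []byte, layers [][]byte) (Manifest, map[string][]byte) {
	store := map[string][]byte{}
	add := func(b []byte) Descriptor {
		d := Descriptor{Digest: digestOf(b), Size: int64(len(b))}
		store[d.Digest] = b
		return d
	}
	m := Manifest{Config: add(config)}
	for _, l := range layers {
		m.Layers = append(m.Layers, add(l))
	}
	return m, store
}

// verifyImage re-hashes every referenced blob and returns the digests that no longer
// match their bytes (or are missing), so a runtime can refuse a tampered layer.
func verifyImage(m Manifest, store map[string][]byte) (bad []string) {
	for _, d := range append([]Descriptor{m.Config}, m.Layers...) {
		b, ok := store[d.Digest]
		if !ok || int64(len(b)) != d.Size || digestOf(b) != d.Digest {
			bad = append(bad, d.Digest)
		}
	}
	return bad
}
```

Because each layer digest is part of the manifest, changing any layer also changes the manifest's own digest, which is why pulling an image by manifest digest pins the exact bytes of every layer.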