• A container is a package format and a content-addressable bundle of content-addressable layers!
  • Namespaces and cgroups are the two key Linux kernel features that enable containerization.
  • Containers running on a host share a single Linux kernel! (a single scheduler, a single memory manager, and so on)
  • The Linux kernel has so many known and unknown bugs!
  • Sandboxes are a way of getting an extra layer of isolation for containers.
  • gVisor is an OCI container runtime that implements the Linux kernel API in userspace, written in Go.
  • gVisor is a sandbox for containers: it intercepts their system calls and does not let them talk directly to the host kernel.
  • As a result, gVisor comes with some performance cost.
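The following is an added example, not part of the original notes, showing how gVisor is wired in as an extra OCI runtime on a Docker host so that selected containers run under its sandbox rather than directly on the host kernel. It assumes `runsc` (gVisor's runtime binary) is installed at `/usr/local/bin/runsc`; the path and the `--debug-log` directory are assumptions for illustration.

```json
{
  "runtimes": {
    "runsc": {
      "path": "/usr/local/bin/runsc",
      "runtimeArgs": [
        "--debug-log=/var/log/runsc/"
      ]
    }
  }
}
```

This fragment goes in `/etc/docker/daemon.json` (restart the daemon afterwards). Containers started with `docker run --runtime=runsc ...` then have their system calls handled by gVisor's userspace kernel instead of the host kernel, while containers started without that flag keep using the default runtime. A quick check that the sandbox is actually in use: `dmesg` inside a gVisor container prints gVisor's own kernel messages rather than the host's, so a container that shows the host's real boot log is not running under runsc.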