1.3.1.1 OS Virtualization Contrast

A focused guide to OS Virtualization Contrast, connecting core concepts with practical Docker and container operations.

OS virtualization contrast examines how Docker's approach — operating-system-level virtualization — differs from full hardware virtualization, and what that distinction means in practice for isolation, performance, and resource usage.

What OS-Level Virtualization Means

OS-level virtualization isolates multiple workloads using a single shared kernel, by giving each workload its own isolated view of processes, filesystem, network interfaces, and resource limits, through kernel features such as namespaces and control groups (cgroups). Docker uses this mechanism rather than virtualizing hardware itself.

docker run -d --name app1 myapp:1.0
docker run -d --name app2 myapp:1.0

Both containers run on the same host kernel. Each gets its own process tree, filesystem view, and network stack, but every system call either of them makes is serviced by that one shared kernel.

Namespaces Provide Isolation

Linux namespaces are the primary mechanism behind this isolation: a PID namespace gives a container its own process ID space, a network namespace gives it its own network interfaces, and a mount namespace gives it its own filesystem view, all without duplicating the kernel itself.

docker run --rm myapp ps aux

Run inside a container (the image has to ship `ps` for this to work), the command lists only the container's own processes, with the container's entrypoint appearing as PID 1, even though the host kernel is in reality managing many more processes across the host and every other running container.
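The flip side of namespace isolation is that it is opt-out: `docker run --pid=host`, `--network=host`, `--ipc=host` and so on tell Docker not to request a private namespace of that kind, and the container then sees the host's view. The script below is an added example, not code from the page or from the Docker project. It reads the HostConfig section of `docker inspect` (the field names PidMode, NetworkMode, IpcMode, UTSMode, CgroupnsMode and Privileged are the keys Docker really emits) and reports every namespace a container shares with the host; the two container records inside it are constructed samples.

```python
"""Check which Linux namespaces a container actually got, from `docker inspect` output.

Added example (not from the page or the Docker project). It reads the HostConfig
part of `docker inspect` and flags every namespace the container shares with the
host instead of getting its own. Field names (PidMode, NetworkMode, ...) are the
real keys Docker emits; the two container records below are constructed samples.
"""
import json
import sys

# Constructed sample of `docker inspect app1 debug`, trimmed to the fields used here.
SAMPLE_INSPECT = json.loads("""
[
  {"Name": "/app1",
   "HostConfig": {"PidMode": "", "NetworkMode": "bridge", "IpcMode": "private",
                  "UTSMode": "", "CgroupnsMode": "private", "Privileged": false}},
  {"Name": "/debug",
   "HostConfig": {"PidMode": "host", "NetworkMode": "host", "IpcMode": "host",
                  "UTSMode": "host", "CgroupnsMode": "host", "Privileged": true}}
]
""")

# HostConfig key -> (docker run flag that sets it to "host", what that gives up)
NAMESPACE_KEYS = {
    "PidMode": ("--pid=host", "host and other containers' processes are visible and signalable"),
    "NetworkMode": ("--network=host", "container uses the host's interfaces and port space directly"),
    "IpcMode": ("--ipc=host", "host System V IPC objects and /dev/shm are reachable"),
    "UTSMode": ("--uts=host", "container can read and change the host's hostname"),
    "CgroupnsMode": ("--cgroupns=host", "the host's whole cgroup tree is visible to the container"),
}


def audit_namespaces(entry):
    """Return a list of findings for one `docker inspect` record.

    A value of "host" means Docker did not ask the kernel for a private
    namespace of that kind, so the container shares the host's view.
    """
    host_config = entry["HostConfig"]
    findings = []
    for key, (flag, impact) in NAMESPACE_KEYS.items():
        if host_config.get(key) == "host":
            findings.append(f"{key}=host ({flag}): {impact}")
    if host_config.get("Privileged"):
        findings.append("Privileged=true (--privileged): all capabilities, "
                        "unrestricted device access, default seccomp profile not applied")
    return findings


def audit_all(inspect_output):
    """Map container name -> findings for a whole `docker inspect` array."""
    return {entry["Name"].lstrip("/"): audit_namespaces(entry) for entry in inspect_output}


if __name__ == "__main__":
    # Usage: python3 audit_ns.py [inspect.json]   (inspect.json saved from `docker inspect ...`)
    data = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_INSPECT
    for name, findings in audit_all(data).items():
        print(f"{name}: {'isolated' if not findings else str(len(findings)) + ' finding(s)'}")
        for finding in findings:
            print(f"  - {finding}")
```

Run against real output with `docker inspect app1 debug > inspect.json && python3 audit_ns.py inspect.json`. Note what the script does not tell you: an empty UsernsMode does not mean a user namespace is in use. Unless the daemon is configured with userns-remap, uid 0 inside the container is uid 0 on the host, which is the main reason the shared-kernel boundary discussed below matters.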

Cgroups Control Resource Usage

Control groups limit how much CPU, memory, and other resources a container can consume, preventing one container from starving others on the same host, despite all of them sharing the same kernel-level resource pools.

docker run --memory=256m --cpus=0.5 myapp:1.0

This caps the container at 256 MiB of memory and half of one CPU core. The limits are enforced by the kernel's cgroup controllers, not by the Docker daemon: if the container exceeds its memory limit, the kernel's OOM killer terminates a process inside it, and CPU time beyond the quota is simply not scheduled.

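Because the limits live in the kernel, they can be verified from inside the container rather than trusted from the command line. On a cgroup v2 host the container's own cgroup is mounted at /sys/fs/cgroup, so `docker exec app1 cat /sys/fs/cgroup/memory.max /sys/fs/cgroup/cpu.max` shows exactly what the kernel is enforcing. The script below is an added example, not code from the page or from the Docker project: it translates `--memory` and `--cpus` into the memory.max and cpu.max values Docker writes (the 100000 microsecond CFS period is Docker's default for `--cpus`), compares them with the files read from a container, and flags limits left at "max". The file contents embedded in it are a constructed sample.

```python
"""Translate Docker resource flags into the cgroup v2 files the kernel enforces.

Added example (not from the page or the Docker project). The file names and value
formats (memory.max, cpu.max = "<quota> <period>") are the kernel's cgroup v2
interface; the 100000 microsecond period is what Docker uses for --cpus. The
file contents below are a constructed sample of what
`docker exec app1 cat /sys/fs/cgroup/memory.max /sys/fs/cgroup/cpu.max`
returns for a container started with --memory=256m --cpus=0.5.
"""
import os

CFS_PERIOD_US = 100_000          # Docker's CFS period for --cpus, in microseconds
UNITS = {"b": 1, "k": 1024, "m": 1024 ** 2, "g": 1024 ** 3}

# Constructed sample: contents of the two control files inside the container.
SAMPLE_CGROUP_FILES = {
    "memory.max": "268435456\n",
    "cpu.max": "50000 100000\n",
}


def parse_docker_size(value):
    """Parse a Docker byte-size string such as "256m" or "1g" into bytes."""
    value = str(value).strip().lower()
    if value and value[-1] in UNITS:
        return int(float(value[:-1]) * UNITS[value[-1]])
    return int(value)


def expected_cgroup_v2(memory=None, cpus=None):
    """Return the memory.max / cpu.max values that --memory and --cpus imply.

    --memory N -> memory.max = N bytes; no flag -> "max" (unlimited)
    --cpus X   -> cpu.max = "<X * period> <period>"; no flag -> "max <period>"
    """
    files = {"memory.max": str(parse_docker_size(memory)) if memory else "max"}
    if cpus:
        quota = int(round(float(cpus) * CFS_PERIOD_US))
        files["cpu.max"] = f"{quota} {CFS_PERIOD_US}"
    else:
        files["cpu.max"] = f"max {CFS_PERIOD_US}"
    return files


def read_cgroup_files(root="/sys/fs/cgroup"):
    """Read the control files from a cgroup v2 directory (run this inside the container)."""
    return {name: open(os.path.join(root, name)).read() for name in ("memory.max", "cpu.max")}


def check_limits(actual, memory=None, cpus=None):
    """Compare the files the kernel holds with what the flags should have produced.

    Returns a list of mismatches; an empty list means the requested limits are in force.
    """
    expected = expected_cgroup_v2(memory, cpus)
    return [f"{name}: expected {want!r}, found {actual.get(name, '').strip()!r}"
            for name, want in expected.items()
            if actual.get(name, "").strip() != want]


def find_unlimited(actual):
    """Names of control files set to "max": a container that can starve the host."""
    return [name for name, content in actual.items() if content.split()[0] == "max"]


if __name__ == "__main__":
    print("expected:", expected_cgroup_v2("256m", 0.5))
    print("mismatches:", check_limits(SAMPLE_CGROUP_FILES, memory="256m", cpus=0.5))
    print("unlimited in sample:", find_unlimited(SAMPLE_CGROUP_FILES))
```

Inside a real container, replace SAMPLE_CGROUP_FILES with `read_cgroup_files()`. A container started without `--memory` shows `max` in memory.max, and `find_unlimited` reports it: that is the case where one workload can consume all host memory and take the other containers, and the host, down with it.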

Why Sharing a Kernel Has Tradeoffs

Because containers share a single kernel instance, they cannot run a different kernel than the host: a Linux host cannot run Windows containers at all, and Docker Desktop on Windows or macOS runs Linux containers only by booting a Linux kernel inside a lightweight virtual machine. More important for security, the kernel is the isolation boundary. A kernel vulnerability reachable from inside a container (through a system call, a filesystem, or a network path) can undermine the isolation between every container on that host and the host itself, whereas a kernel vulnerability inside a virtual machine leaves the hypervisor boundary intact. In practice this is why container hardening matters (running as a non-root user, dropping capabilities, applying seccomp and AppArmor or SELinux profiles, never sharing host namespaces without a reason, keeping the host kernel patched), and why workloads that need a VM-strength boundary use sandboxed or microVM runtimes such as gVisor or Kata Containers.

Why OS-Level Virtualization Is Efficient

Not duplicating the kernel per workload is precisely what makes containers lightweight: there is no second kernel to boot, schedule, or maintain memory for, which is the core reason containers start faster and use fewer resources than an equivalent number of virtual machines running the same workloads.

docker stats

This command shows real-time CPU, memory, network and block I/O usage for every running container. The memory column reflects only the workload's own processes; a comparable virtual machine would additionally carry a guest kernel, its page cache, and the memory reserved for the guest, which is the overhead containers avoid.