System Design Space
Knowledge graphSettings

Updated: June 23, 2026 at 6:05 AM

Containerization

medium

How containers share the host kernel, how images and resource limits work, and where containers differ from VMs.

This chapter matters because it removes the main myth: a container is not a 'lightweight VM,' but a way to isolate and ship a process on top of a shared kernel.

In real engineering work, it helps you understand how namespaces, cgroups, the layered filesystem, and the application image become repeatable deployment and more predictable service behavior.

In interviews and design reviews, it gives you a mature way to explain where containers truly simplify a platform and where they simply add another layer of operational complexity.

Practical value of this chapter

Container primitives

Builds understanding of namespaces and cgroups as the basis for isolation and resource control.

Deploy consistency

Reduces environment drift between local development and live environments.

Operational limits

Keeps container-model limitations explicit: state handling, networking, observability, and security.

Interview readiness

Supports mature discussion of where containers simplify architecture and where they add complexity.

Source

Containerization

Definition of containerization and key principles.

Перейти на сайт

What containerization is

Containerization matters not because it “replaces VMs,” but because it turns process execution into a repeatable platform unit. It speeds up delivery, while still leaving you with the cost of a shared kernel, networking layers, and resource limits.

Modern containerization combines namespaces and cgroups so that a process still runs on the host kernel, but receives its own boundaries for networking, files, and resources.

On top of that sit container runtimes, which launch a process from a container image downloaded from a container registry. The packaging model relies on a layered filesystem and copy-on-write behavior, so layers are reused and new containers start quickly. At the same time, the container runtime does not replace the application runtime itself.

A container also does not erase the boundary between user space and kernel space. That is why memory limits, OOM behavior, rootless mode, OCI compatibility, CRI integration, latency, SLA expectations, multi-tenant pressure, noisy neighbors, and orchestration all influence where containers truly simplify a platform and where they add another layer of operational responsibility.

Core containerization mechanisms

  • Namespaces give a process its own view of the network, files, users, and other processes — that view is the isolation boundary.
  • Cgroups allocate and cap CPU, memory, I/O, and process count; without them one container eats the whole node.
  • A layered file system assembles an image from reusable layers, so rebuilds and startup stay cheap.
  • The container runtime creates the container, starts the process, and carries its lifecycle through to exit.
  • A container registry moves an application between environments as the exact same artifact, with no manual rebuild at each step.
Linux host system
Physical resources
CPURAMDiskNetwork card
Container runtime

The container runtime sets up namespaces and cgroups, starts processes, and enforces resource limits.

Containers on the host

Isolation through namespaces and cgroups

Container A

  • Nginx
  • Application
CPU: 2 coresRAM: 512 MBI/O: limited

Container B

  • Worker
  • Queue
CPU: 1 coreRAM: 256 MBI/O: limited

Container C

  • Database
  • Backup
CPU: 2 coresRAM: 1 GBI/O: priority
Layered file system (overlay)
Base imageRuntime layerApplication layerWritable layer
Cgroups and limits

They control CPU, memory, and I/O per container so one process cannot consume all host resources.

Shared host kernel

All containers share the host kernel, so containerization is usually lighter and faster than VMs, but it still needs a compatible kernel.

Layered file systems for containers

A container image is built from reusable layers, and the running container adds its own writable layer on top.

  • Base layer: a minimal OS image or base runtime.
  • Intermediate layers: dependencies, libraries, and configuration.
  • Top layer: application code and its artifacts.
  • Writable layer: changes that exist only for one concrete container.

Layered file system model

Each container has its own writable layer, while read-only image layers are reused.

Container writable layers

Container A: changes, temp files, logs

RW

Container B: changes, temp files, logs

RW
Shared image layers

Application layer

RO

Application code and static artifacts.

Dependencies layer

RO

Libraries, runtime, and system packages.

Base image layer

RO

Minimal OS image or base runtime.

Copy-on-write

On write, only the writable layer of that container changes. Base image layers remain untouched.

Layer cache

Lower layers are commonly cached across builds, so changes in upper layers build and deploy faster.

Cgroups and resource limits

  • CPU limits: quotas and weights decide who gets the processor when the node is saturated.
  • Memory limits: a hard cap and the fact that the system kills a process on OOM instead of smearing degradation across every neighbor.
  • I/O limits: without priorities, one container easily starves the disk for the rest.
  • PID limits: protection against uncontrolled process growth — otherwise a single fork leak takes the whole node down.

Containers and virtual machines

Related chapter

Virtualization: hypervisors and VMs

Hypervisors, virtualization types, and the scenarios where VMs fit better than containers.

Open chapter

Containers

  • They share the host kernel, so they start quickly and keep high packing density.
  • Overhead is minimal, but the price is that shared kernel: compatibility and isolation both rest on it.
  • Neighbors share the same kernel, so a compromise or a kernel panic hits all of them at once.

Virtual machines

  • Each VM has its own guest OS, so the boundary between workloads runs through the hypervisor, not the kernel.
  • Isolation is stronger, but you pay for it in memory, startup time, and per-instance overhead.
  • Choosing a VM is justified where you need different operating systems or strict security boundaries.

Container evolution timeline

2008

LXC in Linux

LXC combines namespaces and cgroups into a practical format, making Linux containerization broadly usable.

2013

Docker mainstreams containers

Docker makes containers easier to build and ship through image layers, Dockerfile, registries, and a repeatable workflow for developers and platform teams.

2015

OCI standardizes formats

Open Container Initiative defines image and runtime specifications so the ecosystem is not locked to one vendor.

2016

CRI appears in Kubernetes

Kubernetes introduces the Container Runtime Interface, separating orchestration from a specific container runtime.

2017–2022

containerd/CRI-O and dockershim removal

Container runtimes mature, Kubernetes shifts to direct CRI integration, and dockershim leaves the default path.

2023+

Era of secure and specialized runtimes

For multi-tenant and security-sensitive workloads, interest grows in gVisor, Kata Containers, and microVM-style isolation.

How virtualization type affects container workloads

Full virtualization

  • Best at: Maximum guest OS compatibility.
  • Container impact: More I/O and CPU overhead for container nodes inside VMs.
  • Typical scenario: Compatibility-driven and mixed-OS environments.

Paravirtualization

  • Best at: Optimized network and disk drivers.
  • Container impact: A better balance of latency and throughput for container workloads in VMs.
  • Typical scenario: Cloud VMs using paravirtualized drivers (virtio, VMXNET3, PVSCSI).

Hardware-accelerated

  • Best at: Default model for live clusters.
  • Container impact: Best balance of isolation and performance for Kubernetes/containers.
  • Typical scenario: Mainstream approach in public cloud and enterprise data centers.

Which solutions teams use today

Runtimes and low-level layer

  • containerd and CRI-O are the primary Kubernetes runtimes via CRI.
  • runc and crun are common OCI container executors.
  • gVisor and Kata Containers provide stronger isolation for shared environments.

Developer and local environments

  • Docker Desktop is the most common local stack.
  • Podman Desktop supports daemonless and rootless workflows.
  • Colima and OrbStack (macOS) are alternatives for local Linux VMs and containers.

Orchestration and platform layer

  • Kubernetes is the industry-standard container orchestrator.
  • Nomad and Docker Swarm remain lighter alternatives for specific scenarios.
  • Managed Kubernetes in AWS, GCP, and Azure underpins many live platforms.

How a request reaches Nginx inside a container

In the container model there is no separate hypervisor between the application and the host kernel, but the request still crosses a bridge, NAT rules, namespaces, and resource boundaries. The path is shorter than in a VM, not magically simple.

How a request reaches Nginx inside a container

Request path: internet → host → container runtime → container

External edge

Layer 1
ClientInternet

Linux host

Layer 2
Network cardKernel network stack

Container runtime

Layer 3
Bridge/NATNamespaces

Container

Layer 4
NginxApplication

Service

Layer 5
HTTP handlerBusiness logic
Request path

Active step

Click "Start" to walk through the request path.

Why this matters for systems design

  • The same image travels from local development to test and live, which kills the “worked on my machine” drift and speeds up delivery.
  • Without understanding cgroups, limits get set by guesswork, and the noisy-neighbor effect only surfaces under load in production.
  • The container network model determines latency, what shows up in traces, and which security rules you can even apply.
  • In most modern platforms the container is the unit of deployment and scaling, so resource and boundary decisions are made at its level.

Practical takeaway

  • A container does not replace operating-system knowledge; it simply makes process packaging and execution more repeatable.
  • When delivery speed and a single way to package a service come first, containers give the cheapest win.
  • But when you need maximum isolation, a different OS, or strict security boundaries, VMs or hardened runtimes are the wiser bet.

Related chapters

Enable tracking in Settings