Linux Container
- It has its own Filesystem: Chroot
- Restricted Visibility is achieved through Namespaces (Cgroup, IPC, Network, Mount, PID, User, UTS)
  - PID Namespace: Isolates the process ID number space
- Resource Limitation is done via Cgroups
- Previously used for server hosting
- Security is enforced via Seccomp, AppArmor, and SELinux
  - Seccomp: Restricting Syscalls
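
To check how much of this isolation a given process actually has, compare its namespace inodes with the host's and read its seccomp mode. The sketch below is an added example, not part of the original notes; the function names are hypothetical and the sample data is constructed, in the format of `readlink /proc/<pid>/ns/*` and `/proc/<pid>/status`.

```python
import re

# The seven namespace types from the notes, named as under /proc/<pid>/ns/.
NAMESPACES = ("cgroup", "ipc", "mnt", "net", "pid", "user", "uts")
# Values of the "Seccomp:" field in /proc/<pid>/status.
SECCOMP_MODES = {0: "disabled", 1: "strict", 2: "filter"}

def parse_ns_links(listing):
    """Parse 'name:[inode]' link targets into {name: inode}."""
    pairs = re.findall(r"^(\w+):\[(\d+)\]$", listing, flags=re.M)
    return {name: int(inode) for name, inode in pairs}

def shared_namespaces(host, proc):
    """Namespaces the process shares with the host (same inode means no isolation)."""
    return [n for n in NAMESPACES if n in host and host[n] == proc.get(n)]

def seccomp_mode(status_text):
    """Decode the Seccomp field; the separate 'Seccomp_filters:' line is not matched."""
    m = re.search(r"^Seccomp:\s*(\d+)$", status_text, flags=re.M)
    return SECCOMP_MODES.get(int(m.group(1)), "unknown") if m else "unknown"

def audit(host_listing, proc_listing, status_text):
    """Summarise which namespaces are shared with the host and the seccomp mode."""
    host, proc = parse_ns_links(host_listing), parse_ns_links(proc_listing)
    return {"shared": shared_namespaces(host, proc),
            "seccomp": seccomp_mode(status_text)}

# Constructed sample: host PID 1 versus a container process that shares
# the host's network and user namespaces.
HOST_NS = """cgroup:[4026531835]
ipc:[4026531839]
mnt:[4026531840]
net:[4026531992]
pid:[4026531836]
user:[4026531837]
uts:[4026531838]"""
CONTAINER_NS = """cgroup:[4026532561]
ipc:[4026532498]
mnt:[4026532496]
net:[4026531992]
pid:[4026532499]
user:[4026531837]
uts:[4026532497]"""
CONTAINER_STATUS = "Name:\tnginx\nNoNewPrivs:\t1\nSeccomp:\t2\nSeccomp_filters:\t1\n"

if __name__ == "__main__":
    print(audit(HOST_NS, CONTAINER_NS, CONTAINER_STATUS))
```
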