Container
A container is one product (of many) of OS-level virtualization.
A Dockerfile can contain instructions for both the image and the manifest!
Container Image:
Layered image of a filesystem. Single layers can be replaced.
Manifest:
Declaring resource access and what to run.
Isolation Mechanism: Isolates the container process from the rest of the OS with namespaces and control groups (cgroups).
Analogy: Shared Lab Space
Namespaces: Each researcher sees only their own bench and experiments
Cgroups: Each gets allocated compute hours, storage quota, equipment time
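The two isolation mechanisms above can be checked per process. The following is an added example, not part of the original note: it reports which namespaces a process shares with the host (no isolation for that resource type) and which cgroup v2 limits are unset. The function names are hypothetical, and the namespace links and cgroup file contents are constructed sample data.

```python
import os
import re

# Format of `readlink /proc/<pid>/ns/<type>`, e.g. "pid:[4026531836]"
NS_LINK = re.compile(r"^(\w+):\[(\d+)\]$")

# Constructed sample data: host init vs. a container process
HOST_NS = ["cgroup:[4026531835]", "ipc:[4026531839]", "mnt:[4026531841]",
           "net:[4026531840]", "pid:[4026531836]", "user:[4026531837]",
           "uts:[4026531838]"]
CONTAINER_NS = ["cgroup:[4026532512]", "ipc:[4026532450]", "mnt:[4026532448]",
                "net:[4026531840]", "pid:[4026532451]", "user:[4026531837]",
                "uts:[4026532449]"]
# Constructed cgroup v2 control file contents for the container's cgroup
CGROUP_FILES = {"memory.max": "536870912\n", "cpu.max": "150000 100000\n",
                "pids.max": "max\n"}

def parse_ns(links):
    """Map namespace type -> inode number; malformed entries are skipped."""
    out = {}
    for link in links:
        m = NS_LINK.match(link.strip())
        if m:
            out[m.group(1)] = int(m.group(2))
    return out

def shared_namespaces(host_links, proc_links):
    """Namespace types where the process sees the same namespace as the host."""
    host, proc = parse_ns(host_links), parse_ns(proc_links)
    return sorted(t for t in proc if host.get(t) == proc[t])

def parse_limits(files):
    """Interpret cgroup v2 limits; None means 'max', i.e. no limit is set."""
    mem = files.get("memory.max", "max").strip()
    quota, period = files.get("cpu.max", "max 100000").split()
    pids = files.get("pids.max", "max").strip()
    return {
        "memory_bytes": None if mem == "max" else int(mem),
        "cpus": None if quota == "max" else int(quota) / int(period),
        "pids": None if pids == "max" else int(pids),
    }

def read_ns_links(pid):
    """Live input on Linux: run on the host, since inside a container PID 1
    is the container's own init. Reading another user's process needs root."""
    base = f"/proc/{pid}/ns"
    return [os.readlink(os.path.join(base, n)) for n in sorted(os.listdir(base))]
```

In the sample, the container shares `net` and `user` with the host and has no `pids` limit, so those are the gaps a reviewer would look at first.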