by AnsemWise 3335 days ago
Containers are an abstraction that exist using cgroups and namespaces for isolation. They use the host's kernel; it's not virtualized. Containers are only limited by the capabilities of namespaces and cgroups, unlike VMs.

You might be dismissing microservices too quickly. They do have overhead, but so does any level of abstraction; the benefit of them, though, is clear separation of responsibilities between services and residency (Swarms, clusters, etc.). Both can be achieved with VMs, but VMs weren't built with these goals in mind.


Using VMs to isolate single processes is like owning multiple toasters, and buying a different house to plug each toaster in.
Nah, that is separate physical machines. For VMs it's more like a multitenant toaster colo, with every toaster in its own asbestos cage, but sharing power and network^Wbread. For containers, it's like putting them all in one house but putting a fuse and RCD on every toaster. A traditional server is building a custom house each time and the toasters are all plugged into the same socket.

I'm not sure the toaster analogy will gain mass acceptance.

What if you're hosting toasters owned by people who might be rude teenagers who want to set any house with a rival toaster in it on fire?

When Docker can safely protect a Minecraft server in one container from a local DoS attack coming from a bot running in a sibling container, I'll reconsider using VMs. :P

Resiliency
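An added illustration of the two technical points in this thread (the first comment's claim that containers are cgroups plus namespaces on a shared kernel, and the later worry about a sibling container mounting a local DoS); this is example code written here, not code from any commenter. It parses the cgroup v2 control files that bound a process's CPU and memory and reports whether a runaway neighbour is actually capped. It assumes the unified cgroup v2 hierarchy mounted at `/sys/fs/cgroup`; the file contents below are constructed samples, and `read_live_limits` reads the real files only when they exist.

```python
"""Inspect cgroup v2 CPU and memory caps for a process.

A container is, as the comment says, a set of processes placed in a cgroup
and a few namespaces on the shared host kernel. Whether a noisy sibling can
starve you of CPU or memory therefore comes down to what cpu.max and
memory.max say for its cgroup. This helper parses those files.
"""
import os
from dataclasses import dataclass
from typing import Optional, Tuple

# Assumption: cgroup v2 unified hierarchy mounted at the usual location.
CGROUP_ROOT = "/sys/fs/cgroup"


@dataclass
class CgroupLimits:
    path: str                        # cgroup path relative to CGROUP_ROOT
    cpu_quota_us: Optional[int]      # None means "max" (no CPU quota)
    cpu_period_us: int
    memory_max_bytes: Optional[int]  # None means "max" (no memory ceiling)

    @property
    def cpu_cores(self) -> Optional[float]:
        """CPU quota expressed as a number of cores, or None if unlimited."""
        if self.cpu_quota_us is None:
            return None
        return self.cpu_quota_us / self.cpu_period_us

    def is_bounded(self) -> bool:
        """True when both CPU and memory are capped, so a process in this
        cgroup cannot exhaust either resource for its siblings."""
        return self.cpu_quota_us is not None and self.memory_max_bytes is not None


def parse_proc_cgroup(text: str) -> Optional[str]:
    """Extract the cgroup v2 path from /proc/<pid>/cgroup content.

    On v2 the file holds a single line of the form '0::/some/path'.
    Returns None when no v2 entry is present (legacy v1 layout).
    """
    for line in text.splitlines():
        hierarchy, controllers, path = (line.split(":", 2) + ["", ""])[:3]
        if hierarchy == "0" and controllers == "":
            return path
    return None


def parse_cpu_max(text: str) -> Tuple[Optional[int], int]:
    """Parse cpu.max: '<quota> <period>' in microseconds; quota may be 'max'."""
    quota, period = text.split()
    return (None if quota == "max" else int(quota)), int(period)


def parse_memory_max(text: str) -> Optional[int]:
    """Parse memory.max: a byte count or the word 'max'."""
    value = text.strip()
    return None if value == "max" else int(value)


def limits_from_text(proc_cgroup: str, cpu_max: str, memory_max: str) -> CgroupLimits:
    """Build CgroupLimits from the raw contents of the three files."""
    path = parse_proc_cgroup(proc_cgroup)
    if path is None:
        raise ValueError("no cgroup v2 entry found; this helper assumes the unified hierarchy")
    quota, period = parse_cpu_max(cpu_max)
    return CgroupLimits(path, quota, period, parse_memory_max(memory_max))


def read_live_limits(pid: str = "self") -> Optional[CgroupLimits]:
    """Read the real files for a running process; None if they are unavailable
    (not Linux, cgroup v1, or the root cgroup, which has no cpu.max/memory.max)."""
    try:
        with open(f"/proc/{pid}/cgroup") as f:
            path = parse_proc_cgroup(f.read())
        if path is None:
            return None
        cg_dir = os.path.join(CGROUP_ROOT, path.lstrip("/"))
        with open(os.path.join(cg_dir, "cpu.max")) as f:
            cpu_max = f.read()
        with open(os.path.join(cg_dir, "memory.max")) as f:
            memory_max = f.read()
    except OSError:
        return None
    return limits_from_text(f"0::{path}", cpu_max, memory_max)


# Constructed sample file contents (the scope name is a placeholder).
SAMPLE_PROC_CGROUP = "0::/system.slice/docker-0123abcd.scope\n"
SAMPLE_CPU_MAX = "50000 100000\n"    # 50 ms of every 100 ms: half a core
SAMPLE_MEMORY_MAX = "536870912\n"    # 512 MiB
UNLIMITED_CPU_MAX = "max 100000\n"   # no quota at all
UNLIMITED_MEMORY_MAX = "max\n"       # no memory ceiling

if __name__ == "__main__":
    capped = limits_from_text(SAMPLE_PROC_CGROUP, SAMPLE_CPU_MAX, SAMPLE_MEMORY_MAX)
    print(capped.path, capped.cpu_cores, capped.memory_max_bytes, capped.is_bounded())
    live = read_live_limits()
    print("live:", live if live else "not on cgroup v2, or no limits visible")
```

A container whose cgroup reads `max` in either file is exactly the case the DoS comment worries about: the kernel is shared and nothing stops a sibling from consuming the whole machine. Setting both caps bounds CPU and memory only; other shared resources (disk and network bandwidth, PIDs, kernel object tables) have their own controllers or need other controls, so a cap on these two files is necessary but not sufficient.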