[amarshall]

> A Docker image is really just a chroot + some cgroups resource limits.

No, because an image specifies nothing about the runtime. Just add a Kernel and bootloader and one can boot most images. Further most container runtimes include a lot more than chroot and resource limits. Namespace isolation (process, user, network), seccomp rules, SELinux contexts, etc.

[otabdeveloper4]

> Just add a Kernel and bootloader and one can boot most images.

Certainly not true of any of the images I work with.

[amarshall]

What sort of images are you working with? I can fairly straightforwardly boot debian:stable with no modifications to the image using direct kernel boot. Is everything perfect? No, but it does boot.

[otabdeveloper4]

None of my images bundle a Linux distribution.

(Indeed, most don't even bundle bash or coreutils.)

[amarshall]

Sure, but that still doesn’t necessarily mean it won’t work. I can successfully direct kernel boot a VM where the entire filesystem is just a single statically-linked binary and it boots and runs it (just set init= or put the binary at /sbin/init). Some programs might need /proc /sys /tmp, etc., and if they do a bit more work needs to be done of course, but not all do.