[WatchDog]

Do these containers share a common kernel? Or are they each ran in a separate VM?

Edit: It's a VM per container. https://github.com/apple/container/blob/main/docs/technical-...

[leshenka]

Isn't it wasteful? I know it's a "tiny" vm but still is a vm

[pjmlp]

See Kata containers.

https://katacontainers.io/

For ultimate security, containers alone aren't enough.

Windows is also having a similar feature on top of WSL, announced at BUILD.

https://github.com/microsoft/mxc

[Melatonic]

Isnt this a micro VM and not a container? Confused

[pjmlp]

A micro VM than encapsulates a single container inside, two levels of protection.