by Guvante 4084 days ago
It looks like they may be putting the container in a Hyper-V VM while allowing it callbacks to the underlying OS.

Done correctly this allows the hardware level protections to apply to the code running in the container, assuming the penalty of your OS calls routing through the VM-bridge doesn't kill your performance.

This is pretty close, but there is not actually a VM in the Hyper-V Container. The key thing is, these containers will take advantage of Hyper-V enforced isolation and virtualization but without requiring the full VM. So, while it has this increased isolation, it is still a container, with what you would expect from a container, including better density, faster start-up times, and portability. And will have Docker platform support to make it more flexible across environments.

Hope that helps?
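
To make the "still a container, but with Hyper-V enforced isolation" point concrete, here is an added PowerShell example (not part of the thread and not Microsoft's or Docker's own code) that starts the same Windows image under both isolation modes Docker exposes and reads back which one the daemon applied. It assumes a Windows host with the Docker engine switched to Windows containers; the image tag and the keep-alive command inside the container are assumptions and may need adjusting to the host build.

```powershell
# Added example (not from the thread): run one image under the two Windows
# isolation modes and read back which one Docker actually applied.
# Assumptions: Docker engine on Windows in Windows-container mode; image tag
# chosen for illustration and may need to match the host OS build.
$Image = 'mcr.microsoft.com/windows/nanoserver:ltsc2022'

function Start-IsolatedContainer {
    param(
        [ValidateSet('process', 'hyperv')]
        [string]$Isolation
    )
    # --isolation=process shares the host kernel; --isolation=hyperv runs the
    # container behind the hypervisor-enforced boundary discussed above.
    $id = docker run -d --isolation=$Isolation $Image cmd /c 'ping -t localhost'
    if ($LASTEXITCODE -ne 0) { throw "docker run failed for isolation=$Isolation" }
    return $id.Trim()
}

function Get-ContainerIsolation {
    param([string]$Id)
    # HostConfig.Isolation records the mode the daemon applied, so it is the
    # value to check rather than the flag you asked for.
    return (docker inspect --format '{{.HostConfig.Isolation}}' $Id).Trim()
}

foreach ($mode in 'process', 'hyperv') {
    $id = Start-IsolatedContainer -Isolation $mode
    $applied = Get-ContainerIsolation -Id $id
    Write-Host "requested=$mode applied=$applied"
    docker rm -f $id | Out-Null
}
```

Reading the applied mode back from `docker inspect` is the check worth keeping: a daemon default of `process` silently gives up the hypervisor boundary, and `process` mode also requires the container image and host kernel builds to match, which is one reason the `hyperv` mode is the more portable choice across hosts.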

Sounds like Mirage OS / exokernels / unikernels, where the app is compiled to run directly on the VM talking to paravirtualized APIs.
Is there an architecture diagram that shows the boundary between VMM, OS, container and storage layers?