Hardware level isolation. Or: if you run your docker container as a vm instance; reduced overhead with only the kernel parts you need.
Typical docker is just a glorified chroot under a shared Linux kernel. With namespaces it asymptotically approaches a BSD jail.
But the "easy" way to get some real isolation is to use hw support for virtualization - but now you need a kernel (software that enables programs to talk via a fixed abstraction to hardware; drivers for real and emulated hw).
And you've reinvented 5% of the magic dust that IBM put into mainframes.
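A way to see the "shared kernel" point concretely, added here as an example and not part of the comment above: on Linux, each namespace a process belongs to is exposed as a symlink under /proc/<pid>/ns/, and two processes are in the same namespace exactly when the link targets (the `type:[inode]` strings) match. A plain chroot shares every namespace with the host's PID 1; a namespaced container shares none, or only some (a `--net=host` style setup still shares `net`). In a VM-based runtime the comparison is moot, since the guest's /proc belongs to a different kernel. The sample inode values in the test and the function names are constructed for illustration.

```python
"""Compare the Linux namespaces of a process against a reference process.

Reads /proc/<pid>/ns/* and classifies how much namespace isolation the
process has relative to the reference (by default PID 1, the host init).
Example code written for this discussion; not from any project.
"""
import os

# Namespace types exposed under /proc/<pid>/ns/ on current kernels.
NAMESPACE_TYPES = ("cgroup", "ipc", "mnt", "net", "pid", "user", "uts")


def read_namespaces(pid):
    """Return {ns_type: "type:[inode]"} for a PID (or "self").

    Entries that cannot be read (no permission to inspect that PID, no such
    PID, non-Linux host) are omitted instead of raising, so the caller gets
    a partial view rather than an exception.
    """
    result = {}
    for ns in NAMESPACE_TYPES:
        try:
            result[ns] = os.readlink(f"/proc/{pid}/ns/{ns}")
        except OSError:
            continue
    return result


def shared_namespaces(own, reference):
    """Namespace types present in both maps with identical identities."""
    return sorted(ns for ns in own if ns in reference and own[ns] == reference[ns])


def isolation_report(own, reference):
    """Classify `own` relative to `reference`.

    verdict: 'none'    -> every comparable namespace is shared (chroot-like)
             'partial' -> some namespaces are distinct, some shared
             'full'    -> every comparable namespace is distinct
             'unknown' -> nothing could be compared (e.g. /proc unreadable)
    """
    shared = shared_namespaces(own, reference)
    comparable = sorted(ns for ns in own if ns in reference)
    separate = [ns for ns in comparable if ns not in shared]
    if not comparable:
        verdict = "unknown"
    elif not separate:
        verdict = "none"
    elif not shared:
        verdict = "full"
    else:
        verdict = "partial"
    return {"shared": shared, "separate": separate, "verdict": verdict}


if __name__ == "__main__":
    # Inside a container this typically reports 'full' or 'partial';
    # in a plain chroot on the host it reports 'none'.
    print(isolation_report(read_namespaces("self"), read_namespaces(1)))
```

Reading /proc/1/ns/* needs permission to inspect PID 1 (usually root or the same user); when that fails the report says `unknown` rather than guessing.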