The Misconception
Many developers treat containers as lightweight VMs. They are not. A VM virtualizes hardware and runs its own full operating system, including its own kernel. A container shares the host kernel and relies on kernel namespaces for isolation.
What Containers Actually Are
Containers are ordinary Linux processes with three extra features: namespaces for isolation, cgroups for resource limits, and a layered filesystem that assembles the image into the process's root. That is it.
Why This Matters
Understanding that containers are processes changes how you think about security. A container escape is a privilege escalation on the host, not a VM breakout. The attack surface is the Linux kernel and every syscall the container can reach, not a hypervisor.
Practical Implications
- Do not run containers as root unless absolutely necessary
- Use read-only filesystems where possible
- Drop capabilities your container does not need
- Keep your host kernel updated
- Consider gVisor or Kata Containers for stronger isolation
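Because a container is just a process, the host's own /proc tells you how isolated it really is: the CapEff bitmask in /proc/<pid>/status lists the capabilities it holds, and the /proc/<pid>/ns/* links show which namespaces it shares with PID 1. The script below is an added example written for this article, not code from the original; it assumes a Linux /proc layout, and the status text and namespace inode numbers it checks are constructed sample data rather than captures from a real system. It decodes the capability mask, flags root and high-risk capabilities, and reports any namespace the process shares with the host, which covers the "run as non-root", "drop capabilities" and "stronger isolation" items in the checklist above.

```python
"""Inspect a process the way the kernel sees it: capability bitmask and namespaces.

Added example, not from the original article. Assumes a Linux /proc layout;
the sample status text and namespace links below are constructed for offline use.
"""
import os
import re

# Linux capability numbers (bit positions in CapEff/CapBnd), see capabilities(7).
CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
    "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
    "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ", "CAP_PERFMON", "CAP_BPF",
    "CAP_CHECKPOINT_RESTORE",
]

# Capabilities that, if held inside a container, widen the kernel attack surface
# far beyond what a typical workload needs (chosen here as an illustrative policy).
HIGH_RISK_CAPS = {"CAP_SYS_ADMIN", "CAP_SYS_MODULE", "CAP_SYS_PTRACE",
                  "CAP_SYS_RAWIO", "CAP_NET_ADMIN", "CAP_DAC_READ_SEARCH", "CAP_BPF"}


def decode_caps(hex_mask):
    """Turn a CapEff-style hex bitmask into the set of capability names."""
    mask = int(hex_mask, 16)
    return {name for bit, name in enumerate(CAP_NAMES) if mask >> bit & 1}


def parse_status(text):
    """Extract the real uid and effective capabilities from /proc/<pid>/status text."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    uid = int(fields["Uid"].split()[0])  # columns: real, effective, saved, fs
    return {"uid": uid, "caps": decode_caps(fields["CapEff"])}


def namespace_inodes(pid="self"):
    """Read /proc/<pid>/ns/* links; each target looks like 'pid:[4026531836]'.

    Reading another process's links needs ptrace access to it (root on most hosts).
    """
    ns_dir = f"/proc/{pid}/ns"
    result = {}
    for name in os.listdir(ns_dir):
        link = os.readlink(os.path.join(ns_dir, name))
        m = re.fullmatch(r"\w+:\[(\d+)\]", link)
        if m:
            result[name] = int(m.group(1))
    return result


def audit(status, proc_ns, host_ns):
    """Return findings for a process given its parsed status and namespace inodes."""
    findings = []
    if status["uid"] == 0:
        findings.append("process runs as uid 0; a kernel bug yields host root directly")
    risky = sorted(status["caps"] & HIGH_RISK_CAPS)
    if risky:
        findings.append("high-risk capabilities held: " + ", ".join(risky))
    shared = sorted(name for name, ino in proc_ns.items() if host_ns.get(name) == ino)
    if shared:
        findings.append("namespaces shared with the host: " + ", ".join(shared))
    return findings


# Constructed sample data (inode numbers invented; not captured from a real system).
HOST_NS = {"mnt": 4026531840, "pid": 4026531836, "net": 4026531992, "uts": 4026531838,
           "ipc": 4026531839, "user": 4026531837, "cgroup": 4026531835}
# A container started without a user namespace: everything is new except "user".
CONTAINER_NS = {"mnt": 4026532555, "pid": 4026532558, "net": 4026532561, "uts": 4026532556,
                "ipc": 4026532557, "user": 4026531837, "cgroup": 4026532559}

# 0xa80425fb is the 14-capability set Docker grants by default; 0x1ffffffffff is all 41.
DEFAULT_STATUS = "Name:\tsh\nUid:\t0\t0\t0\t0\nGid:\t0\t0\t0\t0\nCapEff:\t00000000a80425fb\n"
PRIVILEGED_STATUS = "Name:\tsh\nUid:\t0\t0\t0\t0\nGid:\t0\t0\t0\t0\nCapEff:\t000001ffffffffff\n"

if __name__ == "__main__":
    for label, text in (("default", DEFAULT_STATUS), ("privileged", PRIVILEGED_STATUS)):
        for finding in audit(parse_status(text), CONTAINER_NS, HOST_NS):
            print(f"[{label}] {finding}")
    # On a live host, run as root and pass the container's PID instead of the samples:
    #   audit(parse_status(open(f"/proc/{pid}/status").read()), namespace_inodes(pid), namespace_inodes(1))
```

Even the default sample produces two findings (uid 0 and a shared user namespace), which is exactly why the checklist says to avoid root and to consider stronger isolation; the privileged sample additionally surfaces CAP_SYS_ADMIN and friends, the capabilities that turn an ordinary kernel bug into a host compromise.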