Docker Isn't a VM. Here's What It Actually Is.
Docker containers are not virtual machines. See how namespaces, cgroups, and union filesystems create isolated Linux processes.
Everyone says Docker is a lightweight virtual machine. Every tutorial draws the same diagram — hypervisor and guest OS on one side, kernel and containers on the other. That diagram is fine. But it hides something fundamental. A container doesn't create a fake computer. It doesn't boot an operating system. There is no guest kernel. A container is just a process.
What a VM Actually Does
A virtual machine creates a fake computer. Virtual CPU, virtual RAM, virtual disk, virtual network card. The hypervisor manages this illusion, giving each VM its own isolated hardware. The guest OS boots up, loads drivers, runs its init system — a complete operating system inside another operating system.
The cost? A typical Linux VM image is hundreds of megabytes. The app running inside it might be fifteen. You're shipping an entire house just to run one appliance.
The Two Kernel Tricks
A container is a regular Linux process running on the host kernel. But the kernel plays a trick — it gives that process a restricted view of the world using two features:
Namespaces control what the process can see:
| Namespace | What It Isolates |
|---|---|
| PID | Process tree — container thinks it's PID 1 |
| Network | IP addresses and ports — two containers can both bind port 80 |
| Mount | Filesystem — container sees entirely different files than the host |
Cgroups control what the process can use. The kernel sets hard limits — two gigs of memory, half a CPU core. Exceed memory, and the kernel kills your process. Exceed CPU, and you get throttled.
That's it. A container is a process with blinders on. Namespaces restrict what it sees. Cgroups restrict what it uses.
The Layer System
Each instruction in a Dockerfile creates a read-only layer. Install Python — that's a layer. Copy your app code — another layer. These layers are stackable and shared.
Spin up fifty containers from the same base image. A VM approach costs fifty copies of that image. With containers, all fifty share the same read-only layers. Each container just gets its own thin writable layer on top.
When a container modifies a file, it copies just that file to its writable layer. Everything else stays shared. This is copy-on-write — and it's why containers are so storage-efficient.
The Tradeoff
| VM | Container | |
|---|---|---|
| Startup | Tens of seconds (boots full OS) | Under a second (starts a process) |
| Density | 10-20 per server | Hundreds per server |
| Isolation | Own kernel per VM | Shared kernel |
| Security | Stronger boundary | Shared kernel = shared risk |
Every container shares the same kernel. A kernel vulnerability exposes every container on the host. That's why production environments commonly run containers *inside* VMs — you get VM-level isolation with container-level density.
A container isn't a lightweight VM. It's something simpler — a process, with the kernel playing tricks on what it can see and what it can use.
Watch the full animated breakdown: Docker Containers are NOT Lightweight VMs