### What is a container?
There is really no "thing" called a container. Containers are simply three features of Linux "duct-taped" together: `chroot` (change root), namespaces, and `cgroups` (control groups), which together separate one group of processes from another.
#### chroot
`chroot` (change root) is a Linux command that allows you to set the root directory of a new process. In the container use case, we set the root directory to wherever the new container's root directory should be.
Now the container's group of processes can't see files outside of this directory, which reduces security problems because the new process has no visibility outside of its new root (this is sometimes called a "Linux jail" or a "jailed" process). On its own, `chroot` changes only the filesystem view: it does not hide other processes or limit resource use, which is what the next two features add.
#### namespaces
Namespaces allow you to hide processes from other processes. If we give each chroot'd environment a different set of namespaces, the environments won't be able to see each other's processes (they even get different process IDs, or PIDs, so they can't guess what the others have).
#### cgroups
`cgroups` (control groups) allow you to move processes and their children into groups, which then let you limit the physical resources they use (memory, CPU, etc.).
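
Since a container is only these three features applied to a process, you can audit how isolated a process really is by reading its root directory, namespace IDs and cgroup membership from `/proc`. The following is an added example, not code from the original page: it compares two processes and reports which of the three building blocks actually separate them. The function names, the sample PIDs, paths and namespace IDs are all constructed for illustration.

```python
import os
import tempfile

NS_TYPES = ("mnt", "pid", "net", "uts", "ipc", "user", "cgroup")

def read_isolation(proc, pid):
    """Return the root directory, namespace IDs and cgroup paths of one process."""
    base = os.path.join(proc, str(pid))
    ns = {}
    for t in NS_TYPES:
        try:
            # Each ns entry is a symlink whose target looks like "pid:[4026531836]".
            ns[t] = os.readlink(os.path.join(base, "ns", t))
        except OSError:
            ns[t] = None  # unreadable, or this namespace type is absent
    with open(os.path.join(base, "cgroup")) as f:
        # Line format is "hierarchy-id:controllers:path"; keep only the path.
        cgroups = sorted(line.strip().split(":", 2)[2] for line in f if line.strip())
    return {"root": os.readlink(os.path.join(base, "root")), "ns": ns, "cgroups": cgroups}

def compare(proc, pid_a, pid_b):
    """Report which of chroot, namespaces and cgroups separate two processes."""
    a, b = read_isolation(proc, pid_a), read_isolation(proc, pid_b)
    known = [t for t in NS_TYPES if a["ns"][t] and b["ns"][t]]
    return {
        "different_root": a["root"] != b["root"],
        "separate_namespaces": [t for t in known if a["ns"][t] != b["ns"][t]],
        "shared_namespaces": [t for t in known if a["ns"][t] == b["ns"][t]],
        "different_cgroup": a["cgroups"] != b["cgroups"],
    }

def build_sample_proc():
    """Constructed /proc-like tree: PID 1 is the host, PID 4242 a jailed process."""
    proc = tempfile.mkdtemp()
    host_ns = {t: f"{t}:[{4026531835 + i}]" for i, t in enumerate(NS_TYPES)}
    # The jailed process has its own mnt, pid, uts and ipc namespaces only.
    jail_ns = dict(host_ns, mnt="mnt:[4026532201]", pid="pid:[4026532204]",
                   uts="uts:[4026532202]", ipc="ipc:[4026532203]")
    samples = {1: ("/", host_ns, "0::/init.scope\n"),
               4242: ("/srv/jail/rootfs", jail_ns, "0::/demo.slice/jail.scope\n")}
    for pid, (root, ns, cgroup) in samples.items():
        base = os.path.join(proc, str(pid))
        os.makedirs(os.path.join(base, "ns"))
        os.symlink(root, os.path.join(base, "root"))
        for t, target in ns.items():
            os.symlink(target, os.path.join(base, "ns", t))
        with open(os.path.join(base, "cgroup"), "w") as f:
            f.write(cgroup)
    return proc

if __name__ == "__main__":
    print(compare(build_sample_proc(), 1, 4242))
```

On a live Linux host, pass `"/proc"` and two real PIDs instead of the constructed tree; reading another user's process entries generally requires root. Any namespace that shows up under `shared_namespaces` is a resource the "container" still has in common with the other process.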