...
The process isolation (which uses Linux namespaces, cgroups and other kernel features such as capabilities) happens within a libcontainer component called "runC". Each container that gets instantiated is started by its own, separate runC instance.
Container images - layered deployable snapshots
Container images are layered deployable snapshots. They are self-contained portable environments which can instantiate a (Micro-)service. Subsequent versions of the same container images are stored as a differential overlay.
...
Overlay file systems - differential snapshots
Starting from a base image, overlay file systems keep the storage footprint low: each subsequent container image version stores only its differential (the files it adds, changes or deletes), and that differential is written to disk as a layer on top of the base image.
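To make the layering described in the two sections above concrete, here is an added example (not code from the original page or from any container runtime) that models image layers as dicts of path to content and merges them the way an overlay would: upper layers override lower ones, and deletions are recorded as OCI-style whiteout entries (".wh.<name>", plus the opaque ".wh..wh..opq" marker, which goes slightly beyond the text). It also reports the defender-relevant caveat: a file deleted or overwritten in a later layer is still physically present in the lower layer. The sample layers are constructed for this example.

```python
from typing import Dict, List, Tuple

WHITEOUT = ".wh."        # OCI layer-tar marker for a file deleted in this layer
OPAQUE = ".wh..wh..opq"  # OCI marker hiding every lower-layer entry of a directory

def _split(path: str) -> Tuple[str, str]:
    """Return (directory, name) for a slash-separated path."""
    head, _, tail = path.rpartition("/")
    return head, tail

def merge_layers(layers: List[Dict[str, bytes]]) -> Dict[str, bytes]:
    """Merged view of layers ordered base first: upper layers override lower
    ones, and whiteout entries hide the matching files of the layers below."""
    merged: Dict[str, bytes] = {}
    for layer in layers:
        whiteouts = {p for p in layer if _split(p)[1].startswith(WHITEOUT)}
        for path in whiteouts:  # a whiteout never hides files of its own layer
            directory, name = _split(path)
            prefix = directory + "/" if directory else ""
            if name == OPAQUE:
                for p in [p for p in merged if p.startswith(prefix)]:
                    merged.pop(p)
            else:
                merged.pop(prefix + name[len(WHITEOUT):], None)
        for path, content in layer.items():
            if path not in whiteouts:
                merged[path] = content
    return merged

def footprint(layers: List[Dict[str, bytes]]) -> int:
    """Bytes stored on disk: each layer holds only its differential."""
    return sum(len(c) for layer in layers for c in layer.values())

def shadowed_files(layers: List[Dict[str, bytes]]) -> List[Tuple[str, int]]:
    """(path, layer index) of files overwritten or whited out in the merged view
    but still present in a lower layer, e.g. a credential a later layer 'deleted'."""
    visible = merge_layers(layers)
    found = []
    for idx, layer in enumerate(layers):
        for path, content in layer.items():
            if not _split(path)[1].startswith(WHITEOUT) and visible.get(path) != content:
                found.append((path, idx))
    return sorted(found)

# Constructed sample: a base image and one differential layer on top of it.
BASE = {"bin/app": b"app-v1", "etc/app/secret": b"hunter2"}
UPDATE = {"bin/app": b"app-v2", "etc/app/.wh.secret": b""}
```

Running `shadowed_files([BASE, UPDATE])` shows that both the old binary and the "deleted" secret remain in the base layer, which is why secrets must never be baked into any layer, even one that is later removed.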
...
cgroups - resource quotas
cgroups (control groups) are a Linux kernel feature for resource compartmentalization: processes are placed into groups whose resource usage can be accounted for and limited.
...