A container is a single packaged process that runs in isolation from the rest of the machine, with its own files, libraries and process space, while sharing the host's kernel. It is the running unit a tool like Docker starts from an image, lighter than a virtual machine because it does not boot its own operating system.
At a glance

  What it is:              One isolated, packaged process, running from an image
  What it shares:          The host kernel, so it is far lighter than a virtual machine
  What it keeps separate:  Its own files, libraries, network view and processes
  Lifespan:                Disposable; data you keep must live in a volume, not the container
Comparison: container versus virtual machine

                     Virtual machine                    Container
  Operating system   Boots its own full OS              Shares the host kernel
  Weight             Heavy, gigabytes, slow to start    Light, starts in seconds
  Isolation          Strong, hardware-level boundary    Process-level, shares the kernel
What makes a container different from a virtual machine?
A container is a single process, or a small group of them, fenced off from the
rest of the machine: it sees its own files, its own libraries, its own network,
and cannot trip over another service’s. What it does not have is its own
operating system. A virtual machine boots a whole kernel and pretends to be a
separate computer, which is heavy. A container borrows the host’s kernel and only
packages the layer above it, which is why it starts in seconds and costs a
fraction of the memory.
That trade is the whole point. You give up the hard hardware-level boundary a
virtual machine draws, and in return you get something cheap enough to run dozens
of, rebuild on a whim, and ship identically from one host to the next.
How should you treat a container?
As disposable. The container holds a running service, not your data. Anything you
need to survive a restart, a database, uploads, logs you care about, has to live
in a volume mounted from the host; otherwise it disappears the moment the
container is removed. This sounds like a hazard and is actually the discipline
that keeps a stack clean: the running part is replaceable, the data is the part
you protect, and the two never get confused. Docker is the usual tool that starts
and stops these containers, but the container is the unit that does the work.
Check it yourself

    docker ps -a

Each row is a container: its image, its status, and whether it is running or stopped. The kernel they share is your host's.
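The three claims above (the shared kernel, the disposable filesystem, and data surviving only in a volume) carried out with Docker, as an added example that is not part of the original page. It assumes a local Docker daemon and the public alpine image; the container name demo-scratch and the volume name demo-notes are made up for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original page. Assumes a local Docker daemon
# and the public "alpine" image; container and volume names are made up.
set -eu

# 1. Shared kernel: the kernel version reported inside the container is the
#    host's, which is exactly why a container cannot isolate more than that
#    kernel does.
show_shared_kernel() {
    echo "host kernel:      $(uname -r)"
    echo "container kernel: $(docker run --rm alpine uname -r)"
}

# 2. Disposable: a file written into the container's own filesystem is gone
#    once that container is removed, even if a new one starts from the same image.
show_data_lost_with_container() {
    docker run --name demo-scratch alpine sh -c 'echo kept? > /data.txt'
    docker rm demo-scratch >/dev/null
    docker run --rm alpine sh -c \
        'test -f /data.txt && echo "still there" || echo "gone: /data.txt lived in the container"'
}

# 3. Durable: the same write into a named volume survives container removal,
#    because the volume belongs to the host, not to any one container.
show_data_kept_in_volume() {
    docker run --rm -v demo-notes:/data alpine sh -c 'echo kept > /data/note.txt'
    docker run --rm -v demo-notes:/data alpine cat /data/note.txt   # prints: kept
    docker volume rm demo-notes >/dev/null
}

# 4. The "check it yourself" step, narrowed to the stopped containers that
#    still sit on the host. Reads "name<TAB>status" lines as produced by
#    docker ps -a --format '{{.Names}}\t{{.Status}}' and prints the names
#    whose status is Exited, Created or Dead.
stopped_containers() {
    awk -F'\t' '$2 ~ /^(Exited|Created|Dead)/ { print $1 }'
}

# Only the Docker-dependent parts run when a daemon is actually available.
if command -v docker >/dev/null 2>&1; then
    show_shared_kernel
    show_data_lost_with_container
    show_data_kept_in_volume
    docker ps -a --format '{{.Names}}\t{{.Status}}' | stopped_containers
fi
```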
A container is:
  An isolated copy of one service, started from an image
  Light, because it shares the host kernel instead of booting its own
  Disposable, meant to be rebuilt rather than repaired in place
  Bounded, kept from clashing with other services on the same host

A container is not:
  A virtual machine; it has no kernel of its own
  A safe place for data, unless that data sits in a mounted volume
  Stronger isolation than the kernel it shares can provide
  Self-starting after a reboot without a supervisor to bring it up