Virtual machines work by packaging the application and the operating system. This makes the packages (referred to generally as images) pretty fat. It also is pretty inefficient since there are multiple operating systems running on top of the actual "host" OS.

Containers enable isolation at an OS level, using constructs such as the following:

• Quota allocation and the enforcement of resources, for example, CPU, memory, block I/O, and network
• Namespace isolation functionality that provides each container with an isolated view of the operating environment, including filesystem, process trees, user IDs, and so on

This isolation mechanism is much more efficient than the guest operating system concept in virtual machines. This enables the deployment of a lot of containers onto a single computer.

Containers initially lacked a standard packaging system. Docker solved this problem by providing a standard for packaging, a runtime (daemon), and tools (client) for packaging, managing and distributing containerized applications. The packaging format is called an image. It essentially is a template listing instructions for creating a container. Very often images are derived from another image and list specific customization from the base image.

For example, one can have an image that is based on a CentOS and installs Nginx and the application. Docker also has the concept of a registry, which is a repository of Docker images. Docker Hub and Docker Cloud are public registries that anyone can use, but one can also run their own private registry for images within an organization, as shown in the following diagram:

While containers are cool, managing them at scale requires specialized solutions. There are many options for orchestrating containers. Kubernetes, Mesos, and Docker Swarm are some of the popular solutions.