What is a Container? (and Kubernetes)


I don’t have a computer science background and I often hear people talk about containers and Kubernetes. I frankly have no idea what it is and how it is different from a virtual machine (remote computer). Would like to understand what this is and why it is useful.


4 Answers

Anonymous

When looking at a single computer (that is, either a virtual machine or a regular bare metal machine), there are certain things that you think of as “global”, shared across the whole thing. From a networking standpoint, 192.168.1.5 refers to the IP address on a specific network card which all services can use, only one program can listen to TCP port 80, and no matter what program asks for it “C:\hello.txt” refers to the same file on the same hard drive/partition.

Containers use features in Linux to say no to all of the above. There isn’t a single TCP/IP stack, but programs can make new ones somewhat freely, in which it is possible for a new program to listen to TCP port 80 because it’s not the same network stack as the original one. Filesystems and disks can be unmounted and moved around because there aren’t programs relying on them, because the new disk layout is separate from the original. PIDs are re-numbered starting from 1 again under a different umbrella of processes. And a bunch of other things.

Normally these features are all separate – network, disk, host identification, PIDs, inter-process communication. Chrome uses them for parts of its sandboxing. But if you hit all of them at once, you could create something that looks very much like a virtual machine to the untrained user, with their own private files, only their own running programs listed, and able to run any network service without colliding with another user.

Doing this we commonly call a container. It’s a lightweight virtual machine that’s a bit restricted – you can’t load custom drivers because it’s still the same kernel as the host and all other containers, but whatever app you want to install on Linux will largely just work within it.

There are 2 major classifications of a container: operating system containers, and app containers. An operating system container will boot mostly normally for a Linux host and have a login screen somewhere, even if you need some tool to reach it. Whereas an app container isolates a single application/service within the container, leaving little else installed. In the latter example the container software would be required to set up the network settings in the container because there’s nothing installed within it to do so, or even the real system network would be retained and the contained app just uses that instead.

Which leaves us with Kubernetes, which is broadly speaking a management engine for containers in much the same way VMware ESXi is a management engine for virtual machines across clusters of hosts. When you need another container started, it will take care of it. Things like saying, “Oh, the web server is busy, start another copy on one of our container hosts automatically”.
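The answer above describes a container as a process that has been given its own PID numbering and its own host identity while still sharing the host's kernel. The following C program is an added example, not code from the answer or from any container project, that makes those two points observable: it uses clone() with CLONE_NEWPID and CLONE_NEWUTS (wrapped in a new user namespace so it can run without root) and compares what the child sees with what the parent sees. It assumes a Linux host with glibc; the hostname "container-demo" is a constructed value for the demo. Hardened hosts that block unprivileged namespace creation (seccomp filters, user namespaces disabled by sysctl) make clone() fail with EPERM, and the program reports that instead of crashing, which is the case a defender cares about: the same kernel knobs that stop this demo are the ones that limit what a compromised process can carve out for itself.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/utsname.h>
#include <sys/wait.h>
#include <unistd.h>

#define STACK_SIZE (1024 * 1024)
#define DEMO_HOSTNAME "container-demo"   /* constructed name for this demo */

/* What the child observes from inside its freshly created namespaces. */
struct report {
    pid_t pid_seen_inside;   /* getpid() as the child sees it */
    int   renamed;           /* 1 if sethostname() succeeded inside the new UTS namespace */
    char  hostname[65];
    char  kernel_release[65];
};

/* Summary the parent assembles by comparing its own view with the child's. */
typedef struct {
    int   created;                /* 1 if the kernel granted the namespaces, 0 if it refused */
    int   err;                    /* errno explaining why created == 0 */
    pid_t pid_seen_inside;        /* 1: the child is "init" of its own PID namespace */
    pid_t pid_seen_outside;       /* the same process, numbered in the parent's namespace */
    int   same_kernel;            /* 1 if both sides report the same kernel release */
    int   host_renamed_inside;
    int   host_unchanged_outside; /* 1 if the parent's hostname was not affected */
    char  hostname_inside[65];
} ns_demo_result;

static int child_fn(void *arg) {
    int wfd = *(int *)arg;
    struct report rep;
    struct utsname u;
    memset(&rep, 0, sizeof rep);

    /* The creator of a user namespace holds CAP_SYS_ADMIN over the UTS namespace it owns,
       so this rename is confined to the child's view and never reaches the real host. */
    rep.renamed = (sethostname(DEMO_HOSTNAME, strlen(DEMO_HOSTNAME)) == 0);
    if (uname(&u) == 0) {
        snprintf(rep.hostname, sizeof rep.hostname, "%s", u.nodename);
        snprintf(rep.kernel_release, sizeof rep.kernel_release, "%s", u.release);
    }
    rep.pid_seen_inside = getpid();

    if (write(wfd, &rep, sizeof rep) != (ssize_t)sizeof rep)
        return 1;
    close(wfd);
    return 0;
}

ns_demo_result run_namespace_demo(void) {
    ns_demo_result r;
    struct report rep;
    struct utsname before, after;
    int fds[2];
    char *stack;
    pid_t child;
    ssize_t n;

    memset(&r, 0, sizeof r);
    if (uname(&before) != 0 || pipe(fds) != 0) { r.err = errno; return r; }
    stack = malloc(STACK_SIZE);
    if (!stack) { r.err = ENOMEM; close(fds[0]); close(fds[1]); return r; }

    /* CLONE_NEWUSER lets an unprivileged process own the new PID and UTS namespaces;
       hosts that forbid unprivileged user namespaces answer with EPERM here. */
    child = clone(child_fn, stack + STACK_SIZE,
                  CLONE_NEWUSER | CLONE_NEWPID | CLONE_NEWUTS | SIGCHLD, &fds[1]);
    if (child == -1) {
        r.err = errno;
        close(fds[0]); close(fds[1]); free(stack);
        return r;
    }
    close(fds[1]);
    n = read(fds[0], &rep, sizeof rep);
    close(fds[0]);
    waitpid(child, NULL, 0);
    free(stack);
    if (n != (ssize_t)sizeof rep || uname(&after) != 0) { r.err = EIO; return r; }

    r.created = 1;
    r.pid_seen_inside = rep.pid_seen_inside;
    r.pid_seen_outside = child;
    r.same_kernel = (strcmp(rep.kernel_release, after.release) == 0);
    r.host_renamed_inside = rep.renamed;
    r.host_unchanged_outside = (strcmp(before.nodename, after.nodename) == 0);
    snprintf(r.hostname_inside, sizeof r.hostname_inside, "%s", rep.hostname);
    return r;
}

int main(void) {
    ns_demo_result r = run_namespace_demo();
    if (!r.created) {
        printf("kernel refused new namespaces: %s\n", strerror(r.err));
        return 0;
    }
    printf("child sees itself as PID %d; the parent sees it as PID %d\n",
           (int)r.pid_seen_inside, (int)r.pid_seen_outside);
    printf("hostname inside: %s; host unchanged outside: %s; same kernel: %s\n",
           r.hostname_inside, r.host_unchanged_outside ? "yes" : "no",
           r.same_kernel ? "yes" : "no");
    return 0;
}
```

When the kernel allows it, the child reports PID 1 while the parent addresses the same process by an ordinary PID, the hostname change is visible only inside, and both sides print an identical kernel release, which is the "lightweight virtual machine that is still the same kernel" picture the answer gives. The same mechanisms, plus mount, network and IPC namespaces and cgroups, are what a container runtime assembles for every container it starts.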
