Linux containers are containers, not VMs. They are more like docker (although lxd/lxc are typically used more like jails/VMs: a "full" userland, rather than just an application binary, as with a docker container wrapping a service implemented in Go).
Technically, docker/lxc use kernel namespaces to isolate a process tree, whereas firecracker starts up a virtual machine.
When a VM context switch happens, the CPU uses extensions like Intel VMX to isolate the virtual machine code from the host code. Usually the hypervisor also forces a cache flush to mitigate CPU vulnerabilities.
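A practical way to see the distinction the comment draws (a namespace-isolated process tree versus a guest with its own kernel under a hypervisor) is to ask the kernel from inside the process. The following is an added example, not code from the original comment or from docker, lxc or firecracker. It assumes Linux with /proc mounted; the initial-namespace inode numbers it compares against are the fixed constants from the kernel's include/linux/proc_ns.h (mnt and net namespaces are allocated dynamically and so are not compared), and the `hypervisor` CPUID bit is the one most hypervisors, KVM-based ones such as firecracker included, expose to guests in /proc/cpuinfo. The sample cpuinfo text and namespace tables are constructed so the functions can be exercised offline; `main` runs the same checks against the live system.

```python
import os
import re

# Inode numbers of the *initial* namespaces, fixed in include/linux/proc_ns.h.
# A process whose inode differs for one of these is in a child namespace,
# i.e. a docker/lxc-style isolated process tree rather than the host's own.
INIT_NS_INO = {
    "ipc": 0xEFFFFFFF,     # PROC_IPC_INIT_INO
    "uts": 0xEFFFFFFE,     # PROC_UTS_INIT_INO
    "user": 0xEFFFFFFD,    # PROC_USER_INIT_INO
    "pid": 0xEFFFFFFC,     # PROC_PID_INIT_INO
    "cgroup": 0xEFFFFFFB,  # PROC_CGROUP_INIT_INO
}

NS_LINK_RE = re.compile(r"^([a-z_]+):\[(\d+)\]$")


def parse_ns_link(link):
    """Parse a /proc/<pid>/ns/<name> symlink target such as 'pid:[4026531836]'."""
    m = NS_LINK_RE.match(link)
    if not m:
        raise ValueError(f"not a namespace link: {link!r}")
    return m.group(1), int(m.group(2))


def read_namespaces(pid="self"):
    """Return {ns_name: inode} for <pid>, skipping namespace types this kernel lacks."""
    result = {}
    for name in INIT_NS_INO:
        try:
            _, ino = parse_ns_link(os.readlink(f"/proc/{pid}/ns/{name}"))
        except OSError:
            continue
        result[name] = ino
    return result


def isolated_namespaces(ns):
    """Names of namespaces whose inode is not the initial namespace's (sorted)."""
    return sorted(n for n, ino in ns.items()
                  if n in INIT_NS_INO and ino != INIT_NS_INO[n])


def cpuinfo_flags(cpuinfo_text):
    """Extract the CPU feature flags of the first processor entry in /proc/cpuinfo text."""
    for line in cpuinfo_text.splitlines():
        key, _, value = line.partition(":")
        if key.strip() == "flags":
            return set(value.split())
    return set()


def classify(ns, flags):
    """Summarise the isolation picture: container-style namespaces vs. VM-style guest."""
    hw_virt = "vmx" if "vmx" in flags else ("svm" if "svm" in flags else None)
    return {
        "namespace_isolated": isolated_namespaces(ns),  # non-empty => child namespaces
        "under_hypervisor": "hypervisor" in flags,      # CPUID.1:ECX[31], set by the VMM
        "hw_virt": hw_virt,                             # VMX/SVM visible to this kernel
    }


# Constructed samples (not captured from a real machine) for offline use.
SAMPLE_HOST_CPUINFO = (
    "processor\t: 0\nvendor_id\t: GenuineIntel\n"
    "flags\t\t: fpu vme de pse msr vmx sse2\n"
)
SAMPLE_GUEST_CPUINFO = (
    "processor\t: 0\nvendor_id\t: GenuineIntel\n"
    "flags\t\t: fpu vme de pse msr sse2 hypervisor\n"
)
# A process in fresh pid and uts namespaces, still in the initial user/ipc/cgroup ones.
SAMPLE_CONTAINER_NS = {
    "ipc": 0xEFFFFFFF, "uts": 4026532500, "user": 0xEFFFFFFD,
    "pid": 4026532498, "cgroup": 0xEFFFFFFB,
}
# A guest's init: its own kernel, so every namespace is that kernel's initial one.
SAMPLE_GUEST_NS = dict(INIT_NS_INO)


def demo():
    """Classify the constructed samples; returns (container_verdict, guest_verdict)."""
    return (classify(SAMPLE_CONTAINER_NS, cpuinfo_flags(SAMPLE_HOST_CPUINFO)),
            classify(SAMPLE_GUEST_NS, cpuinfo_flags(SAMPLE_GUEST_CPUINFO)))


if __name__ == "__main__":
    with open("/proc/cpuinfo") as f:
        live_flags = cpuinfo_flags(f.read())
    print("live:", classify(read_namespaces(), live_flags))
    print("samples:", demo())
```

Two caveats worth keeping in mind when reading the output: the namespace check only tells you that the process is not in the host kernel's initial namespaces, so a container running inside a VM reports both `namespace_isolated` and `under_hypervisor`; and `vmx`/`svm` showing up inside a guest means the hypervisor is exposing nested virtualisation, not that you are on bare metal.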