Ah, Docker. I've studied and played with it a bit on the edges, while I've mainly focused on general containers and Kubernetes. But to really understand it, I have to dig a bit deeper into the whole Docker side.

On the surface, Docker containers are simple to understand -- they work much like a virtual machine, but more lightweight. While a VM gives you fairly decent isolation, one of the key benefits of a container is less isolation, which means both less overhead and less memory used. Containers use the host machine's kernel and resources, relying on mechanisms such as cgroups (control groups) to control what a particular container can do. Along with file restrictions based on mounts and chroot and visibility restrictions based on namespaces, containers can be restricted to a small subset of what the host might have available.

When we "boot" a container, it simulates running a Linux operating system, and often uses a lightweight "distro" tuned for containers. As these containers are focused on running a single process or program, we can often shed much of the conventional bits that make up a modern OS, and harden a bit more fully than an ordinary machine.

Now, file systems for me are a bit fuzzy. I do know that container "images" are built up of layers, and that each layer can have its own config. I also know that a container's writeable layer is an overlay, and only changes are kept in this layer. I'm not sure how all of this works under the covers though, or exactly the process of creating a new image or hauling out an existing one.

Okay, so it seems I actually do know a bit, but there are some gaps to fill in, and some more writing to be done.
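
The layer model described above (read-only image layers with a writable layer on top that keeps only changes), sketched as an added example that is not part of the original post and not Docker's own code. It is a simplified in-memory model; the class, function names and sample files are assumptions, and the `.wh.` prefix is the OCI image convention for marking a deletion.

```python
# Added illustration (not from the original post): a simplified in-memory
# model of image layers and a container's writable layer.
WHITEOUT = ".wh."  # OCI image layers mark a deleted file as ".wh.<name>"

def _name(path):
    return path.rpartition("/")[2]

def flatten(layers):
    """Merge read-only layers, bottom to top, into one path -> content view."""
    view = {}
    for layer in layers:
        for path in layer:
            if _name(path).startswith(WHITEOUT):
                # A whiteout hides the file or directory tree beneath it.
                parent = path.rpartition("/")[0]
                target = f"{parent}/{_name(path)[len(WHITEOUT):]}"
                view = {p: c for p, c in view.items()
                        if p != target and not p.startswith(target + "/")}
        view.update({p: c for p, c in layer.items()
                     if not _name(p).startswith(WHITEOUT)})
    return view

class Container:
    """Read-only image view plus a writable layer that holds only changes."""
    def __init__(self, layers):
        self.lower = flatten(layers)
        self.upper = {}       # files the container created or modified
        self.deleted = set()  # deletions recorded in the writable layer

    def read(self, path):
        if path not in self.deleted:
            for layer in (self.upper, self.lower):  # upper shadows lower
                if path in layer:
                    return layer[path]
        raise FileNotFoundError(path)

    def write(self, path, content):
        self.deleted.discard(path)
        self.upper[path] = content  # the image below is never modified

    def remove(self, path):
        self.read(path)  # raises if the file is not visible
        self.upper.pop(path, None)
        if path in self.lower:
            self.deleted.add(path)

# Constructed sample image: a base layer, then a layer that edits one file
# and deletes another.
IMAGE = [
    {"/etc/os-release": "base", "/bin/sh": "shell", "/tmp/build.log": "noise"},
    {"/etc/os-release": "patched", "/tmp/.wh.build.log": ""},
]
```

The whiteout only hides `/tmp/build.log` from the merged view; the file is still present in the lower layer, which is why a secret deleted in a later build step remains recoverable from the image.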