Go beyond the surface: "Containers share the host kernel and use namespaces for isolation. This means no boot sequence, no guest OS memory overhead, and millisecond startup. The trade-off is weaker isolation than VMs — a kernel exploit escapes all containers."
VMs virtualise the hardware layer — each VM runs a full guest OS on a hypervisor. Containers virtualise the OS layer — they share the host kernel and isolate processes using namespaces and cgroups. Containers are more efficient because they skip the guest OS overhead: faster startup (milliseconds vs minutes), lower memory footprint (MBs vs GBs), and higher density (hundreds of containers vs tens of VMs on the same host). Trade-offs: containers share a kernel, so a kernel vulnerability affects all containers. VMs provide stronger isolation. Strong candidates mention: OCI runtime spec, the role of namespaces (pid, net, mnt, uts, ipc, user) and cgroups (resource limits), and that containers are not lightweight VMs — they are isolated processes.
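The "containers are isolated processes" point can be checked directly on a Linux host: every process exposes its namespace membership as inodes under /proc/<pid>/ns, and a container is simply a process whose inodes differ from PID 1's. The helper below is an added example, not part of the original question or answer; it compares a process's namespaces with init's and parses the cgroup v2 memory.max limit, and the inode values in the test are constructed.

```python
import os
from typing import Dict, Optional, Set

# The namespace kinds the model answer lists. Note that Docker's default
# does NOT give a container its own user namespace, so that one is often shared.
NAMESPACES = ("pid", "net", "mnt", "uts", "ipc", "user")


def read_namespaces(pid: int) -> Dict[str, str]:
    """Return {ns_name: 'ns:[inode]'} for a live process, read from /proc.
    Entries that cannot be read (permission, dead process) are skipped."""
    found: Dict[str, str] = {}
    for ns in NAMESPACES:
        try:
            found[ns] = os.readlink(f"/proc/{pid}/ns/{ns}")
        except OSError:
            pass
    return found


def shared_namespaces(a: Dict[str, str], b: Dict[str, str]) -> Set[str]:
    """Namespaces in which both processes have the same inode, i.e. no isolation."""
    return {ns for ns in NAMESPACES if ns in a and ns in b and a[ns] == b[ns]}


def isolation_report(proc: Dict[str, str], init: Dict[str, str]) -> Dict[str, bool]:
    """Per namespace: True means the process is isolated from init, False means it
    shares init's namespace (a kernel bug there affects both equally)."""
    shared = shared_namespaces(proc, init)
    return {ns: ns not in shared for ns in NAMESPACES if ns in proc and ns in init}


def parse_cgroup_memory_max(text: str) -> Optional[int]:
    """Parse cgroup v2 memory.max: 'max' means no limit (None), otherwise bytes."""
    value = text.strip()
    return None if value == "max" else int(value)


def audit(pid: int) -> Dict[str, bool]:
    """Compare a running process against PID 1 on this host."""
    return isolation_report(read_namespaces(pid), read_namespaces(1))


if __name__ == "__main__":
    # Run inside a container this shows which namespaces it really owns.
    for ns, isolated in audit(os.getpid()).items():
        print(f"{ns:5} {'isolated' if isolated else 'SHARED with init'}")
```

Running it inside a container started with default settings typically prints `user SHARED with init`, which is exactly the weaker-isolation trade-off the answer describes.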
Fundamental containerisation knowledge. Candidates who say containers are lightweight VMs have a mental model that will cause security and architecture mistakes. Those who mention namespaces and cgroups understand what Docker actually does.