Containerization

Operating system processes are the central units of work that an operating system runs. Each user application, which is essentially a set of machine code on permanent storage, becomes a running process when it is read from disk, mapped into main memory, and its instructions start executing on the processor.
An application can consist of one or more processes, and on Linux, each application thread is executed as a separate process sharing the same memory area. Apart from that, a process can't access the memory that other processes are using; this is an important concept for security and stability. Still, all processes can see and use the same set of resources that the operating system provides.

With hypervisors directly running on the bare metal hardware, at least we got rid of the host operating system and saved some resources. But is there a better way? Can't we get rid of the guest operating systems as well? Let's have a look at containerization:

As you might have noticed, we got rid of the guest operating systems and replaced them with containers. So what's the advantage here?

A container does not run on top of a virtualized hardware stack. In fact, all user applications run directly on the host operating system. The only difference is that the individual operating system processes (the runtime components making up a user application) are fenced off from each other and from the host operating system. From the user application's point of view, it is alone on the host operating system: it sees neither what else is going on on the host nor the contents of other containers.

So how is this achieved? This concept originated in the Linux kernel and is the de facto standard for container-based virtualization. Two major Linux kernel extensions make this possible: cgroups and namespaces.
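The following is an added example, not part of the original text: Linux exposes a process's namespaces as links under `/proc/<pid>/ns` and its cgroup membership in `/proc/<pid>/cgroup`, so comparing a process against the host shows which parts of it are actually fenced off. The inode numbers and the cgroup path below are constructed sample values, and the function names are hypothetical.

```python
import os
import re

# A namespace link reads like "pid:[4026531836]": the type, then the namespace inode.
NS_LINK = re.compile(r"^(\w+):\[(\d+)\]$")

def parse_ns(links):
    """Map namespace type -> inode from the link targets of /proc/<pid>/ns/*."""
    out = {}
    for link in links:
        m = NS_LINK.match(link.strip())
        if m:
            out[m.group(1)] = int(m.group(2))
    return out

def parse_cgroup(text):
    """Parse /proc/<pid>/cgroup lines ("id:controllers:path") into (controllers, path)."""
    rows = []
    for line in text.splitlines():
        parts = line.split(":", 2)
        if len(parts) == 3:
            rows.append((parts[1], parts[2]))
    return rows

def shared_with_host(host_ns, proc_ns):
    """Namespace types where the process has the host's inode, i.e. no isolation."""
    return sorted(t for t, ino in proc_ns.items() if host_ns.get(t) == ino)

def read_ns(pid):
    """Read live namespace links for a PID (Linux only, needs access to that /proc entry)."""
    base = f"/proc/{pid}/ns"
    return parse_ns(os.readlink(os.path.join(base, n)) for n in os.listdir(base))

# Constructed sample data: a host process and a containerized process.
HOST = ["mnt:[4026531841]", "pid:[4026531836]", "net:[4026531840]",
        "uts:[4026531838]", "ipc:[4026531839]", "user:[4026531837]"]
CONTAINER = ["mnt:[4026532571]", "pid:[4026532574]", "net:[4026532576]",
             "uts:[4026532572]", "ipc:[4026532573]", "user:[4026531837]"]
CONTAINER_CGROUP = "0::/example.slice/container-a.scope\n"

if __name__ == "__main__":
    host, ctr = parse_ns(HOST), parse_ns(CONTAINER)
    # In this sample only the user namespace is still shared with the host.
    print("shared with host:", shared_with_host(host, ctr))
    print("cgroup membership:", parse_cgroup(CONTAINER_CGROUP))
```

On a live Linux system, `read_ns(1)` and `read_ns(pid)` can replace the sample lists, given permission to read those `/proc` entries.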
