Virtualization is a technique that allows multiple instances, typically running different guest operating systems, to run on a single piece of physical hardware. A hypervisor, a software layer that runs either directly on the hardware or on top of a host operating system, creates and manages these guest operating systems. Rather than running different services on separate servers for reliability and security reasons, companies began to apply virtualization to their servers and run these services within a single machine. This approach has proven beneficial, because it preserves much of the fault containment and isolation of dedicated servers while greatly improving resource utilization. Although hypervisor-based virtualization offers strong isolation, it also carries a high overhead: every guest brings a complete operating system kernel that must be booted, scheduled and kept in memory alongside the others. To address this issue, another form of virtualization, known as operating system-level virtualization, has emerged. It is lightweight, minimal and efficient because the different instances (containers) run on top of the same host kernel and share the host operating system's resources. But sharing one host kernel weakens the isolation between instances: the kernel is a single trusted component for all of them, and a flaw in it, or in a kernel interface that is not separated per instance, can affect every instance on the host. In this paper, we first establish the basic concepts of virtualization and point out the differences between hypervisor-based virtualization and operating system-level virtualization. Next, we discuss the container creation life-cycle, which helps in forming a threat model for container systems and lets us map the potential attack vectors within them. Finally, we discuss a case study that further examines the isolation provided by containers.