Isolation

Docker containers run in isolation from each other and from the host. Docker achieves this through a feature of the Linux kernel called namespaces, which give each container its own view of resources such as process IDs, network interfaces and mounted file systems.

Start a Docker container with the command docker container run -it alpine sh and list the processes inside it with ps -ef. Only the processes running in the context of the container are shown, not the processes of the host OS.

Start a second container with the same docker container run -it alpine sh command and start a long-running process in it with tail -f /dev/null (run it in the background so the shell stays usable). Running ps -ef in that second container lists the tail process, but running ps -ef in the original container does not. This shows that containers run in isolation from the host OS and from each other.

This isolation extends to the network. Running ip addr in each container shows that the containers have their own network interfaces and different IP addresses.

Their file systems are isolated as well. Running df -h shows that each container has its own mount points, and a file created in one container with touch /foo does not appear when you run ls -l /foo in the other container.
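The checks above are done from inside the containers. The same isolation can be verified from the host by reading the namespace identifiers the kernel exposes under /proc/<pid>/ns, which is the mechanism the notes above describe. The following script is an added example and is not part of the original notes or of Docker itself; the container name c1 in the usage comment is a constructed placeholder. It compares the pid, net, mnt, uts, ipc and user namespaces of two processes, which is a quick way to confirm that a container's main process does not share the host's process or network namespace (for instance after a container was started with --pid=host or --net=host).

```shell
# Added example (not from the original notes): compare the Linux namespaces of two
# processes by the inode ids the kernel exposes as symlinks in /proc/<pid>/ns.
# Two processes are in the same namespace of a given type exactly when the
# link targets (e.g. "pid:[4026531836]") are identical.

NS_TYPES="pid net mnt uts ipc user"

# ns_id PID TYPE -> prints the namespace identifier, empty if unreadable or absent
ns_id() {
    readlink "/proc/$1/ns/$2" 2>/dev/null
}

# ns_diff PID_A PID_B -> one tab-separated line per namespace type the two
# processes do NOT share: "<type> <id of A> <id of B>". Empty output means
# every readable namespace is shared.
ns_diff() {
    for t in $NS_TYPES; do
        a=$(ns_id "$1" "$t")
        b=$(ns_id "$2" "$t")
        if [ -n "$a" ] && [ -n "$b" ] && [ "$a" != "$b" ]; then
            printf '%s\t%s\t%s\n' "$t" "$a" "$b"
        fi
    done
}

# ns_shared_count PID_A PID_B -> number of namespace types both processes share
ns_shared_count() {
    n=0
    for t in $NS_TYPES; do
        a=$(ns_id "$1" "$t")
        b=$(ns_id "$2" "$t")
        if [ -n "$a" ] && [ "$a" = "$b" ]; then
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# Usage on a Docker host (run as a user allowed to read /proc/<pid>/ns of the
# container process, typically root). "c1" is a placeholder container name.
#   pid=$(docker inspect --format '{{.State.Pid}}' c1)
#   ns_diff "$pid" 1        # expect pid, net, mnt, uts and ipc to differ from host PID 1
#   ns_diff "$pid" 1 | grep -q '^net' || echo "WARNING: c1 shares the host network namespace"
```

The comparison against PID 1 is the useful one on a host: a container started normally differs from init in at least the pid, net, mnt, uts and ipc namespaces, and any type missing from the ns_diff output is one the container shares with the host.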