The container-VM hybrid: an OCI runtime placing each container or Kubernetes pod inside a microVM (QEMU / Firecracker / cloud-hypervisor / Dragonball) running a real Linux kernel. Hardware-grade isolation with container UX; substrate for Confidential Containers.
The canonical OS-level virtualization stack: containers as host processes restricted by namespaces, cgroups, seccomp, capabilities, OverlayFS, and netfilter. Full walk from Docker Engine to containerd to runc to kernel features.
Google’s userspace-kernel sandbox: Sentry, a Go reimplementation of the Linux syscall ABI, services guest syscalls intercepted via KVM / ptrace / systrap platforms. Production isolation behind App Engine, Cloud Run, and Cloud Functions.