Container internals

https://debugged.it/blog/under-the-hood-of-docker/
https://github.com/janoszen/demo-container-runtime

SECCOMP - prevents dangerous syscalls: a BPF filter restricts which syscalls (and arguments) the process may make
CGROUP - limits and accounts for the resources (CPU, memory, I/O, number of PIDs) used by a group of processes
CHOWN - changes file ownership (chown(2)), e.g. so the container's files belong to the user the container runs as; arbitrary use requires CAP_CHOWN
CAPABILITIES - split root's privileges into fine-grained units (e.g. CAP_NET_ADMIN, CAP_SYS_ADMIN) so a process keeps only the ones it needs
NAMESPACE - provides processes with their own view of the system (PID, mount, network, UTS, IPC, user and cgroup namespaces)