* Containers enable companies to package up and isolate applications with all the nessesary files for each to run. This makes it easy to move containerized apps
  to different environments while retaining their full functionality. Containers are nothing more than Linux processes with a restricted view of the machine
  they're running on. With containers a single kernel runs multiple seperate, walled-off userlands (ring 3 stuff). There's no emulation, no seperate memory
  spaces, or virtual disks. A single kernel just juggles multiple processes in one memory space, as it was designed to do. To the kernel their just ordinary
  programs.. This is all good, however there's only one kernel so you can only run Linux containers on Linux, and if an app in a container needs an OS update,
  then everyone gets it, as there's only one OS to perfrom that update (and the whole machine must be rebooted). 
* You can write a barebones container with just a few lines of Go..
* Lxd offers most of the functionality of Xen or KVM-style Linux-on-Linux virtualization but with greater efficiency. 
* Lxds share nothing but the kernel so they can contain different LINUX distros than that of the host; with the caveat that those distros must work with kernel
  of the host's version of Ubuntu.. It uses btrfs or zfs to provide snapshotting and copy-on-write. Block devices on the host such as disk drives,
  network connections, almost anything can be dedicated to particular containers. You can limit the alotted resources and even dynamically change as needed
  (i.e. CPU cores. RAM, etc). You can also pin containers to partiulcar cores... 
* Software Containers differ from sandboxes in that they assume everything within it is considered dangerous. Many containers today are built around an app and
  isolate attacks from spreading to other parts of the OS. There are also container-based configurations such as chroot jails.. 
* The host's /proc holds information about all the containerized processes. This includes environment variables, which are also stored in the /proc pseudo-filesystem,
  meaning that your host machine has access to the environment for all your running containers. This potentially has security consequences if you're passing
  secrets like certificates or database passwords into your containers through environment variables. Also containers have no mechanism for detecing the need
  for updates, or for automatically updating, and can, therefore, be a source of vulnerabilties in themselves. But universial packages (such as Flatpak or Snap) can
  can add another level of security by installing in containers that isolate them from the rest of the system..
* Containers are more efficent than whole-system virtualization and is why companies are adopting them. The cost of this new approach is that admins need to
  learn new security and management skills and tools. 
* Some serious threats of containers can include DDOS at the application level, and use of insecure apps to flood the network and affect other
  containers 
* "LXD is a pure container system that looks as much as possible like a full hyperviser, without actually being one"
* Containers by themselves are not secure and is why namespaces should also be used