What allows OS containers to provide isolation from each other?

The correct answer is related to how OS containers operate by utilizing a shared kernel among them. Containers are lightweight, as they do not require a full operating system to run each instance like virtual machines do. Instead, they share the same underlying operating system kernel while maintaining their own isolated user space, which includes libraries, dependencies, and configuration files.

This approach enables containers to run processes in isolation from one another, though they all rely on the same kernel. The isolation is achieved through various technologies such as control groups (cgroups) and namespaces. Namespaces ensure that processes within a container cannot see or interact with processes from another container, while cgroups are used to limit and prioritize resource allocation.

The isolation mechanism provided by the shared kernel is a core advantage of containers, making them efficient and fast, as they can share resources without the overhead of full virtualization.