How do containers differ from virtual machines at the OS level?

VMs virtualize hardware - each guest has full OS, hypervisor manages resources. Containers share host kernel, only virtualizing user space. Linux containers use: namespaces (isolate PID, network, mount, user), cgroups (limit CPU, memory, I/O), seccomp (syscall filtering), capabilities (fine-grained privileges). Containers are lighter (MB vs GB), start faster (ms vs s), but weaker isolation (shared kernel attack surface). Windows containers can use Hyper-V isolation for stronger boundaries.