Isolation in Containers
Isolation is achieved with Linux kernel namespaces.
Even though Docker gives the feeling that each application runs on its own machine, that is not true.
A container is just another isolated environment in which a process executes: the Docker image does not contain a kernel, so the process shares the host's.
clone() Method
Similar to the fork() system call on Linux, containers use the clone() system call to start the process. The application process named in the Dockerfile (its ENTRYPOINT/CMD) is started this way.
clone() takes flags that specify which new namespaces (PID, mount, network, UTS, IPC, and so on) should be created for the new process.
When we pass --network=host to the docker command, the runtime simply omits the network-namespace flag, so the container shares the host's network stack (interfaces, ports, firewall rules) and that layer of isolation is gone.
Kernel Dependency
Since a container does not have a kernel packaged inside, it can only run on a host whose kernel its binaries were built for: a Linux container needs a Linux kernel of a compatible architecture, which is why Docker Desktop on macOS and Windows runs a Linux VM underneath.
Even though the container has its own rootfs, every system call generated by the binaries in that rootfs is handled by the host kernel. The security consequence is that a kernel bug reachable through a system call is reachable from inside the container; namespaces isolate processes from each other, not from the kernel, which is why seccomp profiles and dropped capabilities matter.
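As an added example that is not part of the original note, and not Docker's or runc's own code: a minimal C program that starts a child with clone() in fresh PID, mount, UTS and IPC namespaces and adds a network namespace unless --network=host is given, mirroring the clone() section above. The exact namespace set is an assumption for illustration; Docker's real flag set depends on its configuration. The child also prints the kernel release from uname(), which is the host kernel's because, as the kernel dependency section says, there is only one kernel. Creating these namespaces requires CAP_SYS_ADMIN, so run the binary as root (or under sudo).

```c
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/utsname.h>
#include <sys/wait.h>
#include <unistd.h>

/* Namespaces always created in this demo (assumed set, for illustration). */
#define BASE_NS (CLONE_NEWPID | CLONE_NEWNS | CLONE_NEWUTS | CLONE_NEWIPC)

/* Compose the clone() flags. host_net mirrors --network=host:
 * the network namespace flag is simply left out. */
int ns_flags(int host_net)
{
    int flags = BASE_NS;
    if (!host_net)
        flags |= CLONE_NEWNET;
    return flags;
}

/* Entry point of the "containerised" child. */
static int child(void *arg)
{
    (void)arg;
    const char *name = "sandbox";
    struct utsname u;

    /* Only changes the hostname inside the new UTS namespace. */
    if (sethostname(name, strlen(name)) != 0)
        perror("sethostname");
    uname(&u);

    /* pid is 1 inside a new PID namespace; the release string is the
     * host kernel's, because the child runs on the same kernel. */
    printf("child: pid=%ld hostname=%s kernel=%s\n",
           (long)getpid(), u.nodename, u.release);
    return 0;
}

/* Start child in fresh namespaces. Returns 0 on success, otherwise the
 * errno from clone() (EPERM when run without CAP_SYS_ADMIN). */
int spawn_isolated(int host_net)
{
    enum { STACK_SIZE = 1024 * 1024 };
    char *stack = malloc(STACK_SIZE);
    if (!stack)
        return ENOMEM;

    /* Stack grows down on x86/ARM, so pass the top of the buffer. */
    pid_t pid = clone(child, stack + STACK_SIZE,
                      ns_flags(host_net) | SIGCHLD, NULL);
    if (pid == -1) {
        int e = errno;
        free(stack);
        return e;
    }
    waitpid(pid, NULL, 0);
    free(stack);
    return 0;
}

int main(int argc, char **argv)
{
    int host_net = argc > 1 && strcmp(argv[1], "--network=host") == 0;
    struct utsname u;

    uname(&u);
    printf("parent: pid=%ld hostname=%s kernel=%s\n",
           (long)getpid(), u.nodename, u.release);

    int rc = spawn_isolated(host_net);
    if (rc)
        fprintf(stderr, "clone failed: %s (needs CAP_SYS_ADMIN)\n", strerror(rc));
    return rc ? 1 : 0;
}
```

Build with `gcc -Wall -o nsdemo nsdemo.c`, then compare `sudo ./nsdemo` with `sudo ./nsdemo --network=host`: in the first run `ip link` from the child would show only a loopback device, in the second it sees the host's interfaces, while the kernel release printed by parent and child is identical in both runs.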