Containers are based on a shared operating system. This makes them very lightweight and efficient because they don't have to virtualize any hardware; instead they run on top of a single Linux instance.
LXD, a hypervisor focused entirely on containers, is being developed by Ubuntu. This new hypervisor will provide the added layer of security that containers need. What's more, this won't simply be a software-level security approach: work is being done on hardware that will isolate containers at the chip level.
In addition to the security benefits provided by a hypervisor, the fact that only certain parts of certain OS libraries are used means that only the essential components can be targeted, not the cruft that comes with a full-fledged OS.
Between the hypervisor's management domain and an unprivileged domain, unavoidable functionality such as encryption, filtering or tunneling can be implemented. The added latency is almost unnoticeable.
Depending on the host, a hypervisor may take up anywhere from 3% to 35% of the host's memory and CPU resources.
Low density, performance, scalability. While some of these issues are mitigated by new hardware features such as VT-d, the overhead is considerable.
In certain specialized cases many of these issues can be sidestepped by using unikernels. Unikernels are specialized, lightweight operating systems for hypervisors. They are built to run only the necessary processes, with only the necessary parts of the necessary libraries, in order to vastly increase performance. They reduce the memory footprint, the need for disk space and the computational burden. Additionally, they further reduce the attack surface.
Two to six times as many virtual environments can be created with containers as with hypervisors for the same hardware cost, since containers don't need to emulate hardware or duplicate OS elements for each guest OS.
Since containers are run using shared resources, if any container is compromised, the host is compromised as well.
Many of the security concerns can be alleviated by running containers within hypervisors.