What is chroot?
chroot is a Linux syscall that changes the root directory of a process. It is widely believed that containers are implemented using chroot. This is wrong, but it does make sense. If you run ls inside a container, you only see files from that container. chroot is more than capable of making that happen.
I too used to think that containers use chroot. But now I know better.
What does the source code say?
If containers were implemented with chroot, you'd expect container runtimes to call chroot in their source code.
So I searched runc's code for chroot. Hmm, it does appear there after all. But a closer look reveals that chroot usually isn't called! The code path that normally runs instead calls a mysterious function named pivotRoot.
pivot_root vs chroot
pivotRoot is a wrapper for the Linux syscall pivot_root. What is pivot_root then? Basically, chroot++.
But what's wrong with chroot? For starters, it's trivial for a rogue process to undo a chroot. It just needs to call chroot again and reverse the first call. Whoops. Isolation broken.
With pivot_root you can jail a set of processes inside a directory properly. And that's a must for containers.
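As an added illustration (not runc's code), here is the pivot_root sequence a runtime performs to build that jail: a private mount namespace, a bind mount so the new root is a mount point, pivot_root onto itself, and a lazy unmount of the old root. The helper name PivotInto is my own; running it for real requires root (or CAP_SYS_ADMIN in a user namespace) and a prepared rootfs directory, so the path check up front is the only step that runs unprivileged.

```go
package main

import (
	"fmt"
	"os"
	"runtime"
	"syscall"
)

// PivotInto moves the calling thread into a mount namespace whose root is
// newRoot, mirroring the steps runc takes. The old root is detached, so a
// process inside cannot walk back out the way it could after a plain chroot.
func PivotInto(newRoot string) error {
	st, err := os.Stat(newRoot) // fails with ErrNotExist before any privileged step
	if err != nil {
		return err
	}
	if !st.IsDir() {
		return fmt.Errorf("%s: not a directory", newRoot)
	}
	runtime.LockOSThread() // namespaces are per OS thread; stay on this one
	if err := syscall.Unshare(syscall.CLONE_NEWNS); err != nil {
		return fmt.Errorf("unshare(CLONE_NEWNS): %w", err)
	}
	// Make all mounts private so the pivot does not propagate back to the host.
	if err := syscall.Mount("", "/", "", syscall.MS_REC|syscall.MS_PRIVATE, ""); err != nil {
		return fmt.Errorf("mount --make-rprivate /: %w", err)
	}
	// pivot_root requires new_root to be a mount point: bind it onto itself.
	if err := syscall.Mount(newRoot, newRoot, "", syscall.MS_BIND|syscall.MS_REC, ""); err != nil {
		return fmt.Errorf("bind mount %s: %w", newRoot, err)
	}
	if err := syscall.Chdir(newRoot); err != nil {
		return err
	}
	// Stack the old root on top of "." so no separate put_old directory is needed.
	if err := syscall.PivotRoot(".", "."); err != nil {
		return fmt.Errorf("pivot_root: %w", err)
	}
	// Detach the old root, now the mount sitting underneath ".".
	if err := syscall.Unmount(".", syscall.MNT_DETACH); err != nil {
		return fmt.Errorf("unmount old root: %w", err)
	}
	return syscall.Chdir("/")
}

func main() {
	if len(os.Args) != 2 {
		fmt.Fprintln(os.Stderr, "usage: pivot <rootfs-dir>")
		os.Exit(2)
	}
	if err := PivotInto(os.Args[1]); err != nil {
		fmt.Fprintln(os.Stderr, "error:", err)
		os.Exit(1)
	}
	entries, _ := os.ReadDir("/")
	fmt.Println("new root contains", len(entries), "entries")
}
```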
