Containers in Linux are more a conceptual collection of different isolation techniques. Mostly just based on Linux namespaces. But things like cgroups, Linux capabilities, occasionally MAC (SELinux, etc.) and a few other items often get thrown in the mix.
https://www.redhat.com/en/blog/7-linux-namespaces
After a quick view of the apptainer documentation it looks like it minimally takes advantage of user and mount namespaces. So each apptainer gets its own idea of what the users/groups are and what the file system looks like.
Flatpak is more about desktop application sandboxing. So while it does use user and mount namespaces like apptainer it takes advantage of more Linux features than that to help enhance the isolation.
Which appears to be the opposite of the point of apptainer. Apptainer wants to use containers that integrate tightly with the rest of the system with very little isolation versus Flatpak wants to be maximally isolated with only the permissions necessary for the application.
That isn't to say that apptainer can't use more Linux features to increase isolation. It supports the use of cgroups for resource quotas and can take advantage of different types of namespaces for network isolation among other things.
Now as far as "OSTree vs containers" statement you are replying to... This is kinda misleading.
OSTree is designed to manage binary files in a way similar to git with text files. It isn't a type of container technology in itself. It is just used for managing how objects on the file system are arranged and managed.
It is used by some flatpak applications, but it is used for things besides flatpak.
The 'containers' he mentioned is really a reference to OCI container image format.
OCI container images are, again, a way to manage the file system contents typically used in containers. They aren't a container technology themselves.
It is like a tarball, but for file system images.
OCI containers are a standardized version of Docker images.
Due to the popularity and ubiquity of OCI image related tools and hosting software it makes sense for Flatpak to support it.
OCI images, when combined with bootc, also can be used to deploy Linux container images to "bare hardware". Which is gaining popularity in helping to create and deploy "immutable" or "atomic" Linux distributions. Fedora Atomic-based OSes seem to be moving to use Bootc with OCI over pure OSTree approach... although they still use OSTree in some capacity.
Incidentally Apptainer supports the use of OCI images (in addition to its native SIF) as well as other commonly used container technologies like CNI. CNI is container network interface and is used with Kubernetes among other things.
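The comment above describes containers as a mix of namespaces that each runtime applies to a different degree. As an added example (not part of the original posts), this script compares the namespace links under `/proc/<pid>/ns` for two processes and reports which namespace types are shared and which are isolated; the function names are illustrative.

```python
"""Compare the namespaces of two processes via /proc/<pid>/ns (Linux only)."""
import os
import sys

# Namespace types exposed under /proc/<pid>/ns on current kernels.
NS_TYPES = ("cgroup", "ipc", "mnt", "net", "pid", "time", "user", "uts")


def read_namespaces(ns_dir):
    """Map namespace type -> link target such as 'mnt:[4026531840]', or None."""
    result = {}
    for ns in NS_TYPES:
        try:
            result[ns] = os.readlink(os.path.join(ns_dir, ns))
        except OSError:  # entry missing (older kernel) or no permission
            result[ns] = None
    return result


def compare_namespaces(host_dir, target_dir):
    """Classify each namespace type as 'shared', 'isolated' or 'unknown'."""
    host = read_namespaces(host_dir)
    target = read_namespaces(target_dir)
    report = {}
    for ns in NS_TYPES:
        if host[ns] is None or target[ns] is None:
            report[ns] = "unknown"
        elif host[ns] == target[ns]:
            report[ns] = "shared"
        else:
            report[ns] = "isolated"
    return report


def isolated_types(report):
    return sorted(ns for ns, state in report.items() if state == "isolated")


if __name__ == "__main__":
    # Usage: script.py <pid>  (compares that process with this script's own)
    pid = sys.argv[1] if len(sys.argv) > 1 else "self"
    report = compare_namespaces("/proc/self/ns", f"/proc/{pid}/ns")
    for ns, state in report.items():
        print(f"{ns:7} {state}")
```

Run it from a host shell against the PID of a process started inside the container or sandbox; reading another user's `/proc/<pid>/ns` links may need elevated privileges, in which case those types show as `unknown`.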
Thanks a crazy lot for writing this as it actually made me genuinely understand the differences.
And also, I must say that one of the most underrated parts which you told which I didn't know about was that apptainer can be "unisolated?" i.e. we don't have to do crazy shenanigans for it to access my files and it can just do it simply.
Like someone else had mentioned https://nixery.dev/ and I wanted to see if I could use nix tools via docker and use them as if they were installed on my own system and apptainer really nailed it. I read that nixery.dev had to do some shenanigans to prevent the 150 layer or something but I suppose SIF doesn't have to deal with it so I am actually excited a little too haha. Thanks a lot!!
Side Note: I think that there might be better ways to run nix apps like nix-appimage but I am just trying out things because why not. It's fun.