It's all hard work. The primitives of containerization are in the kernel, but executing and managing them, especially securely, takes a fair amount of trial and error to do it right.
Why is so hard to read an article from someone that is developing containers?
Quote: "Again, containers were not a top level design, they are something we build from Linux primitives. Zones, Jails, and VMs are designed as top level isolation."
Docker adds packaging and distribution, but the hard work is in kernel.