Containers

How do containers achieve isolation from the rest of the system?

Difficulty: unrated

Source: bregman-arie/devops-exercises by Arie Bregman

Answer

Through the use of namespaces and cgroups: namespaces control what a process can see (its own set of PIDs, mount points, network stack and so on), while control groups (cgroups) limit how much CPU, memory, block I/O and how many PIDs it can consume. The Linux kernel has several types of namespaces:

  • Process ID namespaces: an independent set of process IDs; the first process in the namespace is PID 1 there, and processes outside the namespace are invisible to it
  • Mount namespaces: isolation and control of mount points, so the container sees its own root filesystem
  • Network namespaces: isolate system networking resources such as interfaces, routing tables, the ARP table, firewall rules and sockets
  • UTS namespaces: isolate the hostname and NIS domain name
  • IPC namespaces: isolate interprocess communication objects (System V IPC and POSIX message queues)
  • User namespaces: isolate user and group IDs, so uid 0 inside a container can map to an unprivileged uid on the host
  • Cgroup namespaces: virtualise the process's view of the cgroup hierarchy
  • Time namespaces: isolate the system clocks (per-namespace offsets for CLOCK_MONOTONIC and CLOCK_BOOTTIME, not the wall clock)

All containers on a host still share its kernel, so a kernel vulnerability or a misconfiguration (a privileged container, a missing user namespace) is what breaks this isolation; runtimes therefore add seccomp filters, capability dropping and LSM profiles on top of namespaces and cgroups.
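As an added example (not part of the devops-exercises repo), the script below shows the namespace and cgroup mechanisms from the answer on a live Linux system: it compares namespace identifiers in `/proc/self/ns`, changes the hostname inside a fresh UTS namespace and checks that the host is unaffected, shows that uid 0 inside a user namespace maps to the caller's real uid, and reads the cgroup v2 memory limit that applies to the calling process. It assumes Linux with `/proc` mounted, the util-linux `unshare` tool and a `hostname` command; where unprivileged user namespaces are disabled (for example under the default Docker seccomp profile) the namespace demos report `unsupported` instead of failing.

```shell
#!/bin/sh
# Added example, not code from bregman-arie/devops-exercises. Assumes Linux,
# util-linux `unshare` (a thin wrapper around the CLONE_NEW* flags of
# unshare(2)/clone(2) that container runtimes use) and a `hostname` binary.

# Print the identifier of one of the calling process's namespaces, e.g.
# "uts:[4026531838]". Two processes share a namespace iff the inode numbers
# match; this is how `lsns` groups processes.
ns_id() {
    readlink "/proc/self/ns/$1" 2>/dev/null
}

# Run a shell snippet inside fresh user + UTS namespaces. --map-root-user
# maps the caller's uid to 0 inside the new user namespace, which is what
# allows an unprivileged user to create the other namespace types.
in_new_ns() {
    unshare --user --map-root-user --uts sh -c "$1" 2>/dev/null
}

# UTS namespace: changing the hostname inside must not touch the host.
# Prints "isolated" when the inner hostname differs, the outer one is
# unchanged and the namespace ids differ; "leaked" otherwise; or
# "unsupported" when the kernel/sandbox refuses to create the namespaces
# (or `hostname` is missing).
demo_uts() {
    outer_host=$(uname -n)
    outer_ns=$(ns_id uts)
    inner=$(in_new_ns 'hostname sandboxed-host && printf "%s %s" "$(uname -n)" "$(readlink /proc/self/ns/uts)"') \
        || { echo unsupported; return 0; }
    inner_host=${inner% *}
    inner_ns=${inner#* }
    if [ "$inner_host" = sandboxed-host ] && [ "$(uname -n)" = "$outer_host" ] && [ "$inner_ns" != "$outer_ns" ]; then
        echo isolated
    else
        echo leaked
    fi
}

# User namespace: uid 0 inside is not root on the host. /proc/self/uid_map
# read from inside shows "<inside-id> <parent-id> <count>", so the second
# field is the real uid the container "root" maps to. Prints "0-><real uid>"
# or "unsupported".
demo_userns() {
    mapped=$(in_new_ns 'printf "%s->%s" "$(id -u)" "$(awk "NR==1{print \$2}" /proc/self/uid_map)"') \
        || { echo unsupported; return 0; }
    echo "$mapped"
}

# cgroups are the other half: namespaces hide, cgroups limit. Resolve the
# caller's cgroup v2 path from /proc/self/cgroup ("0::/path") and read the
# memory.max that applies to it ("max" = no limit). Prints "unknown" when
# the process sits in the root cgroup (no memory.max there) or cgroup v2
# is not mounted.
cgroup_memory_limit() {
    path=$(sed -n 's/^0::\(.*\)$/\1/p' /proc/self/cgroup 2>/dev/null || true)
    f="/sys/fs/cgroup${path}/memory.max"
    if [ -n "$path" ] && [ -r "$f" ]; then
        cat "$f"
    else
        echo unknown
    fi
}

printf 'own uts namespace: %s\n' "$(ns_id uts)"
printf 'own pid namespace: %s\n' "$(ns_id pid)"
printf 'UTS isolation:     %s\n' "$(demo_uts)"
printf 'uid 0 maps to:     %s\n' "$(demo_userns)"
printf 'memory limit:      %s\n' "$(cgroup_memory_limit)"
```

Run it once on the host and once inside a container: the namespace identifiers differ between the two, `uid 0 maps to` shows the unprivileged host uid behind container "root", and `memory limit` shows the cgroup ceiling the runtime applied. If `demo_uts` prints `unsupported` inside a container, that is itself a security control in action: the runtime's seccomp profile denies `unshare(2)` to keep workloads from nesting namespaces.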