Comment on What's the deal with Docker?
aksdb@lemmy.world 10 months ago
Tbf, systemd also makes it relatively easy to sandbox processes. But it’s opt-in, while for containers it’s opt-out.
loudwhisper@infosec.pub 10 months ago
Yeah, and it also requires quite many options, some with harder-to-predict outcomes. For example, RootDirectory can be used to effectively chroot the process, but that carries implications such as the application not having access to CA certificates anymore, which in general in containers is a solved problem.
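
The RootDirectory trade-off discussed above, as an added example that is not part of the thread: a systemd unit that confines a service to its own root and binds the host trust store back in read-only. The unit name, the binary and the `/srv/example-app/root` path are hypothetical, and the certificate paths assume a Debian/Ubuntu layout.

```ini
# /etc/systemd/system/example-app.service  (hypothetical unit, constructed for illustration)
[Unit]
Description=Example service confined with RootDirectory

[Service]
# Resolved inside the new root, so the binary and its libraries must exist under it.
ExecStart=/usr/local/bin/example-app

# chroot-like confinement: the process sees this directory as "/".
RootDirectory=/srv/example-app/root

# The new root has no trust store, so TLS verification fails unless the
# host's CA certificates are bound in. Paths are distro-dependent (assumption).
BindReadOnlyPaths=/etc/ssl/certs
BindReadOnlyPaths=/usr/share/ca-certificates

# Name resolution files are missing from the new root for the same reason.
BindReadOnlyPaths=/etc/resolv.conf /etc/hosts /etc/nsswitch.conf

# Further opt-in sandboxing; each line has to be added and tested explicitly.
NoNewPrivileges=yes
PrivateTmp=yes
PrivateDevices=yes
ProtectHome=yes
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectControlGroups=yes
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX

[Install]
WantedBy=multi-user.target
```

`systemd-analyze security example-app.service` lists which sandboxing options a unit still leaves unset.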