|
|
|
|
|
|
by i4k
3730 days ago
|
|
|
I really liked the architecture, but I don't think container is a good name for the kind of isolation it has. For the machinery work as expected, the namespaced application must follow the Oz-rules/policies. Container nowadays are complete environments, everyone with different rootfs and so, very different of the kind of container required in subgraph. It can lead to misinterpretation, because I cannot reuse existent distros/rootfs and package managers to run other applications in subgraph. As I've understood, subgraph only bind-mount the common directories from host to the namespace mount point of process on top of a tmpfs. Hard to reuse an ubuntu app. How persistent data will be managed isn't detailed in the document. Seccomp-bfp is a good enhancement. It can really fix the well know security issue of docker when using volumes with write permissions. Still wondering what's the plan for persistent data. If someone has more info, please share :) |
|
|