[AlphaSite]

Hey, there are plenty of solutions which combine the best of both worlds; for example https://www.vmware.com/products/vsphere/integrated-container...

[icebraining]

How is that the best? You're still running a full kernel for each container, rather than sharing it.

[gaius]

But, so what? VMWare under the hood is sharing common pages between VMs, and a kernel that isn't doing anything isn't consuming any CPU, so why not?

[icebraining]

Nope, common pages are no longer shared between VMs, because it was demonstrated that was a bad idea, security-wise:

upcoming ESXi Update releases will no longer enable TPS between Virtual Machines by default

https://kb.vmware.com/selfservice/microsites/search.do?langu...

[AstralStorm]

Guess what, if it is a bad idea for a VM, it must be exponentially worse for something less isolated.

[icebraining]

Yes. Thankfully, the point is that using the regular container model you don't need memory page sharing, because there's only one kernel anyway, not a copy per each container.

[AstralStorm]

Page cache and disk cache are quite shared between containers...

[j_s]

Administrators may revert to the previous behavior if they so wish.

Sounds like a sane change to the defaults, but anyone who isn't securing against 3rd party code can turn it back on (to return to much more Docker-like security/performance).