by shawnee_
2736 days ago
It doesn't, really. Since there are umpteen ways to do things in GNU/Linux, developers often end up with less-than-ideal implementations for what they are trying to do using a single user account. The single-user approach creates clashes between the network devs who want to build empires of containers they "own", and the stack-level bare metal purists who want the system to be as clean and secure as possible by isolating things where they should be isolated (to a single user instance for that purpose alone). This is not a new problem, nor a very well thought-out solution. Containers are always a less-than-ideal implementation for people running Linux natively. The ideal way to sandbox in Linux is to create a user account, download and test whatever code, see what breaks or infringes with its unique notion of "privileges", and delete the user when done. But because you can't switch users on the same kernel when you're not running Linux natively, we have containers and all the messes they create. https://developers.slashdot.org/story/12/12/29/018234/linus-...
So people thought that instead of fixing the apps it was easier to fix the kernel. But this resulted in a big complexity with namespaces, capabilities, cgroups etc.
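The throwaway-user workflow the comment describes (create an account, run the untrusted code as it, look at what it touched, delete the account), written out as an added POSIX sh example that is not part of the original thread. It assumes a Linux host with the usual shadow-utils, util-linux and coreutils commands (`useradd`, `userdel`, `getent`, `runuser`, `timeout`) and must be run as root to create and remove the account; the `sbx-` name prefix and the 60-second wall-clock limit are arbitrary choices made here.

```shell
#!/bin/sh
# Added example (not the commenter's own script): sandbox an untrusted program
# in a disposable user account, audit what it wrote, then delete the account.
# Assumes Linux with useradd/userdel/getent (shadow-utils), runuser (util-linux)
# and timeout (coreutils). Creating and deleting users requires root.
set -eu

# Generate a disposable account name from 4 random bytes (assumes /dev/urandom).
sandbox_user_name() {
    printf 'sbx-%s\n' "$(od -An -N4 -tx1 /dev/urandom | tr -d ' \n')"
}

# Account creation and deletion need root; fail early with a clear message otherwise.
sandbox_require_root() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "sandbox: must run as root to create/delete users" >&2
        return 1
    fi
}

# List every file owned by the sandbox user outside its home directory.
# Anything printed here is the program writing where it should not have
# (the "infringement" the comment talks about); an empty list is the good case.
sandbox_audit() {
    user=$1
    find / -xdev -user "$user" \
        -not -path "/home/$user" -not -path "/home/$user/*" 2>/dev/null || true
}

# Run one untrusted executable as a fresh user, audit, then remove the user.
# Usage: sandbox_run /path/to/program
sandbox_run() {
    sandbox_require_root
    user=$(sandbox_user_name)
    useradd -m -s /bin/sh "$user"
    home=$(getent passwd "$user" | cut -d: -f6)

    # Give the sandbox user its own private copy of the artifact.
    cp "$1" "$home/artifact"
    chown "$user:$user" "$home/artifact"
    chmod 700 "$home/artifact"

    # Run under a wall-clock limit as the throwaway user; record the exit
    # status instead of aborting, so the audit and cleanup always happen.
    status=0
    (cd "$home" && timeout 60 runuser -u "$user" -- ./artifact) || status=$?
    echo "sandbox: program exited with status $status"

    echo "sandbox: files owned by $user outside $home:"
    sandbox_audit "$user"

    # Delete the user and its home directory (-r), as the comment describes.
    userdel -r "$user"
    return "$status"
}

# Only act when invoked explicitly, e.g.:  sudo sh sandbox.sh --run ./suspicious-binary
if [ "${1:-}" = "--run" ] && [ -n "${2:-}" ]; then
    sandbox_run "$2"
fi
```

A plain user account only gives you discretionary-access isolation: the program can still read world-readable files, open network connections and see other processes, which is exactly the gap that namespaces, capabilities and cgroups were added to close. The audit step is the useful part for a defender, since files left outside the home directory are direct evidence of what the code tried to touch on the shared system.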