by ian-lewis
2597 days ago
Rather than the contain/don't-contain dichotomy, what's more important is gVisor's design principle that it always has 2 layers of isolation from the host and doesn't rely on any one bug in the Linux kernel, sentry, or elsewhere in order to break out of the sandbox. This leaves you less exposed to 0-day attacks and lags in patching kernels. You can't get that from normal Linux containers due to their fundamental design.