by cheph 2088 days ago
To me most Ubuntu things like LXD, Mir, snap feel like they were made by someone who did not understand the existing solutions and could not be bothered to understand them. There may be some points where LXD is "better" (they keep bringing up uid/gid mapping) but it really does not provide the same functionality as OCI containers and does not enable the same workflows as OCI containers.

LXD is not an alternative to Docker or K8S, it is something different which offers different features.

And if we are just talking docker, and not k8s, then all the security you can ever want can be found in podman which by default operates rootless and daemonless and works on stock standard OCI containers.

If we are talking k8s there are already runtimes which support rootless operation like cri-o, and there are k8s distros that support rootless operation https://github.com/rootless-containers/usernetes - these may not be as widely used as they should be and work is ongoing, but you will soon see more of them I think.


LXC existed before Docker and indeed, as I said, Docker initially built on top of LXC. So LXD is not an afterthought as you tried to put it; it came way before Docker and k8s. Docker and k8s became popular given the marketing money put on them.

Also rootless containers have been a feature of LXC since 1.0 in 2013-14, which could not be incorporated in Docker as they tried to reinvent the wheel by writing their own libcontainer, which eventually resulted in many vulnerabilities which impacted even k8s in 2019.

Still today, unless one uses a managed version of k8s or a managed service by a major cloud provider, the infrastructure will be insecure with k8s, given that most Docker images are still not tested as rootless containers. Also for a small team it's pretty hard to have a secure self-hosted k8s infrastructure given the sheer complexity and moving parts.
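Both comments lean on uid/gid mapping as the thing that makes a container "rootless", without showing what it does. The following is an added example, not code from either commenter or from LXD/podman: it parses the kernel's `/proc/<pid>/uid_map` format and translates in-container uids to host uids, so a defender can see why container root in a remapped namespace is an unprivileged uid on the host. The three map contents are constructed samples in the shapes a privileged container, an LXD-style remap and a rootless podman run typically produce.

```python
# Added example: how user-namespace uid mapping (the mechanism behind
# "rootless" containers) translates ids. The uid_map samples below are
# constructed for illustration, not captured from a real host.

def parse_uid_map(text):
    """Parse /proc/<pid>/uid_map lines: '<inside> <outside> <count>' per line."""
    entries = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) != 3:
            raise ValueError(f"malformed uid_map line: {line!r}")
        inside, outside, count = (int(p) for p in parts)
        entries.append((inside, outside, count))
    return entries

def to_host_uid(entries, container_uid):
    """Host uid for a uid seen inside the namespace, or None if it is unmapped."""
    for inside, outside, count in entries:
        if inside <= container_uid < inside + count:
            return outside + (container_uid - inside)
    return None

def describe_container_root(entries):
    """Say what 'root' inside the container actually is on the host."""
    host_uid = to_host_uid(entries, 0)
    if host_uid is None:
        return "container uid 0 is unmapped (appears as nobody on the host)"
    if host_uid == 0:
        return "container root IS host root (no privilege reduction from the map)"
    return f"container root is host uid {host_uid} (unprivileged on the host)"

# Constructed sample maps:
ROOTFUL_MAP = "0 0 4294967295\n"               # initial namespace / privileged run
LXD_STYLE_MAP = "0 100000 65536\n"             # whole container shifted by 100000
ROOTLESS_PODMAN_MAP = "0 1000 1\n1 100000 65536\n"  # uid 0 -> the user, rest -> subuid range

if __name__ == "__main__":
    for name, raw in [("rootful", ROOTFUL_MAP), ("lxd-style", LXD_STYLE_MAP),
                      ("rootless-podman", ROOTLESS_PODMAN_MAP)]:
        entries = parse_uid_map(raw)
        print(f"{name}: {describe_container_root(entries)}; "
              f"in-container uid 1 -> host {to_host_uid(entries, 1)}")
```

On a live Linux box the same parser can be pointed at `/proc/self/uid_map` from inside a container (for example via `podman unshare`) to confirm which of these shapes a runtime actually produced.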