by giantrobot 1948 days ago
We should call this newly invented and wholly original concept a "container". The software gets "contained". It just might work. /s
2 comments

You mean cgroups, or zones, don't you? Docker was (last time I heard) a security disaster: not generating robust layer hashes, lacking user isolation, and plenty just running as root...
There's more to containers on Linux than just Docker.
To be fair you need to go to the hypervisor level (like Firecracker) to get any decent level of sandboxing.
For security by isolation, you don't even need containers. Just run each application as its own user.

This is already done by most (all?) daemons packaged in Debian that don't need to be root.
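The "run each application as its own user" approach discussed above, as an added example that is not from any commenter in this thread: a launcher-side privilege drop written so that it is testable without root (the real `os.setgroups`/`os.setgid`/`os.setuid` calls are injectable; the service account name is a hypothetical placeholder). The point it makes is the ordering: groups must be set while still root, and a drop to uid 0 is refused.

```python
import os
import pwd


def resolve_service_account(name, getpwnam=pwd.getpwnam):
    """Look up the dedicated, unprivileged account a daemon should run as.

    `getpwnam` is injectable so the lookup can be faked offline; by
    default it is the real passwd database lookup.
    """
    entry = getpwnam(name)
    if entry.pw_uid == 0:
        # A misconfigured account that resolves to root defeats the purpose.
        raise ValueError("service account %r resolves to uid 0" % name)
    return entry.pw_uid, entry.pw_gid


def drop_privileges(uid, gid, *, setgroups=os.setgroups, setgid=os.setgid,
                    setuid=os.setuid, getuid=os.getuid):
    """Irreversibly switch the current process to uid/gid.

    Order matters: supplementary groups and the primary gid are changed
    first, while the process is still root, because after setuid() to an
    unprivileged user succeeds it can no longer change its group ids.
    Returns the (uid, gid) pair the process now runs as.
    """
    if uid == 0:
        raise ValueError("refusing to 'drop' privileges to uid 0")
    setgroups([])   # clear inherited supplementary groups (e.g. sudo, adm)
    setgid(gid)
    setuid(uid)
    if getuid() != uid:
        raise RuntimeError("privilege drop failed")
    return uid, gid


if __name__ == "__main__":
    # Hypothetical account name; would exist only if created for the daemon.
    uid, gid = resolve_service_account("exampled")
    print("would run as", drop_privileges(uid, gid))
```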