by easygenes 1704 days ago
As mentioned to open, containers within VMs are a security standard for cloud-native when security is critical.

x11docker is just a (very convenient) security layer for containers which need to expose graphics (and possibly webcam, audio, networking, clipboard, printers...). Kata Containers are just "micro VMs" where you spin up a separate kernel to drop the container into.

Bubblewrap is okay if you trust your kernel, but locking the app away in its own VM with its own kernel gives another layer to bust through.

1 comments

> x11docker is just a (very convenient) security layer for containers which need to expose graphics (and possibly webcam, audio, networking, clipboard, printers...). Kata Containers are just "micro VMs" where you spin up a separate kernel to drop the container into.

Yeah, that's what I meant: you can just use KVM and your GUI/audio/etc. stuff directly instead of having all the unnecessary complexity and dependency those layers bring along.

> Bubblewrap is okay if you trust your kernel

That's why I proposed it for when you don't need virtualisation. You can of course also use it in a VM to further restrict processes.

x11docker is really just a ~10K lines bash script. You'd just be reinventing or copying parts of it.

Kata or crosvm are kind of the only games in town as far as "micro VMs" go.