by SunlitCat 699 days ago
VMs are awesome for what they can offer. Docker (and the like) are kinda a lean VM for a specific tool scenario.

What I would like to see would be more app virtualization software which isolates the app from the underlying OS enough to provide a safe enough cage for the app.

I know there are some commercial offerings out there (and a free one), but maybe someone who has some opinions about them or knows some additional ones can chime in?


That’s what containers attempt to do. But it’s not perfect. Adding a layer like gVisor helps, but again the app is still interacting with the host kernel, so kernel exploits are still possible. What additional sandboxing are you thinking of?
Maybe I am a bit naive, but in my mind it's just simple software running between the OS and the tool in question, which runs said tool in some kind of virtualization, passing all requests on to the OS after a check of what they might want to do.

I know that's what said tools are offering, but installing (and running) Docker on Windows feels like loading up a whole other OS inside the OS, so that even VM software looks lean compared to that!

But I admit that I have no real experience with Docker and the like.
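The "check every request before passing it to the OS" layer described in the reply above exists on Linux as seccomp-BPF. This added example (not from the thread or any product it mentions) builds a syscall allowlist and installs it on the calling process; the allowlist itself is an illustrative assumption, not a policy sized for a real application, and the target ABI is assumed to be x86_64. It also shows the limit the first comment points out: the allowed calls still go straight to the host kernel.

```c
#include <stddef.h>
#include <stdio.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>
#define ARCH_NR AUDIT_ARCH_X86_64  /* assumed target ABI; use AUDIT_ARCH_AARCH64 on arm64 */
/* Illustrative allowlist (assumed, not sized for a real app); anything else kills the process. */
static const int allowed[] = { SYS_read, SYS_write, SYS_brk, SYS_exit, SYS_exit_group };
#define N_ALLOWED ((int)(sizeof allowed / sizeof allowed[0]))
static struct sock_filter insns[32];
/* The policy the BPF program below encodes, as plain C: 1 = allow, 0 = kill. */
int policy_allows(int nr) {
    for (int i = 0; i < N_ALLOWED; i++)
        if (allowed[i] == nr) return 1;
    return 0;
}
/* Emit the filter into prog (capacity cap); returns the instruction count or -1. */
int build_filter(struct sock_filter *prog, int cap) {
    int n = 0;
    if (cap < N_ALLOWED + 6) return -1;
    /* Check the ABI first: syscall numbers differ per architecture. */
    prog[n++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch));
    prog[n++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, ARCH_NR, 1, 0);
    prog[n++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL);
    prog[n++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr));
    /* One JEQ per allowed number; a match jumps past the kill to the allow. */
    for (int i = 0; i < N_ALLOWED; i++)
        prog[n++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (unsigned)allowed[i], N_ALLOWED - i, 0);
    prog[n++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL);
    prog[n++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    return n;
}
/* Install the filter on the calling process; returns 0 on success. */
int install_filter(void) {
    int n = build_filter(insns, 32);
    if (n < 0) return -1;
    struct sock_fprog fprog = { .len = (unsigned short)n, .filter = insns };
    /* NO_NEW_PRIVS is required for an unprivileged process to install a filter. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog);
}
int main(void) {
    if (install_filter()) { perror("seccomp"); return 1; }
    write(1, "write is allowed\n", 17);
    getpid();  /* not on the list: the kernel kills the process at this call */
    return 0;
}
```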

HP business PCs ship with SureClick based on OSS uXen, https://news.ycombinator.com/item?id=41071884
Thank you for sharing, didn't know that one!
It's from the original Xen team. Subsequently cloned by MS as MDAG (Defender Application Guard).
Cool! I know MDAG and actually it's a pretty neat concept, kinda.