by dwattttt 48 days ago
I'm no expert, but the kernel is shared between all containers and the host.

I don't believe the kernel maintains separate page caches for each container; a malicious CI job could corrupt a binary from any container, or the host.


Only if there is a shared inode between host and container.
Which is almost guaranteed if you're launching multiple containers with the same base image or shared layers.
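The shared-inode condition in the reply above can be checked directly: two paths share a page cache only if they resolve to the same device and inode number. The script below is an added example and not code from the thread. It assumes `stat` is the GNU or BSD variant, and the container helper assumes Docker with the overlay2 driver, where `docker inspect` exposes the `UpperDir` and `LowerDir` paths that overlayfs reads through.

```shell
#!/bin/sh
# Added example, not from the Hacker News thread.
# Decide whether two paths are the same inode, i.e. whether reads of either
# are served from the same page cache. Inode numbers from inside a container
# are overlayfs numbers, so the comparison must be done from the host on the
# underlying layer files.

# Print "device:inode" for a path. Tries GNU stat first, then BSD stat.
file_id() {
    stat -c '%d:%i' "$1" 2>/dev/null || stat -f '%d:%i' "$1"
}

# Exit 0 if both paths are the same inode on the same filesystem,
# 1 if they differ, 2 if either path cannot be stat'ed.
same_inode() {
    a=$(file_id "$1") || return 2
    b=$(file_id "$2") || return 2
    [ "$a" = "$b" ]
}

# Assumed Docker overlay2 layout: resolve a path inside a container to the
# layer file overlayfs actually serves. Lookup order is the container's upper
# (writable) dir first, then each lower dir from left to right, so a file the
# container has modified (copied up) is correctly reported as a private inode.
container_file() {
    ctr=$1
    rel=${2#/}
    upper=$(docker inspect -f '{{.GraphDriver.Data.UpperDir}}' "$ctr") || return 2
    lower=$(docker inspect -f '{{.GraphDriver.Data.LowerDir}}' "$ctr") || return 2
    for dir in "$upper" $(printf '%s' "$lower" | tr ':' ' '); do
        if [ -e "$dir/$rel" ]; then
            printf '%s\n' "$dir/$rel"
            return 0
        fi
    done
    return 1
}

# Usage: ./same_inode.sh PATH_A PATH_B
#   e.g. ./same_inode.sh "$(container_file ci1 /bin/sh)" "$(container_file ci2 /bin/sh)"
if [ "$#" -eq 2 ]; then
    if same_inode "$1" "$2"; then
        echo "same inode: $1 and $2 share one page cache"
    else
        echo "different inodes: $1 and $2 have separate page caches"
    fi
fi
```

Two containers started from the same image with no copy-up of the file will report the same inode for `/bin/sh`; a container that has rewritten the file gets its own inode in its upper dir. A host binary and a container binary share an inode only when the host path is bind-mounted into the container, which is the case the thread's "or the host" refers to rather than the default image layout.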