by cpburns2009 5 days ago
I think process namespaces are what both Docker and Podman use along with cgroups for isolation. It should provide meaningful containment, and I was originally pursuing using rootless Podman. But after hearing about the Copy Fail and recent container escape vulnerabilities, I'm concerned that is not enough. That's why I've opted for VM-level isolation, but at a more convenient level using KVM than full-fledged VMware VMs. I admit I'm not an expert in this space, so maybe I'm overly cautious.