by ashishb 2 days ago
> 1. Docker (or any Linux container runtime, for that matter) is not intended for, designed for, or effective as a security boundary.

This has been discussed in detail earlier - https://news.ycombinator.com/item?id=47612726

Further, on macOS, you can use `--mode=native` for Mac's native sandboxing (seatbelt).

> 2. Root containers run as root on the host. The "sandboxed" processes have full capabilities, as far as the kernel is concerned with them.

That's not always the case. You can run rootless containers or you can use containerization like Podman which does not run as root.
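An added example, not part of the comment above: a small POSIX sh check that reads `/proc/self/uid_map` to tell whether UID 0 inside the current (container) process is the host's root (a rootful container) or an unprivileged host UID (rootless, as with Podman or rootless Docker). The sample maps are constructed; the function name is my own.

```shell
#!/bin/sh
# Classify a /proc/self/uid_map. Each line is "<inside> <outside> <count>":
# container UIDs [inside, inside+count) map to host UIDs starting at <outside>.
# Prints "rootful" if container UID 0 is host UID 0, "rootless" if it maps to
# some other host UID, and "unmapped" if UID 0 has no mapping at all.
uid_map_kind() {
    result=unmapped
    while read -r inside outside count; do
        [ -n "$inside" ] || continue          # skip blank lines
        # UID 0 lies in this range if inside <= 0 < inside + count
        if [ "$inside" -le 0 ] && [ $((inside + count)) -gt 0 ]; then
            # host UID for container UID 0 is outside + (0 - inside)
            if [ $((outside - inside)) -eq 0 ]; then
                result=rootful
            else
                result=rootless
            fi
            break
        fi
    done <<EOF
$1
EOF
    printf '%s\n' "$result"
}

# Constructed sample: what a default (rootful) Docker container sees.
ROOTFUL_MAP='         0          0 4294967295'

# Constructed sample: a rootless Podman container launched by host UID 1000
# with a /etc/subuid range of 100000-165535.
ROOTLESS_MAP='         0       1000          1
         1     100000      65536'

# Constructed sample: a user namespace where UID 0 is simply not mapped.
UNMAPPED_MAP='      1000       1000          1'

# Usage inside a container (also works on a plain Linux host, where the
# init namespace reports "rootful" because no remapping is in place).
if [ -r /proc/self/uid_map ]; then
    echo "this process: $(uid_map_kind "$(cat /proc/self/uid_map)")"
fi
```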