Cgroups matter for stability, but they are not a security boundary: they bound resource consumption (CPU, memory, I/O, PIDs) and so mitigate denial-of-service, not escape. A process constrained by cgroups still issues system calls to the same host kernel, with the same attack surface, as an unconstrained one.
In practice, this means that if someone discovers a bug in the Linux kernel's I/O implementation, containers running under Docker's default runtime (runc) are directly exposed, because their syscalls are executed by the host kernel. A gVisor sandbox is far less exposed: the application's syscalls are intercepted and serviced by the Sentry, gVisor's user-space kernel, which in turn reaches the host kernel only through a small, seccomp-restricted set of syscalls. The exposure is reduced rather than eliminated; the Sentry (and the Gofer process that performs file access on its behalf) still depends on the host kernel for the calls it does make.
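The difference described above is easy to confirm empirically: inside a runc container, `dmesg` shows the host kernel's boot log, whereas inside a gVisor container it shows the Sentry's own emulated log, which begins with "Starting gVisor...". The script below is an added example, not code from the original article or from the gVisor project. It assumes a Linux host with Docker installed and `runsc` registered as a Docker runtime (`sudo runsc install` does that), and it uses the `alpine` image purely as a convenient shell; both are assumptions. The sample log lines in the test are constructed.

```shell
#!/bin/sh
# Added example (not from the original article). Assumes Docker plus a
# registered runsc runtime; the alpine image is an arbitrary choice.
set -eu

# Return 0 if the given dmesg text was produced by gVisor's Sentry rather
# than by the host Linux kernel. The Sentry's emulated syslog always opens
# with "Starting gVisor...".
is_gvisor_dmesg() {
  printf '%s\n' "$1" | grep -q 'Starting gVisor'
}

# Start a one-shot container under the named runtime and print its dmesg.
# Fails (non-zero) if the container cannot be started at all.
container_dmesg() {
  docker run --rm --runtime="$1" alpine dmesg 2>/dev/null
}

# Run both runtimes and report which kernel actually services the
# container's system calls.
main() {
  for rt in runc runsc; do
    if ! out=$(container_dmesg "$rt"); then
      echo "$rt: could not start container (runtime missing or docker not running)"
      continue
    fi
    if is_gvisor_dmesg "$out"; then
      echo "$rt: syscalls are served by the gVisor Sentry"
    else
      echo "$rt: syscalls go straight to the host kernel"
    fi
  done
}

# Only run the live check when both docker and runsc are present, so the
# helper functions can be sourced and exercised without a container host.
if command -v docker >/dev/null 2>&1 && command -v runsc >/dev/null 2>&1; then
  main
fi
```

On a host where runsc is installed, the runc line reports the host kernel and the runsc line reports the Sentry; a kernel bug reachable through the I/O syscalls therefore touches the former directly and the latter only through whatever the Sentry itself forwards.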