On Mon, Oct 04, 2021 at 05:09:33PM +0200, Tobias Wendorff wrote:
> I just had a talk with some LXC nerds.
>
> Their opinion is that unprivileged LXC is more secure than Docker and
> similar solutions. These would translate the syscalls to userspace, to not
> have a direct interface to the kernel. In LXC, the syscalls themselves would
> have built-in namespace awareness in the kernel itself, but without a
> translation layer.
>
> How does this statement relate to the security of a container running in
> rootless Podman in a normal user? Could the "translation layer" introduce
> trouble?
I am really confused about the translation layer you are mentioning I
have not heard of it before.
Maybe seccomp with BPF filtering is meant.
There's the userspace notification mechanism which does something like this.
I just had a short chat with the core LXC maintainer and he also says
this email is mainly confusing. It seems like your source of information
is not reliable of confusing certain concepts. Can you maybe be a bit
more specific what you are looking for?
Adrian
_______________________________________________
Podman mailing list -- podman@lists.podman.io
To unsubscribe send an email to podman-leave@lists.podman.io