On 05.10.2021 at 16:58, Daniel Walsh wrote:
> Perhaps lxcd is using some kind of seccomp filtering kernel. Podman
> theoretically supports gVisor as an OCI runtime, which intercepts all
> syscalls of the container. You could also use the Kata OCI runtime to do the
> syscalls within a qemu KVM process. libkrun provides similar
> functionality.
I've played around with "ignite", which uses Firecracker. But because of
an update of the shim API (?), it became incompatible with Podman.
Thanks for `libkrun`, I'll give it a try.
Back to the topic: I understood his comment to mean that he regarded
LX[C,D] having direct access to the kernel as a benefit, while Podman
and others have a "transition layer". I think the original author
misunderstood something there, since this seems to be wrong. He's also
on IRC in the channel ##proxmox. Maybe we can clarify this.