Hacker News

eluded7, today at 5:45 PM, 2 replies

Personally I would probably always reach for a docker container if I want a sandboxed command that can run identically anywhere.

I appreciate that alternate sandboxing tools can reduce some of the heavier parts of docker though (i.e. building or downloading the correct image)

How would you compare this tool to, say, bubblewrap (https://github.com/containers/)?


Replies

hrmtst93837, today at 8:35 PM

Docker shares the host kernel, so a container escape lands on your box, and bubblewrap stays lighter but it leaks edges if you leave seccomp or fs mounts loose.

Zerobox reads like a tool for per-command guardrails instead of image management. That trade looks saner for local runs, though it's new enough that I'd expect a few escapes before the rough edges are gone.
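
The "loose fs mounts" point above is easy to see in the bubblewrap argument list itself. The script below is an added example, not code from this thread, from bubblewrap or from Zerobox: it builds a loose profile (host root bind-mounted read-write, host network shared) next to a tightened baseline (`--unshare-all`, read-only `/usr`, private `/tmp`, all capabilities dropped, `--die-with-parent`, `--new-session`) and audits an argument string for the flags a reviewer would look for first. The hardened flag set is a generic assumption, not any project's actual profile; the `--symlink` lines assume a merged-`/usr` distribution; `bwrap` only needs to be installed for the optional live run at the end.

```shell
#!/bin/sh
# Added example: loose vs. tightened bubblewrap profiles, plus a small audit.
# Arguments are emitted as one space-separated line (paths here contain no
# spaces), so they can be word-split straight into a bwrap command line.

# Loose profile (constructed for illustration): the whole host filesystem is
# bind-mounted read-write and the host network is shared. Any escape from the
# command's own logic is an escape to the host.
loose_bwrap_args() {
    printf '%s ' \
        '--bind / /' \
        '--share-net' \
        '--dev /dev' \
        '--proc /proc'
}

# Tightened baseline (assumed, not a project profile): new namespaces for
# everything, read-only /usr, an empty private /tmp, minimal /dev and /proc,
# no capabilities, and the sandbox dies with its parent and cannot inject
# input into the controlling terminal (--new-session).
tight_bwrap_args() {
    printf '%s ' \
        '--unshare-all' \
        '--ro-bind /usr /usr' \
        '--symlink usr/bin /bin' \
        '--symlink usr/lib /lib' \
        '--symlink usr/lib64 /lib64' \
        '--tmpfs /tmp' \
        '--proc /proc' \
        '--dev /dev' \
        '--chdir /tmp' \
        '--cap-drop ALL' \
        '--die-with-parent' \
        '--new-session'
}

# Reads an argument line on stdin, prints "hardened" or "weak:<findings>",
# and returns 0 only when every expected flag is present and no known-loose
# setting (read-write root bind, shared host network) is found.
audit_bwrap_args() {
    args=$(cat)
    missing=""
    for flag in --unshare-all '--cap-drop ALL' --die-with-parent --new-session; do
        case " $args " in
            *" $flag "*) ;;
            *) missing="$missing $flag" ;;
        esac
    done
    case " $args " in
        *" --bind / "*) missing="$missing rw-root-bind" ;;
    esac
    case " $args " in
        *" --share-net "*) missing="$missing share-net" ;;
    esac
    if [ -z "$missing" ]; then
        echo hardened
        return 0
    fi
    echo "weak:$missing"
    return 1
}

# Optional live run under the tightened profile; skipped when bwrap is absent.
run_sandboxed() {
    command -v bwrap >/dev/null 2>&1 || {
        echo "bwrap not installed; skipping live run" >&2
        return 0
    }
    # shellcheck disable=SC2046  (intentional word-splitting of the profile)
    bwrap $(tight_bwrap_args) "$@"
}

# Demo: audit both profiles, then try a harmless command in the tight one.
echo "loose: $(loose_bwrap_args | audit_bwrap_args)"
echo "tight: $(tight_bwrap_args | audit_bwrap_args)"
run_sandboxed /bin/sh -c 'echo "inside sandbox: $(id -u)"'
```

The audit is deliberately a flag-level check: it catches the two mistakes the comment names (read-write host mounts, shared network) and the absence of the usual hardening flags, but it cannot see what a `--seccomp FD` filter actually blocks, since bwrap takes that as a compiled BPF program on a file descriptor. Reviewing the seccomp policy itself is a separate step.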

ebb_earl_co, today at 5:50 PM

The text says that it uses OS-level tools, specifically bubblewrap on Linux.
