It's a lot more now. eBPF expanded it into something scarier and added use cases like profiling rules.
The problem is that they exposed it rather than virtualizing it. The latter should be possible w/seccomp
-
-
An example is that containers have access to all of netfilter for setting up their own firewall rules.
-
Totally understand what you mean. I'm saying their access should be only to a virtual netfilter...
-
...running in userspace as the uid that created the container with no special access to real kernel.
-
Virtual machines would end up being faster. Really hoping that https://lwn.net/Articles/644675/ … is a success.
-
I don't think so, and they seriously require kernel-level facilities (MMU virtualization).