oss-sec mailing list archives

Re: Article: State of Sandboxing in Linux


From: Evan Carroll <me () evancarroll com>
Date: Mon, 25 Nov 2024 11:04:17 -0600


> You might want "sydbox", though I wouldn't know.


Historically, there were 10,000 different ways to sandbox things. From
chroots, to firejails. I however don't understand why anyone would
entertain any of these pre-containerization methods today. That's why I'm
questioning what's the purpose of comparing different sandboxing methods in
isolation of the current status quo -- containerization. Why would anyone
want sydbox (whatever it is) over rootless podman?

> By the way, you mention "when would I want [...] over kernel
> user-namespaces", which I think is a complete and utter misunderstanding
> of the problem domain.
>
> sydbox documents that one of the technologies it uses in its source code
> is user namespaces. Generally, "user namespaces" isn't a program you
> use, it's a technique you can make use of in the source code of another
> program entirely... such as sydbox or at a high level, podman.


Right! And if it's not providing anything except user namespaces, and
cgroups, and secgroups, it's just another containerization tool. So why
introduce a term that has fallen entirely into disuse like "sandbox" that
includes technologies that predate containers. As far as I can see, that's
adding complexity and explaining nothing. And, why not compare these tools
against the 600 lb gorilla in containerization: rootless podman.

> From looking through the sydbox homepage, and very quickly checking for
> keywords such as "podman", I got pointed to this link:
>
> https://man.exherbolinux.org/syd-oci.1.html
>
> It suggests that the relevance of this software to podman is that you
> can use "sydbox" as an OCI runtime for podman, to replace "crun" or
> "runc", via:
>
> podman run --runtime=syd-oci


So now we're getting at it: syd isn't a "sandboxing" thing at all. It's a
container runtime. And now the 100 million dollar question is very simple,
how does this container runtime compare with youki, which is also in rust
and it clearly says it's based on, from your link "It is largely based on
youki": Youki has 113 contributors. Sydbox seems to be a one man show
https://gitlab.exherbo.org/sydbox/sydbox/-/commits/main/?ref_type=HEADS

Not that this is reason enough not to take it seriously. But the blog entry
we need doesn't compare it to esoteric tech in Gentoo (which no one uses).
It's a comparison between it and Youki that explains how each of the points
under "capabilities" is different from Youki which doesn't use a
"unikernel" and claims many of the same capabilities (because as you said,
they're all using user-namespaces, cgroups, and secgroups under the hood).

--
Evan Carroll - me () evancarroll com
System Lord of the Internets
web: http://www.evancarroll.com
ph: 281.901.0011 <+1-281-901-0011>