cgroups isolation #87
Replies: 6 comments 11 replies
-
Sorry for the haiku style of writing, I'm just trying to say there is a niche with no tool. There are containerd/podman/docker/foobarbaz which copy files - slow. But process compose can make a step closer to these (maybe using systemd/launchd/Windows, whatever, or build your own docker in 200 bash lines - see Hacker News about it). Really, I have never seen such a product ever.
-
I will donate 100 USD in crypto to port cgroups support.
-
What do you intend to isolate with cgroups? Cgroups are for resource management (CPU, RAM, etc.). For network and disk isolation you need to use namespaces. BTW, for network and file system isolation have a look at https://github.com/nixpak/nixpak; maybe you could use it together with pc and https://github.com/Platonic-Systems/process-compose-flake
-
https://iximiuz.com/en/posts/you-dont-need-an-image-to-run-a-container/ so in theory pc can just run bundles on Linux :) I am not sure if Windows or Mac can do it.
-
https://github.com/phylum-dev/birdcage seems the closest thing possible. In the YAML of PC add additional metadata, so that some kind of wrapper reads it and, instead of running the exe directly, wraps them into a Mac/Linux sandbox and generates a new YAML. So making this part of PC is just simpler.
-
So, with Docker we have decent isolation, but need to copy everything - slow.
With Nix, it has cgroups, it has partial isolation - but it shares binaries - they are hashed - so no binary deps hell.
With process compose, I am hacking so that 2 processes share files without it even being visible in the YAML.
Also I cannot split the networks of 2 processes.
If I start thinking about exporting a compose file from process compose, cgroups/chroot for some files and some cgroup for ports makes sense.
Really, on Linux (btw, Windows and Mac have sandboxing without the container copy-everything too) process compose can be made better than Docker and Docker Compose,
because it may isolate writes, some reads and port listens, but still share deps.
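The wrapper idea from the thread (extra metadata in the process-compose YAML, a tool that rewrites each `command` into a sandboxed one and emits a new YAML) and the distinction raised earlier (cgroups for CPU/RAM limits, namespaces for file-system and network isolation), as an added example that is not part of process-compose or any project mentioned above. It assumes a hypothetical `x-sandbox` key per process, uses `bwrap` (bubblewrap) for mount and network namespaces and `systemd-run --user --scope` for a transient cgroup with resource limits; loading and dumping the YAML with PyYAML is left out so the block runs offline on a constructed dict.

```python
"""Hypothetical process-compose sandbox wrapper (added example, not project code).

Takes the parsed process-compose config as a dict, looks for an assumed
`x-sandbox` key on each process, and rewrites `command` so that:
  * bwrap supplies the isolation half (mount + net + pid namespaces), and
  * systemd-run supplies the resource-management half (a cgroup scope).
Shared, hashed dependencies (e.g. /nix/store) stay read-only visible, so
processes are isolated for writes and ports but still share deps.
"""
import copy
import shlex

# Constructed sample: what yaml.safe_load would return for a process-compose
# file carrying the assumed `x-sandbox` metadata.
SAMPLE_CONFIG = {
    "processes": {
        "api": {
            "command": "python -m http.server 8080",
            "x-sandbox": {
                "ro": ["/nix/store"],     # shared deps, readable only
                "rw": ["/srv/api"],       # only this process may write here
                "net": "private",         # own network namespace
                "memory_max": "256M",     # cgroup memory limit
                "cpu_quota": "50%",       # cgroup CPU limit
            },
        },
        "worker": {
            "command": "./worker --queue jobs",
            "x-sandbox": {"ro": ["/nix/store"], "rw": ["/srv/worker"]},
        },
        "plain": {"command": "echo unsandboxed"},   # no metadata: untouched
    }
}


def namespace_args(spec):
    """bwrap argv prefix: mounts and namespaces (the isolation half)."""
    args = ["bwrap", "--die-with-parent", "--new-session",
            "--unshare-pid", "--dev", "/dev", "--proc", "/proc"]
    for path in spec.get("ro", []):
        args += ["--ro-bind", path, path]
    for path in spec.get("rw", []):
        args += ["--bind", path, path]
    if spec.get("net", "shared") == "private":
        args.append("--unshare-net")   # separate network stack, no shared listen ports
    return args


def cgroup_args(spec):
    """systemd-run argv prefix: a transient cgroup scope with limits
    (the resource-management half). Empty when no limits are requested."""
    props = []
    if "memory_max" in spec:
        props += ["-p", f"MemoryMax={spec['memory_max']}"]
    if "cpu_quota" in spec:
        props += ["-p", f"CPUQuota={spec['cpu_quota']}"]
    if not props:
        return []
    return ["systemd-run", "--user", "--scope", "--quiet", *props, "--"]


def wrap_command(command, spec):
    """Wrap one shell command: cgroup scope outermost, then namespaces, then
    the original argv. shlex keeps the result safe to put back into YAML."""
    argv = cgroup_args(spec) + namespace_args(spec) + ["--"] + shlex.split(command)
    return shlex.join(argv)


def sandbox_config(config):
    """Return a new config where every process with `x-sandbox` metadata has
    its command wrapped; the metadata key is dropped so the output is plain
    process-compose YAML again. Processes without the key are untouched."""
    out = copy.deepcopy(config)
    for name, proc in out.get("processes", {}).items():
        spec = proc.pop("x-sandbox", None)
        if spec is not None:
            proc["command"] = wrap_command(proc["command"], spec)
    return out


if __name__ == "__main__":
    for name, proc in sandbox_config(SAMPLE_CONFIG)["processes"].items():
        print(f"{name}: {proc['command']}")
```

With PyYAML installed, `sandbox_config(yaml.safe_load(open("process-compose.yaml")))` followed by `yaml.safe_dump` produces the rewritten file the thread describes. Note the layering: the cgroup scope (`systemd-run`) is the outer wrapper because it limits the whole tree, including `bwrap` itself, while the namespaces decide what the process can see and bind to; neither one replaces the other.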