I loved this hands-on presentation Containers From Scratch by Liz Rice from a few years ago: https://www.youtube.com/watch?v=8fi7uSYlOdc

Today, Linux containers in (less than) 100 lines of shell by Michael Kerrisk was published: https://www.youtube.com/watch?v=4RUiVAlJE2w
> Importantly, we designed Styrolite with full awareness that Linux namespaces were never intended as hard security boundaries—a fact that explains why container escape vulnerabilities continue to emerge. Our approach acknowledges these limitations while providing a more robust foundation.

So what do you do, exactly?
When I was digging into containers (a.k.a. it uses Linux namespace capabilities), lwn.net's series of articles helped me a lot.

https://lwn.net/Articles/531114/#series_index
I've seen many examples of people creating containers for Linux; I wish it were comparably easy to create containers for Windows. The fundamental software exists on Windows (AppContainers are how UWP apps work), but the documentation around AppContainers is very sparse/opaque because Microsoft doesn't want you to use AppContainers to make a general-purpose sandbox environment like Snap or Flatpak; they want you to write UWP apps. It would be immensely helpful if you could run any arbitrary Win32 or higher application in a sandboxed AppContainer where the NT system calls only had access to, say, the application's local folder and its %APPDATA% folder.

Alas, I think that Microsoft has simply given up on native application support on Windows. Currently the only good way to write native apps for Windows is still Win32/MFC and WinForms.

In fact, I think that secretly even Microsoft knows that everyone hates their UI frameworks/runtimes (and the fact that Microsoft deprecates them 2 years into their lifespan), because Microsoft STILL provides modern .NET 8/9 bindings for WinForms in 2025. If only they would just replace the GDI renderer with Direct2D, it would be literally perfect.
We are an algorithmic trading company [0], and our trading strategies are primarily built as pure Rust libraries. We've been searching for a way to sandbox the strategies we host, as not all of them are signed or open source for verification. Styrolite seems like a promising solution to address this issue, so we're planning to give it a try.

[0]: https://cycletop.xyz
Why not use any of the existing OCI runtimes? They take a well-defined[0] JSON description as input, and are pretty well-contained (single static binary). And because they are separate binaries, not libraries, you don't need to worry about things like thread safety or FD leaking.

[0] https://github.com/opencontainers/runtime-spec/blob/main/config.md
How does this compare to the recently discussed Landrun?

https://news.ycombinator.com/item?id=43445662
Isn't the gold standard of containerisation gVisor? Can't get much more restrictive than proxying and filtering syscalls. As far as I remember, it's the default runtime on GKE.