gVisor: Building and Battle Testing a Userspace OS in Go
TL;DR A container is a package format and a content addressable bundle of content addressable layers! namespaces and cgroups are two key features of Linux kernel enabling containerization. Containers running on a host share a single Linux kernel! (a singler scheduler, a single memory manager, and so on) The Linux kernel has so many known and unknown bugs! Sandboxes are a way of getting an extra layer of isolation for containers....