Comment by its-summertime

8 days ago

Edit: Sorry for what an opinionated mini rant this comment has become while typing it ;;

> The so called ‘rootless’ Podman seems to be advertised as being on the same level of isolation as Jails – but only if You run that Podman with properly configured and enabled SELinux/AppArmor solutions.

That ignores user namespacing, the subsequent namespacing for mounts, networks, etc. So I'm confused as to where the it-only-is-secure-with-SELinux claim comes from.

> Then the Jails are better isolated again

How so?

- - -

> Even ‘rootless’ Podman has full access to all Linux kernel syscalls

from https://podman.io/blogs/2019/10/15/generate-seccomp-profiles...

Most container tools use a default seccomp filter which was initially written by Jesse Frazelle for Docker

- - -

> Jails have restricted use of FreeBSD kernel syscalls without any additional tools

Which ones?

> You can NOT dedicate any physical interface to the ‘rootless’ Podman container

I'm confused by what you mean "physical" here.

Can also disable networking, which is mentioned for jails for some reason. So are other VPN-like options, not mentioned for Podman.

https://www.procustodibus.com/blog/2022/10/wireguard-in-podm... as an example

> firewall

https://discuss.linuxcontainers.org/t/how-does-nftables-work...

> comparing CVE counts and nothing else

Come on

- - -

This article seems like it would strongly contribute to people misunderstanding things.
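A way to check the two points the comment relies on (a user namespace maps container root to an unprivileged host uid, and the default seccomp profile denies any syscall no rule allows), as an added example that is not part of the comment or of Podman's code. The uid_map sample and the profile excerpt are constructed, and the evaluator is a simplified reimplementation of the profile format's includes/excludes capability gating (argument-level conditions are not evaluated), not Podman's own.

```python
import json

# Constructed sample of a rootless container's /proc/self/uid_map:
# columns are (uid inside the namespace, host uid, length of the range).
SAMPLE_UID_MAP = "         0       1000          1\n         1     100000      65536\n"

# Constructed excerpt in the Docker/Podman seccomp profile format: default
# deny, plus allow rules gated on the container's capability set.
SAMPLE_PROFILE = json.dumps({
    "defaultAction": "SCMP_ACT_ERRNO",
    "syscalls": [
        {"names": ["read", "write", "exit_group"], "action": "SCMP_ACT_ALLOW"},
        {"names": ["mount", "umount2"], "action": "SCMP_ACT_ALLOW",
         "includes": {"caps": ["CAP_SYS_ADMIN"]}},
        {"names": ["clone"], "action": "SCMP_ACT_ALLOW",
         "excludes": {"caps": ["CAP_SYS_ADMIN"]}},
    ],
})


def host_uid_for(uid_map_text, container_uid):
    """Host uid that a uid inside the user namespace maps to, or None if
    the uid is unmapped (such uids show up as the overflow uid, 65534)."""
    for line in uid_map_text.splitlines():
        if line.strip():
            inside, outside, length = (int(x) for x in line.split())
            if inside <= container_uid < inside + length:
                return outside + (container_uid - inside)
    return None


def seccomp_action(profile_json, syscall, caps=()):
    """Effective seccomp action for `syscall`, given the capabilities the
    container holds. Simplification: per-argument ("args") conditions are
    not evaluated, so an allow rule with args is treated as unconditional."""
    profile = json.loads(profile_json)
    caps = set(caps)
    for rule in profile.get("syscalls", []):
        if syscall not in rule.get("names", []):
            continue
        required = set(rule.get("includes", {}).get("caps", []))
        forbidden = set(rule.get("excludes", {}).get("caps", []))
        if required and not required <= caps:
            continue  # rule applies only when every required cap is held
        if forbidden & caps:
            continue  # rule applies only when none of these caps are held
        return rule["action"]
    return profile["defaultAction"]  # no matching rule: default applies
```

On a real rootless Podman host the same checks can be run against `/proc/self/uid_map` inside the container and the profile file shipped by containers-common.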