both Docker and bubblewrap are not secure sandboxes. the only way to have actual...

gf000 · 2026-02-03T22:34:36 1770158076

What about cgroups? I know they are not exactly analogous, but to me that seems like a pretty decent solution.

senko · 2026-02-03T20:59:24 1770152364

No disagreement from me. From the article:

> Bubblewrap and Docker are not hardened security isolation mechanisms, but that's okay with me.

Edit to add: my understanding is the major flaw in this approach is potential bugs in Linux kernel that would allow sandbox escape. Would appreciate your insight if there are some easier/more probable attack vectors.

its-summertime · 2026-02-03T21:36:53 1770154613

Do you have more information on how to set up such VMs?

ushakov · 2026-02-03T21:46:37 1770155197

for personal use, many ways: Vargant, Docker Sandbox, NixOS VMs, Lima, OrbStack.

if you want multi-tenant: E2B (open-source, self-hosted)

eikenberry · 2026-02-03T23:45:32 1770162332

Hashicorp has mostly abandoned Vagrant, so I'd avoid it.