Very interesting project.
What's the benefit over using Docker? Don't need root access?
> On 28 Jun 2020, at 21:27, Parke <parke.nexus@gmail.com> wrote:
Re: Running Alpine's userland in a Linux user namespace via lxroot
On Sun, Jun 28, 2020 at 1:22 PM admin@extremeshok.com <admin@extremeshok.com> wrote:
> Very interesting project.
Thanks.
> What's the benefit over using Docker? Don't need root access?
Correct, root access not required. But also:
(Much?) smaller(?) codebase. Probably also much smaller executable
size: A debug build of lxroot is 355KB. Compiled without debugging
info, lxroot is 132KB.
More transparency? (lxroot makes it easy to know where all the files
are. lxroot makes it easy to know which user IDs will be used.)
Easy to "share" files (by bind mounting directories) between the host
and lxroot environments. Or between two lxroot environments.
Conceptually simpler? Fewer moving pieces make lxroot easier to understand?
The above are mostly guesses, as I have never used Docker. I have
tried to use LXC and LXD, but I was never satisfied with the results.
Re: Running Alpine's userland in a Linux user namespace via lxroot
June 28, 2020 5:03 PM, "Parke" <parke.nexus@gmail.com> wrote:
> (Much?) smaller(?) codebase.
> More transparency?
> Conceptually simpler? Fewer moving pieces make lxroot easier to understand?
>
> The above are mostly guesses, as I have never used Docker. I have
> tried to use LXC and LXD, but I was never satisfied with the results.
True on all counts, but comparing Docker to lxroot is very apples and oranges.
Docker just uses cgroups for isolation - same thing you use, and is really
more of a convenience wrapper for development, and includes things like
full network and storage subsystems. Totally different things.
lxroot looks dope though, can't wait to try it out.
Running an Alpine subsystem is something I've been thinking about for a while.
Re: Running Alpine's userland in a Linux user namespace via lxroot
On Mon, Jun 29, 2020 at 9:45 AM <j3s@c3f.net> wrote:
> Docker just uses cgroups for isolation - same thing [lxroot] use[s],
I believe namespaces are distinct from cgroups (but I could be wrong).
From https://en.wikipedia.org/wiki/Cgroups#Namespace_isolation :
"While not technically part of the cgroups work, a related feature of
the Linux kernel is namespace isolation ..."
lxroot uses user namespaces, specifically:
the mount namespace
the network namespace
the process namespace
the user namespace
According to the above Wikipedia link, there is a "Cgroup namespace",
but I believe lxroot does not use the Cgroup namespace.
----
Another nifty consequence of lxroot's design is that you can lxroot
into '/' (the root directory itself), while at the same time doing
bind mounts and possibly mapping the uid and gid to zero, or dropping
network access. This allows you to run software in an "altered
version" of the host OS itself. (This might be somewhat similar to
firejail. But, as with Docker, I have never used firejail.)
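The two namespaces the thread keeps coming back to (a user namespace with the caller's uid and gid mapped to zero, followed by a private mount namespace) can be exercised from a short C program. The program below is an added example written for this thread, not lxroot's own code; it assumes a Linux kernel that permits unprivileged user namespaces and that /tmp exists. The function names format_id_map, enter_user_namespace and enter_mount_namespace are chosen here and are not lxroot's API.

```c
/* Added example (not lxroot's own code): enter a user namespace in which the
 * caller's uid/gid are mapped to 0, then a private mount namespace, and give
 * the resulting "root" a private /tmp.  Requires a kernel that permits
 * unprivileged user namespaces; no real privilege is gained on the host. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/mount.h>

/* Format one line of /proc/self/uid_map or gid_map: "<inside> <outside> <count>\n".
 * Returns the number of bytes written, or -1 if buf is too small. */
int format_id_map(char *buf, size_t len, unsigned inside, unsigned outside, unsigned count)
{
    int n = snprintf(buf, len, "%u %u %u\n", inside, outside, count);
    return (n < 0 || (size_t)n >= len) ? -1 : n;
}

/* Write data to an existing proc file in a single write(), as the id_map
 * files require.  Returns 0 or -errno. */
static int write_proc(const char *path, const char *data, size_t len)
{
    int fd = open(path, O_WRONLY);
    if (fd < 0)
        return -errno;
    ssize_t w = write(fd, data, len);
    int err = (w < 0) ? errno : (((size_t)w != len) ? EIO : 0);
    close(fd);
    return -err;
}

/* Create a new user namespace and map the caller's real uid and gid to
 * root_inside (0 to appear as root).  Returns 0 or -errno: EPERM, ENOSYS or
 * EINVAL usually mean unprivileged user namespaces are disabled or filtered. */
int enter_user_namespace(unsigned root_inside)
{
    unsigned uid = (unsigned)getuid(), gid = (unsigned)getgid();
    char line[64];
    int n, rc;

    if (unshare(CLONE_NEWUSER) < 0)
        return -errno;
    /* An unprivileged process must disable setgroups() before it may write gid_map. */
    rc = write_proc("/proc/self/setgroups", "deny", 4);
    if (rc < 0 && rc != -ENOENT)   /* ENOENT: pre-3.19 kernel without the file */
        return rc;
    n = format_id_map(line, sizeof line, root_inside, uid, 1);
    if ((rc = write_proc("/proc/self/uid_map", line, (size_t)n)) < 0)
        return rc;
    n = format_id_map(line, sizeof line, root_inside, gid, 1);
    return write_proc("/proc/self/gid_map", line, (size_t)n);
}

/* Create a private mount namespace: mounts made here stay invisible to the host. */
int enter_mount_namespace(void)
{
    if (unshare(CLONE_NEWNS) < 0)
        return -errno;
    /* Stop mount events propagating back into the parent namespace's tree. */
    if (mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL) < 0)
        return -errno;
    return 0;
}

int main(void)
{
    int rc;
    printf("outside: uid=%u gid=%u\n", (unsigned)getuid(), (unsigned)getgid());
    if ((rc = enter_user_namespace(0)) < 0) {
        fprintf(stderr, "user namespace: %s\n", strerror(-rc));
        return 1;
    }
    printf("inside:  uid=%u gid=%u (root only within this namespace)\n",
           (unsigned)getuid(), (unsigned)getgid());
    if ((rc = enter_mount_namespace()) < 0) {
        fprintf(stderr, "mount namespace: %s\n", strerror(-rc));
        return 1;
    }
    /* A tmpfs on /tmp is visible only here; the host's /tmp is untouched. */
    if (mount("tmpfs", "/tmp", "tmpfs", MS_NOSUID | MS_NODEV, "size=16m") < 0) {
        perror("mount tmpfs on /tmp");
        return 1;
    }
    /* Show the mapping the kernel applied and the (empty) private /tmp. */
    execl("/bin/sh", "sh", "-c", "id; cat /proc/self/uid_map; ls -la /tmp", (char *)NULL);
    perror("execl");
    return 1;
}
```

Build with `cc -o userns userns.c` and run it as an ordinary user. The `id` output inside reports uid 0, but `/proc/self/uid_map` shows that this 0 is backed by your real uid, so any file the "root" shell creates on a bind-mounted host directory is owned by you on the host; that is the property that makes the approach rootless, and it is also why a mapping to 0 gains nothing against the host kernel. If the program stops with EPERM at the user namespace step, the distribution has disabled unprivileged user namespaces via sysctl.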