Containers and Chroot

Created: 02.02.2025
Updated: 23.03.2025

• Docker solves a problem that shouldn't even exist, reproduciable builds. (also some security and encapsulated environment)
• If u can avoid it don't use it, just try to get statically linked binaries, without runtime dependencies and use chroot, unveil and pledge and it's equivalent on linux.
• Application level security is better than ennvironment level security, because it can be more restrictive.
• Can also use on openbsd one user for each application.

• Use podman
• building own container runtime
• https://github.com/adamgordonbell/chroot-containers
• https://earthly.dev/blog/chroot/
• chroot just changes the root / pointer to somewhere else
• link your stuff statically, so the container runtime needs nothing (or dynamically but just libc is needed)