
Ask HN: Does FireJail reduce the need for Docker? - notsony
https:&#x2F;&#x2F;l3net.wordpress.com&#x2F;projects&#x2F;firejail&#x2F;<p>Firejail is a SUID sandbox program that reduces the risk of security breaches by restricting the running environment of untrusted applications using Linux namespaces, seccomp-bpf and Linux capabilities. It allows a process and all its descendants to have their own private view of the globally shared kernel resources, such as the network stack, process table, mount table. Firejail can work in a SELinux or AppArmor environment, and it is integrated with Linux Control Groups.<p>$ firejail firefox            # starting Mozilla Firefox<p>$ firejail transmission-gtk   # starting Transmission BitTorrent<p>$ firejail vlc                # starting VideoLAN Client<p>$ sudo firejail &quot;&#x2F;etc&#x2F;init.d&#x2F;nginx start &amp;&amp; sleep inf&quot;
======
gmuslera
Look a lot like containers. But docker is a bit more than that, the first that
jumped to my attention is what is related to filesystem (layered images,
repositories, CoW image+running container fs, volumes) seem to be missing. It
runs everything in the normal filesystem by default?

The ecosystem build around it (compose, kubernetes, weave, machine, swarm,
etc) will be missing too.

Its desktop app focus made me remember of
[http://subuser.org/](http://subuser.org/) that is docker based, but maybe it
have less requirements.

But is another voice in the container space, and could be more fitting than
other alternatives for some use cases.

------
twunde
It looks like more of a complement to docker than an alternative. Docker does
a good job of making apps/services deployable without really having to care
about the infrastructure underneath. One of Docker's current issues is a lack
of security (a security breach in one container can be exploited to access
other containers on the same machine since containers share resources with
each other)

If I'm reading the documentation correctly, this doesn't do virtualization ala
freebsd jails or true containers but is more like a chroot jail, which grants
a locked-down view of a filesystem

