
chroots aren't namespaced, which is a big important difference. Being able to kill the entire container by killing its init process (and keep its processes out of the host namespace) is a huge deal.


Most of these implementations actually kill all processes in the namespace, not just init. First, there may not be an init (the root process could be the service, which is actually a best practice with respect to containers); and second, the signal may not be propagated to its children, especially if a non-trappable signal (e.g. SIGKILL) is sent.


A SIGKILL is sent to everything in the namespace if the init/root process dies anyway. So effectively it is auto-propagated.


chroots aren't namespaced

Sure they are. If you chroot apache to /var/www, then /var/www is now / in the chroot'ed namespace.


Yeah, and if "everything is a file" was actually true, then the filesystem would be the only namespace you needed to care about.

It isn't.
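
The distinction argued over in this thread (a chroot only changes a process's filesystem root, a PID namespace gives it a separate process tree whose root dying takes everything with it) is visible from the host through /proc. The following is an added example, not code from any commenter: it reads /proc/<pid>/root to detect a chroot and the NSpid line of /proc/<pid>/status to detect a nested PID namespace. The apache2 and nginx status excerpts are constructed, and the /var/www and /var/lib/ctr/rootfs paths are illustrative.

```python
"""Host-side inspection of whether a process is chroot'ed, PID-namespaced,
both, or neither.  Added example for this thread, not code from any
commenter; uses only the Linux /proc interface."""
import os
from dataclasses import dataclass
from typing import List


@dataclass
class IsolationReport:
    pid: int
    root: str              # process root as a path seen from the caller's root
    ns_pids: List[int]     # PIDs in each nested PID namespace, outermost first
    chrooted: bool         # root differs from the caller's "/"
    pid_namespaced: bool   # in a PID namespace nested below the caller's


def parse_nspid(status_text: str) -> List[int]:
    """Parse the 'NSpid:' line of /proc/<pid>/status (Linux >= 4.1).

    One entry: the process is in the reader's PID namespace (a chroot changes
    nothing here).  Each extra entry is the PID as seen one namespace deeper;
    the last entry is the PID the process sees for itself, so a container's
    root process shows up as e.g. 'NSpid: 5100 1'."""
    for line in status_text.splitlines():
        if line.startswith("NSpid:"):
            return [int(tok) for tok in line.split()[1:]]
    raise ValueError("no NSpid line: old kernel or not a status file")


def describe(ns_pids: List[int], root: str) -> str:
    """Classify from the two facts the thread argues about."""
    chrooted = root != "/"
    namespaced = len(ns_pids) > 1
    if chrooted and namespaced:
        return "chroot + pid namespace"
    if namespaced:
        return "pid namespace only"
    if chrooted:
        return "chroot only"
    return "host process (no chroot, no pid namespace)"


def inspect_process(pid: int) -> IsolationReport:
    """Read the live facts for <pid>; run this from the host (initial)
    namespace so the NSpid list starts at the host's view.  The root link
    reads back as "/" when the target shares the caller's root."""
    with open(f"/proc/{pid}/status") as fh:
        ns_pids = parse_nspid(fh.read())
    root = os.readlink(f"/proc/{pid}/root")
    return IsolationReport(pid, root, ns_pids, root != "/", len(ns_pids) > 1)


def same_namespace(pid_a: int, pid_b: int, kind: str = "pid") -> bool:
    """True if the two processes share the given namespace (pid, mnt, net, ...);
    /proc/<pid>/ns/<kind> links to 'kind:[inode]' and equal inodes mean the
    same namespace."""
    return (os.readlink(f"/proc/{pid_a}/ns/{kind}")
            == os.readlink(f"/proc/{pid_b}/ns/{kind}"))


def self_check() -> bool:
    """Sanity check on the calling process: the last NSpid entry is its own
    PID, and it trivially shares every namespace with itself."""
    me = inspect_process(os.getpid())
    return me.ns_pids[-1] == os.getpid() and same_namespace(os.getpid(), os.getpid())


# Constructed /proc/<pid>/status excerpts (not captured from a real system):
# an apache2 chroot'ed to /var/www as in the comment above, and a container's
# root process that is PID 1 inside its own namespace.
SAMPLE_CHROOT_ONLY = "Name:\tapache2\nPid:\t4242\nNSpid:\t4242\n"
SAMPLE_CONTAINER_INIT = "Name:\tnginx\nPid:\t5100\nNSpid:\t5100\t1\n"

if __name__ == "__main__":
    print(describe(parse_nspid(SAMPLE_CHROOT_ONLY), "/var/www"))
    print(describe(parse_nspid(SAMPLE_CONTAINER_INIT), "/var/lib/ctr/rootfs"))
    me = inspect_process(os.getpid())
    print(me, describe(me.ns_pids, me.root))
```

Run it from the host's initial namespaces: a chroot'ed apache2 shows a non-"/" root and a single NSpid entry, so from the host it is just another process in the host's process tree; a container's root process shows two entries, the second being 1, which is the process whose exit makes the kernel SIGKILL the rest of that namespace.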





