Docker shares the host kernel, so a container escape lands on your box, and bubblewrap stays lighter but it leak edges if you leave seccomp or fs mounts loose.
replyZerobox reads like a tool for per-command guardrails instead of image management. That trade looks saner for local runs, though it's new enough that I'd expect a few escapes before the rough egdes are gone.
The text says that it uses OS-level tools, specifically bubble wrap on Linux.
replyThat's right. It uses the same kernel mechanisms as Docker, the runtime is different though (bwrap on linux, seatbelt on mac, etc.)
reply