I agree a platform-independent API would be very useful, but I wonder how close the semantics are.
I think a process-isolation model, possibly with Capsicum, is more interesting than the LXC-like "VM model" (which does seem messy to me). I don't need an init process and fake hardware inside the container. Just Unix process tree isolation.
For example, I think BSD jails have the option to use host networking, which in Linux is analogous to not using network namespaces.
https://wiki.freebsd.org/Hierarchical_Resource_Limits
If so I'm curious how they compare with cgroups.