
> User, process, and filesystem namespacing. System call filtering. Ensuring even if there is a remote exec exploit there is no bash or anything else in the container for an attacker to use.

All of these are supported by systemd out of the box. You can use `SystemCallFilter=...`, and various options to restrict the file system (like `ProtectHome` and `ProtectSystem`) plus tons of other Linux kernel features (capabilities, no new privileges).
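
An added example, not part of the comment above: a service unit that sets the options it names (`SystemCallFilter`, `ProtectHome`, `ProtectSystem`, capabilities, no new privileges) together with systemd's namespacing directives. The unit name, binary path and state directory are hypothetical, and `ProtectProc=`/`ProcSubset=` assume a recent systemd release.

```ini
# /etc/systemd/system/example-app.service
# Constructed example: unit name and paths are hypothetical.
[Unit]
Description=Example service with kernel-level sandboxing

[Service]
ExecStart=/usr/local/bin/example-app
# Run as a transient, unprivileged UID/GID allocated at start.
DynamicUser=yes

# System call filtering: start from the allow-list for ordinary
# services, then remove privileged and resource-control calls.
SystemCallFilter=@system-service
SystemCallFilter=~@privileged @resources
SystemCallErrorNumber=EPERM
SystemCallArchitectures=native

# Filesystem restrictions: the whole hierarchy is read-only,
# home directories are hidden, /tmp and /dev are private.
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
PrivateDevices=yes
# The only writable location: /var/lib/example-app
StateDirectory=example-app

# User and process namespacing.
PrivateUsers=yes
ProtectProc=invisible
ProcSubset=pid
RestrictNamespaces=yes

# Capabilities and privilege escalation.
CapabilityBoundingSet=
AmbientCapabilities=
NoNewPrivileges=yes

# Kernel interfaces the service has no reason to touch.
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectControlGroups=yes
```

`systemd-analyze security example-app.service` reports which sandboxing directives a unit sets and which it leaves at their defaults.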




Fair point, but there is also no portable spec for this that works beyond systemd and there are plenty of cases where systemd is not desirable.

Maybe you want to run on an embedded system, or a hardened immutable system where you don't actually need bash and coreutils etc.

The OCI spec gives us all these features in a compact and portable package independent of any particular init system, while also providing a way to verify and update images with signature verification over a network, so you need not even have attack surface like ssh to manage updates.

Don't get me wrong, I love systemd for my desktop; however, for servers I don't want a single binary present that isn't strictly necessary for my target binary to function, as it just gives adversaries a foothold.



