What this means in practice is that if someone discovers a bug in the Linux kernel’s I/O implementation, containers using Docker are directly exposed. A gVisor sandbox is not, because those syscalls are handled by the Sentry, and the Sentry does not expose them to the host kernel.
Екатерина Грищенко (старший редактор отдела «Бывший СССР»)
,推荐阅读旺商聊官方下载获取更多信息
their look and feel.
Water resistance: IP54 (splash resistant)