I recently learned about nsjail, a utility to sandbox applications or provide workload isolation.
It seems to be lighter weight than firejail and possibly better suited for server applications.
Has anyone used this? What's your experience with it? I'm curious about using it for my web server applications as an additional layer of Dr hotty.
Thanks a lot for taking the time to explain.
I did notice CTF on the description so I imagine "escaping" it is "harder" than with containers. I recently participated to SplinterCon which included a "block-a-thon" (cf day 2 of https://splintercon.net/brussels/ ) to try to escape a limited environment, approximately simulating the limited Internet access of some political regime. It might be interesting in that context too.
Could also be interesting then to distinguish which defaults are changed compared to Docker ones or examples for which nsjail is currently preferred.