> could have adopted jails instead of creating I've lost count of how many "container" technologies
The "many technologies" are mostly user-level wrappers though. What actually happened in the kernel: they've added unshare(2) early on, but it only isolated filesystem mounts at first. Later they started gradually adding more things for it isolate: network, PID, IPC and users. The "users" part arrived really late and is kinda bad… that's why for a very long time you weren't supposed to give people root in a docker container, and I think it's still not recommended. That's quite hilarious, considering that jails' main purpose literally was "containing root", and it fucking worked great since the early 2000s.
> they will toss iptables eventually and write something similar but not quite as good as pf
The "many technologies" are mostly user-level wrappers though. What actually happened in the kernel: they've added unshare(2) early on, but it only isolated filesystem mounts at first. Later they started gradually adding more things for it isolate: network, PID, IPC and users. The "users" part arrived really late and is kinda bad… that's why for a very long time you weren't supposed to give people root in a docker container, and I think it's still not recommended. That's quite hilarious, considering that jails' main purpose literally was "containing root", and it fucking worked great since the early 2000s.
> they will toss iptables eventually and write something similar but not quite as good as pf
nftables is precisely that :D
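As an added example (not part of the thread), a small C program that exercises the "users" namespace the comment refers to: the child calls unshare(CLONE_NEWUSER), writes a one-line uid_map, then looks like uid 0, yet a uid outside that map is unreachable. It assumes a Linux kernel that permits unprivileged user namespaces; the function and result names are mine.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>
#ifndef CLONE_NEWUSER
#define CLONE_NEWUSER 0x10000000 /* value from <linux/sched.h>, if _GNU_SOURCE was not in effect */
#endif
extern int unshare(int flags);

enum { DEMO_CONTAINED = 0, DEMO_UNAVAILABLE = 1, DEMO_UNEXPECTED = 2 }; /* names are mine */

/* Child: enter a new user namespace and map our own outer uid to uid 0 inside it. */
static int child_body(void) {
    char map[64];
    int fd, len = snprintf(map, sizeof map, "0 %u 1\n", (unsigned)geteuid());
    if (unshare(CLONE_NEWUSER) != 0)
        return DEMO_UNAVAILABLE;   /* EPERM/ENOSYS: kernel, seccomp or sysctl forbids it */
    /* Unprivileged: only this one-line map of our own uid is accepted, in a single write(2). */
    fd = open("/proc/self/uid_map", O_WRONLY);
    if (fd < 0 || write(fd, map, len) != len)
        return DEMO_UNEXPECTED;
    close(fd);
    if (geteuid() != 0)
        return DEMO_UNEXPECTED;    /* we now look like root inside the namespace */
    /* uid 1 has no entry in our map, so this "root" cannot even become it: EINVAL. */
    if (setuid(1) == 0 || errno != EINVAL)
        return DEMO_UNEXPECTED;
    return DEMO_CONTAINED;
}

/* Runs the demo in a forked child; returns a DEMO_* code, or -1 on fork/wait failure. */
int userns_demo(void) {
    int status;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) _exit(child_body());
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status);
}

int main(void) {
    int r = userns_demo();
    printf("%s\n", r == DEMO_CONTAINED ? "root inside the namespace, yet confined to one mapped uid"
                 : r == DEMO_UNAVAILABLE ? "user namespaces not available here" : "unexpected result");
    return r == DEMO_UNEXPECTED || r < 0;
}
```

On a host where user namespaces are disabled the program reports that and exits cleanly rather than failing, which is the same check a container runtime has to make before relying on them.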