Explicit backpressure
A frontend is a container image that BuildKit runs to convert your build definition (Dockerfile, YAML, JSON, HCL, whatever) into LLB. The frontend receives the build context and the build file through the BuildKit Gateway API, and returns a serialized LLB graph.
What this means in practice is that if someone discovers a bug in the Linux kernel’s I/O implementation, containers using Docker are directly exposed. A gVisor sandbox is not, because those syscalls are handled by the Sentry, and the Sentry does not expose them to the host kernel.
"It's been investigated for many years," says Read, acknowledging that elastomers have yet to revolutionise actuator tech. "Often with these technologies, you have to keep pushing."