The Drawbridge[1] stuff is pretty interesting looking. I really wish MS would ship a simple sandboxing solution, so I can run arbitrary binaries and restrict them. The new Metro app stuff is cute, but doesn't help with the millions of existing binaries. Nor does it seem very user-friendly or useful, for that matter.
A UWP sandboxing solution was demoed at Build this year and will ship as part of the Anniversary Update (SDK?). Apparently even Age of Empires II worked under it.
Centennial isn't really a sandbox in the sense I think the poster above you meant - while processes have their reads/writes to certain filesystem/registry locations virtualized by default, this isn't a security boundary as they ultimately run at medium trust and can do anything the user can do.
AppContainer is the security sandbox used by modern apps (aka Metro/UWP). It can be used independently of other aspects of the modern app model - e.g., Chrome uses it to sandbox content processes - although this isn't documented very well (which I guess was what GP was complaining about?) and it seems like trying to sandbox apps that weren't designed to be sandboxed, as GP was wanting, would have inherent compatibility problems?
This is fascinating :-) I was wondering if they leveraged their environment subsystem framework - nice to have this confirmed!
A long time ago I wrote the Wikipedia article on the architecture of Windows NT. It obviously needs an update, but I think it's still quite relevant and explains in a vastly simplified manner how Windows Fitz together.
It's interesting that this was enabled by the Drawbridge work. I was somewhat under the impression that Drawbridge was dead and/or superseded by other container-related projects. It's often weirdly hard to find out what's going on with some particular Microsoft project or technology, even for those of us who are employees. I was pretty excited about Drawbridge ~3 years ago when I was working with it but it subsequently seemed to have vanished.
I created an account just to reply to this. You said, "It's often weirdly hard to find out what's going on with some particular Microsoft project or technology..." I was just thinking that very thing today. Why is that?
It's not as bad as Amazon, apparently. I've known people there who say everything is compartmentalized. At Microsoft, it's typically only the bleeding edge stuff they keep secret internally.
Keeping things secret is only a part of the problem. Corporate utter forgetfulness of the past is another. Consider the tale related by Stephen Walli (referenced at https://news.ycombinator.com/item?id=11560510) about the Microsoft people who didn't even know that Microsoft had the SFUA/SUA with Windows NT.
> "I had to explain to the [Windows High Performance Computing team] that they already owned the technology they needed, but to no avail. They couldn't get their head around the idea."
While this is an interesting technical overview, could anyone give me an idea of how to reinstall lxrun? The blasted thing doesn't work for me anymore and there's basically no documentation on how to fix it other than reinstalling Windows 10. Yes, I've tried lxrun /uninstall /full followed by lxrun /install.
Edit: in fact, I think the problem with my installation has to deal with Windows' NTFS not natively being capable of understanding the lxss file attributes...
> The primary role of SUA was to encourage applications to get ported to Windows without significant rewrites.
Is this a supported use of the Linux subsystem?
Running native Linux apps directly is great if it works but there are going to be cases where the app would 99% work except for that one thing Linux has and the Linux subsystem doesn't. Maybe Microsoft doesn't provide a tun/tap driver so you need to use TAP-Windows.
It would be convenient to be able to change only that without having to worry about the subtle differences in the Windows version of inet_ntop() and the call to make a socket non-blocking and that Unicode on Windows is UTF-16 instead of UTF-8 and so on.
I was just thinking after reading this - sure there were some engineering marvels that enabled this, but for the implementation it was just rote work with the sheer manpower Microsoft can muster up. That in itself is just really impressive.
Edit: giving it more thought, a Mozilla engineer recently demo'd an immediate mode rendering engine that him and one other dev wrote in 9 months, with feature parity of modern browsers. So either way - big engineering effort or a couple '10x developers' - pretty impressive .
... which is notable because it is not immediate mode but the first retained mode renderer in a browser. Also, they used Rust to cut down on the time spent debugging threading issues.
I think I read somewhere else that they use a better implementation here. Cygwin and SUA being user-mode pieces were limited to a slow fork, but in kernel mode they can emulate things properly.
Does the fork performance really matter these days anymore? I mean comparing from one side to the speed of loading the app itself, fork is usually super cheap; on the other comparing to per-process async event handling, it's so slow pretty much nobody uses it this way for network apps anymore. What's the use case for a fast fork today?
I don't know if it is due to various fork implementations being slow on Windows, but programs that spawn a lot of subprocesses like build tools can be really slow [1].
I would love to see some numbers for those from Bash on Windows.
Does fork on windows actually block parent for a long time, or does it only delay the child? I thought it was the latter, which shouldn't affect Redis. (but I may be wrong)
Not to be a dick, but you're probably not doing it correctly. It asks you to reboot on the spot, for one. When I first tried to do it, I couldn't figure it out without instruction. It's a fairly long process considering it's just a simple item. It should be as easy as switching on Hyper-V...but it's not. Granted it's still in beta.
I've had the update issue with a "normal" Windows 10 installation (upgraded from 7 without reinstall, which went well, seemingly). It always found updates but then failed (silently) to install them, and so on.
1: http://research.microsoft.com/en-us/projects/drawbridge/