[HN Gopher] Windows Sandbox ___________________________________________________________________ Windows Sandbox Author : spansoa Score : 109 points Date : 2023-04-02 18:27 UTC (4 hours ago) (HTM) web link (learn.microsoft.com) (TXT) w3m dump (learn.microsoft.com) | doubleorseven wrote: | It's a great tool. We've been using it as a windows replacment | for Linux live. I have 2 wishes from this feature. 1. Use more | than one screen. 2. Have the ability to extend the dockerfile so | i can preinstall software. | nabilhat wrote: | For (2.) I've been using wsb configs to script installs, or | better yet map to storage that's preloaded with software that | can be installed to an arbitrary location or is otherwise | portable. | | https://techcommunity.microsoft.com/t5/itops-talk-blog/custo... | jimbob45 wrote: | It's a great tool but it's becoming clear that this is another | IE6 in 2002 situation. That is, MS has a killer feature but | can't recognize that and will let it fester until a competitor | comes along in a decade. Real shame because even a small team | could add some desperately needed updates. | ape4 wrote: | Heavy prerequisites.... At least 4 GB of RAM (8 | GB recommended) At least 1 GB of free disk space (SSD | recommended) At least two CPU cores (four cores with | hyperthreading recommended) | andix wrote: | It's fine to keep using old hardware, but with lower specs than | that, windows 10/11 is completely unusable anyway. With such | specs you probably want to use some lightweight Linux | distribution, if you don't enjoy looking at the hourglass- | cursor most of your workday... | piperswe wrote: | I don't think any of those are a tall ask for powerusers in | 2023 | daveoc64 wrote: | Those are all at or below the Windows 11 System Requirements. | paxys wrote: | How is any of this heavy? Every entry level laptop or desktop | sold in the last 5 years (probably longer) will meet these | requirements. | dragonwriter wrote: | 1GB of free disk space is trivial, 2 CPU cores and 4GB is the | minimum requirement for Windows 11; so its hardly "heavy | requirements", its basically "a relatively recent PC". | | Recommended is a bit more onerous, but, 8GB and 4 | hyperthreading cores isn't a lot . I've got a two-year-old | midrange laptop (other than having a fairly nice dGPU for | something not marketed for gaming, but that's not really really | relevant here) and its got 16GB of RAM and 6HT cores. | fbdab103 wrote: | >its basically "a relatively recent PC". | | I would challenge recent. For a power user who would engage | in these features, that feels like at least baseline specs | from 10+ years ago. On a larf, I queried "dell 2012 laptop" | and came to this review for a Dell XPS 15[0]. Probably a more | performant laptop than the average user, but this thing has a | quad-core with 8GB ram. | | [0] https://www.laptopmag.com/reviews/laptops/dell- | xps-15-2012-r... | temp12192021 wrote: | With those pre-reqs, is there anything Windows Sandbox can do | that Sandboxie can't? | | https://github.com/sandboxie-plus/Sandboxie | gruez wrote: | Hypervisor isolation. Sandboxie works at the kernel level | which is a much larger attack surface. | gigel82 wrote: | It would be much more useful if you could save / restore | checkpoints. And because it gets wiped on every reboot it means | you can never test software that needs to restart the machine (to | install services and whatnot). | amluto wrote: | > Note, however, that as of Windows 11 Build 22509, your data | will persist through a restart initiated from inside the | virtualized environment--useful for installing applications | that require the OS to reboot. | revicon wrote: | They specially call out that files are retained during a reboot | of the sandbox to allow for the "restart required" condition | SeriousM wrote: | Windows sandbox combined with winget used in setup script has a | lot of usecases | discreditable wrote: | One of my favorite uses for this is creating .wsb files that | would launch a script and install zoom/WebEx/etc so I would not | have to install them on my PC. The video and audio worked just | well enough for me to get away with and it was easier to screen | share what I was doing within the container and avoid sharing | anything extra (ex: notifications). | thomasmarton wrote: | This is basically Microsoft's big chance to create Docker for | windows. Prebaked images on top of this lightweight layer and | shared folders which are already supported. | | I'd love to see this happen on environments where you need | Windows, but you still want the ease of deployment feature of | Docker | fbdab103 wrote: | This feels like an opportunity for Microsoft to start finally | cutting out legacy cruft. Guarantee a 100% pre-Windows 12 | seamless emulation layer. Once that is established, it becomes | more possible to port to ARM, RISC, or make foundational | breaking API changes that have been desired for decades. | Dwedit wrote: | Then watch as people reject the new APIs and continue to | develop for that emulation layer. | Dalewyn wrote: | Win32: "I have slain many a challenger; you won't be the | last." | naikrovek wrote: | yep, and they'll complain the entire time saying Microsoft | never does anything new. | | this has happened a couple times, really. | danjc wrote: | It's beyond an equivalent to a Docker container because it | includes kernel isolation. This is a security distinction that | isn't well understood. | vetinari wrote: | It is a different thing. | | They point of containers is that they do share the same | kernel, and that each container is just a different | namespace. | | If each entity has a different kernel, they are VMs. VMs can | be also pretty thin and have shared immutable store for their | base image, but they are not containers anymore. Similarly, | Xen DOM-Us are also VMs. | kritr wrote: | At least on Windows, Hyper-V isolated containers are also a | supported feature, which should also ensure kernel isolation. | I assume Kata containers or any other virtualization backed | solution would give you similar guarantees. | andix wrote: | Windows containers for docker exist for a long time already, | they are even compatible with k8s. And they are just a mess. | Windows is not really a suitable platform for containerized | apps. | | If you want a sandboxed App environment for windows, there are | the UWP/Store apps, which are also not that great. | | I have the feeling that Microsoft kind of gave up on windows | and is trying to move everything into the cloud and the | browser. | riffic wrote: | they should give up on windows too. | andix wrote: | I think that's what they are doing. Most new sever side | products they release have first class Linux support. And | most new desktop applications are web based. Also Edge is | supported on Linux. | pjmlp wrote: | Azure runs on Windows. | | https://techcommunity.microsoft.com/t5/windows-os- | platform-b... | andix wrote: | Those are probably hyper-v hosts. Yes it is Windows, but | it's mostly a virtualization platform for running VMs. | pjmlp wrote: | It doesn't matter, it is a Windows flavour still. | jonick wrote: | And Linux - every Azure blade has an embedded ARM SoC | running a hardened Linux with various daemons that | interface with both the Azure backend and the Windows | host, control offloading of network and storage | processing to the FPGA, and other tasks. | 908B64B197 wrote: | And give up their internal expertize with the stack? | riffic wrote: | Docker and containerization is something that already exists | for the Windows kernel though. | | https://learn.microsoft.com/en-us/virtualization/windowscont... | capableweb wrote: | Except Docker containers doesn't actually run on Windows as | they do on Linux (Linux containers that is, I don't know how | Windows containers does it). What Docker Desktop does is | creating a WSL VM for running your containers, which is | basically what everyone did before as well (on both macOS and | Windows), but with a easier setup. | kritr wrote: | Docker does support launching Windows containers both local | and Hyper-V backed. Windows has a feature called Silos | which allows linux style isolation. | n8cpdx wrote: | Windows Containers are a Windows-native container solution. | No Linux kernel need be involved. This lives alongside | Linux VM-based containers in Docker Desktop. Obviously you | can only run Windows-based images, which confuses people | that think Containers=linux. I think BSD has a similar | concept as well. https://wiki.freebsd.org/Docker | capableweb wrote: | Yeah, that's what I would have guessed. Fortunately | (unfortunately for some?), most containers are Linux- | based, both for deployment and development purposes. | paxys wrote: | Running Hyper-V under the hood I imagine? The description makes | it seem like this is targeted towards professional use cases (for | example excluding it from Windows Home editions), but I'd like to | see a future where every application installed on your computer | gets such a sandbox by default. | vodou wrote: | Windows Sandbox, together with WSL, have liberated me from | VirtualBox/VMware Workstation. So thankful for that. Now I only | wait for native USB support in WSL. | eidorb wrote: | This is useful on the USB support front: | https://learn.microsoft.com/en-us/windows/wsl/connect-usb | lhoff wrote: | In case you don't know about it, there is good workaround based | on USB over IP that is officially recommended by MS. | | I used it a while ago to flash a ESP32 and to connect a Zigbee | Adapter to a Linux container. Had no issues with it. | | https://learn.microsoft.com/en-us/windows/wsl/connect-usb | risho wrote: | It would be nice if there was a way to persist this. There are | instances where you want to have either a clean environment to | work in or you want to isolate something from your primary | machine but you also don't want it to just get destroyed when you | are done. Maybe this is a feature of this and I'm just not | understanding it properly. | jmkni wrote: | Isn't that just a virtual machine? | Dalewyn wrote: | In fairness, setting up and maintaining a virtual machine | might as well be too much upkeep for the common user. | | On the other hand, if a user knows what a "sandbox" is (no, | not the playground box of sand) they aren't a common user. | risho wrote: | This seems to run more seamlessly than a virtual machine. | Plus I think this supports hardware acceleration and stuff | natively. | kritr wrote: | It is a Hyper-V backed VA backed VM. It shared memory with | the host in the same fashion that WSL does, as opposed to | carving out physical memory. We have some additional | optimizations to make it snappier than running a full vm. | petra wrote: | It uses hardware-isolation which i think is more secure. | Operyl wrote: | That's what most VM Hypervisor technology already does. | asabla wrote: | For instances were I want to have a more persisted state I | would create a Sandbox file (with file extension .wsb) which | just runs a setup script when the environment starts. | | So basically what you would do with a provisioning script when | using VM's. | | You can find more about it here: | https://learn.microsoft.com/en-us/windows/security/threat-pr... | xuhu wrote: | As someone noted, running `restart` in the sandbox sounds like | it results in Windows preserving the sandbox. | JonathonW wrote: | The sandbox persists through a restart (to allow for the | installation of software that requires a reboot) but never | persists after Windows Sandbox is closed. | | That's the big distinction from Hyper-V or other | virtualization products; otherwise, it's just a Hyper-V VM | with a prebaked Windows image and fewer options. | monsieurbanana wrote: | That's not how I'd interpret it, it makes sense that if you | restart the sandbox from inside the sandbox it doesn't get | destroyed, but it doesn't seem to change anything else. If | you shutdown the sandbox from outside it would still be | destroyed. | kritr wrote: | It's enough to install software that needs restarts, but | not for use cases where you need the sandbox across host | reboots. | naikrovek wrote: | the entire point is that it doesn't persist. you don't have to | clean it up. | | if you want something to persist, you have Hyper-V. | zrg wrote: | This has been a feature since windows 10 | | https://www.howtogeek.com/399290/how-to-use-windows-10s-new-... | majkinetor wrote: | In Windows 11 you can restart it without losing data, though, | which is nice, since its so fast that it starts almost | instantly. Because of that speed, I test all the funky software | in it first, and some I run in it exclusivelly as you can | create "run in Windows Sandbox" fairly easyly and customize | what runs on startup via pwsh script. | | I would love the option for it to survive the closure though, | that would open entire new world of possibilities. It doesn't | have to compete with full HyperV setup if you open just a few | more options. | smileybarry wrote: | Yeah, I don't 100% trust the new CurseForge app for updating | World of Warcraft addons, but it's kind of necessary when you | have 10+ addons. But with some poking and a Windows Sandbox | configuration file, I can just launch it in a sandbox now and | mount the addons directory, update/install, and wipe the | sandbox. | | It's a neat Sandboxie replacement once you start playing with | mounts and startup scripts. | Dwedit wrote: | Not for Home edition though. | | You can still use a program like Sandboxie to try to sandbox an | application. ___________________________________________________________________ (page generated 2023-04-02 23:00 UTC)