[HN Gopher] Windows Sandbox
___________________________________________________________________
Windows Sandbox
Author : spansoa
Score : 109 points
Date : 2023-04-02 18:27 UTC (4 hours ago)
(HTM) web link (learn.microsoft.com)
(TXT) w3m dump (learn.microsoft.com)
| doubleorseven wrote:
| It's a great tool. We've been using it as a windows replacment
| for Linux live. I have 2 wishes from this feature. 1. Use more
| than one screen. 2. Have the ability to extend the dockerfile so
| i can preinstall software.
| nabilhat wrote:
| For (2.) I've been using wsb configs to script installs, or
| better yet map to storage that's preloaded with software that
| can be installed to an arbitrary location or is otherwise
| portable.
|
| https://techcommunity.microsoft.com/t5/itops-talk-blog/custo...
| jimbob45 wrote:
| It's a great tool but it's becoming clear that this is another
| IE6 in 2002 situation. That is, MS has a killer feature but
| can't recognize that and will let it fester until a competitor
| comes along in a decade. Real shame because even a small team
| could add some desperately needed updates.
| ape4 wrote:
| Heavy prerequisites.... At least 4 GB of RAM (8
| GB recommended) At least 1 GB of free disk space (SSD
| recommended) At least two CPU cores (four cores with
| hyperthreading recommended)
| andix wrote:
| It's fine to keep using old hardware, but with lower specs than
| that, windows 10/11 is completely unusable anyway. With such
| specs you probably want to use some lightweight Linux
| distribution, if you don't enjoy looking at the hourglass-
| cursor most of your workday...
| piperswe wrote:
| I don't think any of those are a tall ask for powerusers in
| 2023
| daveoc64 wrote:
| Those are all at or below the Windows 11 System Requirements.
| paxys wrote:
| How is any of this heavy? Every entry level laptop or desktop
| sold in the last 5 years (probably longer) will meet these
| requirements.
| dragonwriter wrote:
| 1GB of free disk space is trivial, 2 CPU cores and 4GB is the
| minimum requirement for Windows 11; so its hardly "heavy
| requirements", its basically "a relatively recent PC".
|
| Recommended is a bit more onerous, but, 8GB and 4
| hyperthreading cores isn't a lot . I've got a two-year-old
| midrange laptop (other than having a fairly nice dGPU for
| something not marketed for gaming, but that's not really really
| relevant here) and its got 16GB of RAM and 6HT cores.
| fbdab103 wrote:
| >its basically "a relatively recent PC".
|
| I would challenge recent. For a power user who would engage
| in these features, that feels like at least baseline specs
| from 10+ years ago. On a larf, I queried "dell 2012 laptop"
| and came to this review for a Dell XPS 15[0]. Probably a more
| performant laptop than the average user, but this thing has a
| quad-core with 8GB ram.
|
| [0] https://www.laptopmag.com/reviews/laptops/dell-
| xps-15-2012-r...
| temp12192021 wrote:
| With those pre-reqs, is there anything Windows Sandbox can do
| that Sandboxie can't?
|
| https://github.com/sandboxie-plus/Sandboxie
| gruez wrote:
| Hypervisor isolation. Sandboxie works at the kernel level
| which is a much larger attack surface.
| gigel82 wrote:
| It would be much more useful if you could save / restore
| checkpoints. And because it gets wiped on every reboot it means
| you can never test software that needs to restart the machine (to
| install services and whatnot).
| amluto wrote:
| > Note, however, that as of Windows 11 Build 22509, your data
| will persist through a restart initiated from inside the
| virtualized environment--useful for installing applications
| that require the OS to reboot.
| revicon wrote:
| They specially call out that files are retained during a reboot
| of the sandbox to allow for the "restart required" condition
| SeriousM wrote:
| Windows sandbox combined with winget used in setup script has a
| lot of usecases
| discreditable wrote:
| One of my favorite uses for this is creating .wsb files that
| would launch a script and install zoom/WebEx/etc so I would not
| have to install them on my PC. The video and audio worked just
| well enough for me to get away with and it was easier to screen
| share what I was doing within the container and avoid sharing
| anything extra (ex: notifications).
| thomasmarton wrote:
| This is basically Microsoft's big chance to create Docker for
| windows. Prebaked images on top of this lightweight layer and
| shared folders which are already supported.
|
| I'd love to see this happen on environments where you need
| Windows, but you still want the ease of deployment feature of
| Docker
| fbdab103 wrote:
| This feels like an opportunity for Microsoft to start finally
| cutting out legacy cruft. Guarantee a 100% pre-Windows 12
| seamless emulation layer. Once that is established, it becomes
| more possible to port to ARM, RISC, or make foundational
| breaking API changes that have been desired for decades.
| Dwedit wrote:
| Then watch as people reject the new APIs and continue to
| develop for that emulation layer.
| Dalewyn wrote:
| Win32: "I have slain many a challenger; you won't be the
| last."
| naikrovek wrote:
| yep, and they'll complain the entire time saying Microsoft
| never does anything new.
|
| this has happened a couple times, really.
| danjc wrote:
| It's beyond an equivalent to a Docker container because it
| includes kernel isolation. This is a security distinction that
| isn't well understood.
| vetinari wrote:
| It is a different thing.
|
| They point of containers is that they do share the same
| kernel, and that each container is just a different
| namespace.
|
| If each entity has a different kernel, they are VMs. VMs can
| be also pretty thin and have shared immutable store for their
| base image, but they are not containers anymore. Similarly,
| Xen DOM-Us are also VMs.
| kritr wrote:
| At least on Windows, Hyper-V isolated containers are also a
| supported feature, which should also ensure kernel isolation.
| I assume Kata containers or any other virtualization backed
| solution would give you similar guarantees.
| andix wrote:
| Windows containers for docker exist for a long time already,
| they are even compatible with k8s. And they are just a mess.
| Windows is not really a suitable platform for containerized
| apps.
|
| If you want a sandboxed App environment for windows, there are
| the UWP/Store apps, which are also not that great.
|
| I have the feeling that Microsoft kind of gave up on windows
| and is trying to move everything into the cloud and the
| browser.
| riffic wrote:
| they should give up on windows too.
| andix wrote:
| I think that's what they are doing. Most new sever side
| products they release have first class Linux support. And
| most new desktop applications are web based. Also Edge is
| supported on Linux.
| pjmlp wrote:
| Azure runs on Windows.
|
| https://techcommunity.microsoft.com/t5/windows-os-
| platform-b...
| andix wrote:
| Those are probably hyper-v hosts. Yes it is Windows, but
| it's mostly a virtualization platform for running VMs.
| pjmlp wrote:
| It doesn't matter, it is a Windows flavour still.
| jonick wrote:
| And Linux - every Azure blade has an embedded ARM SoC
| running a hardened Linux with various daemons that
| interface with both the Azure backend and the Windows
| host, control offloading of network and storage
| processing to the FPGA, and other tasks.
| 908B64B197 wrote:
| And give up their internal expertize with the stack?
| riffic wrote:
| Docker and containerization is something that already exists
| for the Windows kernel though.
|
| https://learn.microsoft.com/en-us/virtualization/windowscont...
| capableweb wrote:
| Except Docker containers doesn't actually run on Windows as
| they do on Linux (Linux containers that is, I don't know how
| Windows containers does it). What Docker Desktop does is
| creating a WSL VM for running your containers, which is
| basically what everyone did before as well (on both macOS and
| Windows), but with a easier setup.
| kritr wrote:
| Docker does support launching Windows containers both local
| and Hyper-V backed. Windows has a feature called Silos
| which allows linux style isolation.
| n8cpdx wrote:
| Windows Containers are a Windows-native container solution.
| No Linux kernel need be involved. This lives alongside
| Linux VM-based containers in Docker Desktop. Obviously you
| can only run Windows-based images, which confuses people
| that think Containers=linux. I think BSD has a similar
| concept as well. https://wiki.freebsd.org/Docker
| capableweb wrote:
| Yeah, that's what I would have guessed. Fortunately
| (unfortunately for some?), most containers are Linux-
| based, both for deployment and development purposes.
| paxys wrote:
| Running Hyper-V under the hood I imagine? The description makes
| it seem like this is targeted towards professional use cases (for
| example excluding it from Windows Home editions), but I'd like to
| see a future where every application installed on your computer
| gets such a sandbox by default.
| vodou wrote:
| Windows Sandbox, together with WSL, have liberated me from
| VirtualBox/VMware Workstation. So thankful for that. Now I only
| wait for native USB support in WSL.
| eidorb wrote:
| This is useful on the USB support front:
| https://learn.microsoft.com/en-us/windows/wsl/connect-usb
| lhoff wrote:
| In case you don't know about it, there is good workaround based
| on USB over IP that is officially recommended by MS.
|
| I used it a while ago to flash a ESP32 and to connect a Zigbee
| Adapter to a Linux container. Had no issues with it.
|
| https://learn.microsoft.com/en-us/windows/wsl/connect-usb
| risho wrote:
| It would be nice if there was a way to persist this. There are
| instances where you want to have either a clean environment to
| work in or you want to isolate something from your primary
| machine but you also don't want it to just get destroyed when you
| are done. Maybe this is a feature of this and I'm just not
| understanding it properly.
| jmkni wrote:
| Isn't that just a virtual machine?
| Dalewyn wrote:
| In fairness, setting up and maintaining a virtual machine
| might as well be too much upkeep for the common user.
|
| On the other hand, if a user knows what a "sandbox" is (no,
| not the playground box of sand) they aren't a common user.
| risho wrote:
| This seems to run more seamlessly than a virtual machine.
| Plus I think this supports hardware acceleration and stuff
| natively.
| kritr wrote:
| It is a Hyper-V backed VA backed VM. It shared memory with
| the host in the same fashion that WSL does, as opposed to
| carving out physical memory. We have some additional
| optimizations to make it snappier than running a full vm.
| petra wrote:
| It uses hardware-isolation which i think is more secure.
| Operyl wrote:
| That's what most VM Hypervisor technology already does.
| asabla wrote:
| For instances were I want to have a more persisted state I
| would create a Sandbox file (with file extension .wsb) which
| just runs a setup script when the environment starts.
|
| So basically what you would do with a provisioning script when
| using VM's.
|
| You can find more about it here:
| https://learn.microsoft.com/en-us/windows/security/threat-pr...
| xuhu wrote:
| As someone noted, running `restart` in the sandbox sounds like
| it results in Windows preserving the sandbox.
| JonathonW wrote:
| The sandbox persists through a restart (to allow for the
| installation of software that requires a reboot) but never
| persists after Windows Sandbox is closed.
|
| That's the big distinction from Hyper-V or other
| virtualization products; otherwise, it's just a Hyper-V VM
| with a prebaked Windows image and fewer options.
| monsieurbanana wrote:
| That's not how I'd interpret it, it makes sense that if you
| restart the sandbox from inside the sandbox it doesn't get
| destroyed, but it doesn't seem to change anything else. If
| you shutdown the sandbox from outside it would still be
| destroyed.
| kritr wrote:
| It's enough to install software that needs restarts, but
| not for use cases where you need the sandbox across host
| reboots.
| naikrovek wrote:
| the entire point is that it doesn't persist. you don't have to
| clean it up.
|
| if you want something to persist, you have Hyper-V.
| zrg wrote:
| This has been a feature since windows 10
|
| https://www.howtogeek.com/399290/how-to-use-windows-10s-new-...
| majkinetor wrote:
| In Windows 11 you can restart it without losing data, though,
| which is nice, since its so fast that it starts almost
| instantly. Because of that speed, I test all the funky software
| in it first, and some I run in it exclusivelly as you can
| create "run in Windows Sandbox" fairly easyly and customize
| what runs on startup via pwsh script.
|
| I would love the option for it to survive the closure though,
| that would open entire new world of possibilities. It doesn't
| have to compete with full HyperV setup if you open just a few
| more options.
| smileybarry wrote:
| Yeah, I don't 100% trust the new CurseForge app for updating
| World of Warcraft addons, but it's kind of necessary when you
| have 10+ addons. But with some poking and a Windows Sandbox
| configuration file, I can just launch it in a sandbox now and
| mount the addons directory, update/install, and wipe the
| sandbox.
|
| It's a neat Sandboxie replacement once you start playing with
| mounts and startup scripts.
| Dwedit wrote:
| Not for Home edition though.
|
| You can still use a program like Sandboxie to try to sandbox an
| application.
___________________________________________________________________
(page generated 2023-04-02 23:00 UTC)