// === BYOB PATH ===
await blocking.writer.write(chunk3); // waits until consumer reads
Container egress filtering uses nftables rules inside the container. A root process with cap_net_admin could bypass these rules. The pixel user has restricted sudo that only permits safe-apt, dpkg-query, systemctl, journalctl, and nft list.