
Are docker containers safe enough to run third-party untrusted containers side-by-side with production system?

We plan to allow execution of third-party micro-services code on our infrastructure interacting with our API. Is dockerizing safe enough? Are there solutions for tracking the resources (network, RAM, CPU) a container consumes?

You can install portainer.io (see its demo, password tryportainer).

But to truly isolate those third-party micro-services, you could run them in their own VM defined on your infrastructure. That VM would run a docker daemon and services. As long as the VM has access to the API, those micro-services containers will do fine, and won't lead to/have access to anything directly from the infrastructure.
You need to define/size your VM correctly to allocate enough resources for the containers to run, each one assuring its own resource isolation.

Docker (17.03) is a great tool to securely isolate processes. It uses kernel namespaces, control groups and some kernel capabilities in order to isolate processes that run in different containers.

But those processes are not 100% isolated from each other because they use the same kernel resources. Every dockerized process that makes an I/O call leaves its isolated environment for that period of time and enters a shared environment, the kernel. Although you can set limits per container, like how much processor or how much RAM it may use, you cannot set limits on all kernel resources.

You can read this article for more information.
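The per-container limits and capability controls this answer refers to, together with the usage tracking the question asks about, as an added example that is not part of the original question or either answer. The script builds a `docker run` command that applies cgroup limits (memory, CPU, PID count), drops all capabilities and makes the root filesystem read-only, and then checks lines in the shape printed by `docker stats --no-stream --format '{{.Name}} {{.CPUPerc}} {{.MemPerc}} {{.PIDs}}'` against a CPU and memory threshold. The image name, container name, network name (`third-party-net`, assumed to already exist), limit values and the sample stats lines are all illustrative:

```shell
#!/bin/sh
# Added example, not code from the original question or answers.
# hardened_run_cmd: prints a `docker run` command that applies per-container
#   resource limits (cgroups) and privilege reductions (capabilities).
# flag_hot_containers: reads lines shaped like
#   docker stats --no-stream --format '{{.Name}} {{.CPUPerc}} {{.MemPerc}} {{.PIDs}}'
#   and reports containers above a CPU or memory threshold.
# Image, container and network names and the limit values are illustrative.

hardened_run_cmd() {
    image="$1"
    name="$2"
    # cgroup limits: memory with no additional swap, half a CPU, at most 100 processes
    limits="--memory 256m --memory-swap 256m --cpus 0.5 --pids-limit 100"
    # drop every capability, forbid privilege escalation, keep the root fs immutable
    hardening="--cap-drop ALL --security-opt no-new-privileges:true --read-only --tmpfs /tmp"
    # user-defined network (assumed to exist) so the service only reaches what is attached to it
    network="--network third-party-net"
    printf '%s\n' "docker run -d --name $name $limits $hardening $network $image"
}

# Usage: flag_hot_containers CPU_THRESHOLD MEM_THRESHOLD < stats_lines
# Prints one line per container whose CPU% or MEM% exceeds its threshold.
flag_hot_containers() {
    awk -v cpu_max="$1" -v mem_max="$2" '
        {
            cpu = $2; mem = $3
            sub(/%/, "", cpu); sub(/%/, "", mem)
            if (cpu + 0 > cpu_max + 0 || mem + 0 > mem_max + 0)
                printf "%s cpu=%s mem=%s pids=%s\n", $1, cpu, mem, $4
        }'
}

# Constructed sample of `docker stats` output (not captured from a real host).
SAMPLE_STATS='svc-a 12.34% 40.00% 12
svc-b 95.10% 88.50% 97'

# Run with "demo" as the first argument to see both helpers in action.
if [ "${1:-}" = "demo" ]; then
    hardened_run_cmd alpine:3.19 svc-b
    printf '%s\n' "$SAMPLE_STATS" | flag_hot_containers 80 80
fi
```

On a live host the second helper is fed with `docker stats --no-stream --format '{{.Name}} {{.CPUPerc}} {{.MemPerc}} {{.PIDs}}' | flag_hot_containers 80 80`, which is enough to alert on a container approaching its limits; for the kernel resources that have no cgroup knob (as the answer notes), that alert is the signal to move the workload into a separate VM rather than to tune the container further.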
