
Can kata containers be used as a sandbox to run untrusted code?

Kata containers is trying to make containers secure by providing more isolation.

lightweight Virtual Machines (VMs) that feel and perform like containers, but provide the workload isolation and security advantages of VMs.

If I am building a playground/code fiddle (something like ideone), are they secure enough to compile and run untrusted code?

Is this a good/intended use for this type of containers?

Any type of workload can potentially be used by Kata Containers, just like regular containers. The idea behind them is providing the VM isolation that you don't get with regular containers. You can use Kata Containers with Docker and Kubernetes.

You can achieve a decent level of isolation with regular containers using things like seccomp, SELinux, Capabilities, and/or AppArmor but it can get quite complicated. Kata Containers offers a simpler alternative to that.
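Added example, not part of the original answer: a Kubernetes manifest that schedules a playground job onto a Kata runtime and still applies the regular container hardening mentioned above (seccomp, dropped capabilities), so the VM boundary is not the only control. The RuntimeClass name, handler name, pod name and image are assumptions; the handler must match whatever Kata handler is configured in the node's container runtime.

```yaml
# Constructed example. Values marked "assumed" are placeholders.
apiVersion: node.k8s.io/v1
kind: RuntimeClass
metadata:
  name: kata                      # assumed name
handler: kata                     # assumed: must match the handler defined in the node's CRI config
---
apiVersion: v1
kind: Pod
metadata:
  name: playground-job            # assumed name
spec:
  runtimeClassName: kata          # run this pod inside a Kata VM instead of a shared-kernel container
  automountServiceAccountToken: false   # untrusted code gets no API credentials
  restartPolicy: Never
  activeDeadlineSeconds: 30       # hard wall-clock limit for the submission
  securityContext:
    runAsNonRoot: true
    runAsUser: 65534
    seccompProfile:
      type: RuntimeDefault        # syscall filter inside the guest as a second layer
  containers:
  - name: runner
    image: registry.example/playground-runner:placeholder   # assumed image that compiles and runs the submission
    securityContext:
      allowPrivilegeEscalation: false
      readOnlyRootFilesystem: true
      capabilities:
        drop: ["ALL"]
    resources:
      limits:
        cpu: "500m"
        memory: 256Mi
    volumeMounts:
    - name: work
      mountPath: /work            # only writable path, size-capped below
  volumes:
  - name: work
    emptyDir:
      sizeLimit: 64Mi
```

Network egress is not restricted by this manifest; that needs a separate NetworkPolicy enforced by the cluster's network plugin.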

It can be used but it's not the safest method.
I guess gVisor would be a better option to be used as a sandbox.
In Container Technology, the Host Operating System can be accessed from inside a container and it's not immune to outsiders' harmful manipulations.
Same thing is true for Virtual Machines and Hypervisors or Host Operating Systems. So it's safe to assume that same issues might be true for Kata Containers and the underlying Hypervisor.
