Toot

Written by N.E.P.T.R on 2024-12-12 at 21:33

Docker is good when combined with gVisor runtime for better isolation.

What is gVisor?

gVisor is an application kernel, written in memory-safe Golang, that emulates most system calls and massively reduces the attack surface of the kernel. This is important since the host and guest share the same kernel, and Docker runs rootful. Root inside a Docker container is the same as root on the host, as long as a sandbox escape is used. This could arise if a container image requires unsafe permissions like Docker socket access. gVisor protects against privilege escalation by only using root at the start and never handing root over to the guest.

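An added defensive check, not part of the toot above, that audits running containers for the two risks it names: a container not sandboxed by gVisor (runtime other than `runsc`) and a container that mounts the Docker socket. The `docker inspect` Go template and the `runsc` runtime name are real; the function names and the sample inspect lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): flag containers that share the
# host kernel's syscall surface (runtime != runsc) or mount the Docker socket.

# Go template for `docker inspect`: name, runtime, then mount sources joined by ';'
INSPECT_FMT='{{.Name}} {{.HostConfig.Runtime}} {{range .Mounts}}{{.Source}};{{end}}'

# Classify one inspect line. Prints one finding per risk; returns 0 when clean.
audit_line() {
    name=$1; runtime=$2; mounts=$3
    status=0
    if [ "$runtime" != "runsc" ]; then
        echo "$name: runtime '$runtime' is not gVisor (runsc); container talks to the host kernel directly"
        status=1
    fi
    case ";$mounts" in
        *"/docker.sock;"*)
            echo "$name: mounts the Docker socket; root in the container can drive the host daemon"
            status=1 ;;
    esac
    return $status
}

# Audit inspect lines read from stdin; the return value is the count of risky containers.
audit_stream() {
    risky=0
    while read -r name runtime mounts; do
        [ -n "$name" ] || continue
        audit_line "$name" "$runtime" "$mounts" || risky=$((risky + 1))
    done
    return $risky
}

# Constructed sample of inspect output (not captured from a real host):
SAMPLE='/web runsc /srv/www;
/ci runc /var/run/docker.sock;/home/ci;
/db runsc
'

# Live usage: docker ps -q | xargs docker inspect --format "$INSPECT_FMT" | audit_stream
count=0
printf '%s' "$SAMPLE" | audit_stream || count=$?
echo "risky containers: $count"
```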

Mentions

=> View foremanguy92_@lemmy.ml profile

Original URL
gemini://mastogem.picasoft.net/toot/113641992433196871