I have a VM running Google's Container-Optimized OS, and I want to allow running code that users provide - each user has their own container.

This code can be malicious - I want to limit the scope of the code to just its own container.

https://cloud.google.com/container-optimized-os/docs/concepts/security

Questions

A. Does the OS add enough protections for containers to be used as a sandbox? The documentation mentions that there is added security, but it does not mention anything about how effective it is at containing malicious code within a container.

B. Can Docker volumes be used to limit the file system scope of the code running in a container? I want to use the CLI-provided docker volume to give each user a folder on disk they can write to, but I want to prevent users reading each other's data.

Any help is much appreciated. Thanks.

zino
  • In general the exploits I've read up on have been pretty clever, and get into pretty low-level details. I wouldn't expect any off-the-shelf solution short of full virtualization to sufficiently protect the host OS; and even then there have been hypervisor bugs, and things like cryptocurrency miners would probably count as "malicious" but wouldn't actively trip any security controls (they're "just" using compute cycles and making occasional outbound network connections). – David Maze Jun 02 '20 at 14:04
  • So is there no completely secure way of running user supplied code? – zino Jun 03 '20 at 22:36

0 Answers