Hopefully you've already thought this through and you left all of the copious complex security details of the sandboxing out of this announcement.
But just in case you haven't:
- containers don't provide the best sandboxing on their own
- if I get sufficient privilege in your container, I can read/write directly to the device nodes inside the container to impact the host
- you should also fear cryptocurrency miners burning your cycles
But, kudos to you -- this looks like a really neat feature. A quick skim of your homepage seems to suggest that sandboxing should be core to your product's success, so I'll just hope for the best. :)
Surely there is more to it than just running the code in a Docker container, right?
> Our platform uses Docker images to run the code, so you can use code snippets in virtually any technology. A lot of contributors have already made the most of our technology and have crafted playgrounds of impressive quality.
Emphasis added by me.
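An added example, not part of the comments above and not the platform's own code: a small audit of `docker inspect` output that flags the settings behind the concerns raised here (device-node exposure, kept privileges, and missing resource limits that let a miner burn cycles). The container name and sample values are constructed; the field names are those `docker inspect` emits.

```python
import json

# Constructed `docker inspect` excerpt for a hypothetical snippet-runner container.
SAMPLE = json.loads("""[{
  "Name": "/playground-runner",
  "Config": {"User": ""},
  "HostConfig": {
    "Privileged": false, "CapAdd": ["SYS_ADMIN"], "CapDrop": null,
    "Devices": [{"PathOnHost": "/dev/sda", "PathInContainer": "/dev/sda",
                 "CgroupPermissions": "rwm"}],
    "NanoCpus": 0, "CpuQuota": 0, "Memory": 0, "PidsLimit": null,
    "NetworkMode": "bridge", "SecurityOpt": null}
}]""")

NNP = {"no-new-privileges", "no-new-privileges:true", "no-new-privileges=true"}


def audit(container):
    """Return a list of findings for one object from `docker inspect` output."""
    hc = container.get("HostConfig") or {}
    user = (container.get("Config") or {}).get("User") or ""
    out = []
    # Host impact through device nodes and kept privileges
    if hc.get("Privileged"):
        out.append("privileged: host device nodes are exposed")
    for dev in hc.get("Devices") or []:
        out.append(f"device mapped: {dev['PathOnHost']} ({dev['CgroupPermissions']})")
    if hc.get("CapAdd"):
        out.append("capabilities added: " + ",".join(hc["CapAdd"]))
    if "ALL" not in [c.upper() for c in hc.get("CapDrop") or []]:
        out.append("default capabilities kept (includes CAP_MKNOD)")
    if user.split(":")[0] in ("", "0", "root"):
        out.append("process runs as root inside the container")
    if not any(o in NNP for o in hc.get("SecurityOpt") or []):
        out.append("no-new-privileges not set")
    # Cycle burning (e.g. miners): no limits means one snippet can take the host
    if not hc.get("NanoCpus") and not hc.get("CpuQuota"):
        out.append("no CPU limit")
    if not hc.get("Memory"):
        out.append("no memory limit")
    if (hc.get("PidsLimit") or 0) <= 0:
        out.append("no PID limit")
    if hc.get("NetworkMode") != "none":
        out.append("network enabled: " + str(hc.get("NetworkMode")))
    return out


if __name__ == "__main__":
    for finding in audit(SAMPLE[0]):
        print(finding)
```

Feed it real data with `docker inspect <container>` and pass each element of the resulting JSON array to `audit`.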