
No, it isn't. It's like curl bashing in a chroot jail.

(Unless you explicitly expose ports or mount volumes or grant elevated kernel permissions.)

I can't think of a safer way of running someone else's code, can you?
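The three exceptions listed in the comment above (exposed ports, mounted volumes, elevated kernel permissions) can be checked per container from `docker inspect` JSON. This is an added example, not part of the thread; the sample data is constructed and the function names `audit_container` and `audit` are illustrative.

```python
import json

# Constructed sample shaped like `docker inspect <name>...` output (not from a real host).
SAMPLE_INSPECT = json.loads("""
[
  {"Name": "/isolated",
   "HostConfig": {"Privileged": false, "CapAdd": null, "PortBindings": {}},
   "Mounts": []},
  {"Name": "/opened-up",
   "HostConfig": {"Privileged": false, "CapAdd": ["SYS_ADMIN"],
                  "PortBindings": {"8080/tcp": [{"HostIp": "", "HostPort": "8080"}]}},
   "Mounts": [{"Type": "bind", "Source": "/var/run/docker.sock",
               "Destination": "/var/run/docker.sock", "RW": true}]}
]
""")


def audit_container(container):
    """List every way this container was opened up beyond the default isolation."""
    host = container.get("HostConfig") or {}
    findings = []

    # 1. Ports published to the host (an empty HostIp means all interfaces).
    for port, bindings in (host.get("PortBindings") or {}).items():
        for b in bindings or []:
            ip = b.get("HostIp") or "0.0.0.0"
            findings.append(f"port {port} published on {ip}:{b.get('HostPort')}")

    # 2. Volumes and bind mounts that reach outside the container filesystem.
    for m in container.get("Mounts") or []:
        mode = "rw" if m.get("RW") else "ro"
        findings.append(f"{m.get('Type')} mount {m.get('Source')} -> {m.get('Destination')} ({mode})")

    # 3. Elevated kernel permissions: --privileged or added capabilities.
    if host.get("Privileged"):
        findings.append("privileged mode")
    for cap in host.get("CapAdd") or []:
        findings.append(f"added capability {cap}")
    return findings


def audit(containers):
    """Map container name -> findings; an empty list means none of the three apply."""
    return {c["Name"].lstrip("/"): audit_container(c) for c in containers}


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_INSPECT).items():
        print(name, "->", findings or "no exceptions found")
```

To run it against a real host, replace `SAMPLE_INSPECT` with the parsed output of `docker inspect $(docker ps -q)`.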




qemu


Yep. Even full virtualization isn't truly sandboxed, but the sandbox is much tighter.

FreeBSD has jails and Solaris has zones, both of which were designed to be safe sandboxes for OS-level virtualization or "containerization" as it's called today. The consensus, as far as I can tell, is that these are pretty safe/strict, at least as far as "provide a safe environment to execute untrusted code" goes.

On Linux, resource control mechanisms like cgroups and namespaces have been co-opted to simulate secure sandboxes, but it's not the same as actually providing them.


FWIW, AWS Fargate -- which uses Docker containers as the unit of virtualization -- is now HIPAA compliant.

I can't speak with authority on Docker security, but that's a data point, from the largest cloud provider in the world.



