Hacker News new | ask | show | jobs
by simonw 137 days ago
Every time I use Docker as a sandbox people warn me to watch out for "container escapes".

I trust Firecracker more because it was built by AWS specifically to sandbox Lambdas, but it doesn't work on macOS and is pretty fiddly to run on Linux.
2 comments
its-summertime 136 days ago
Outside of VM usage, the answer seems to be (on top of containerization and selinux) writing a tight seccomp filter.

Gleaned from https://github.com/containers/bubblewrap/blob/0c408e156b12dd... and https://github.com/containers/bubblewrap/tree/0c408e156b12dd...

link
OutOfHere 137 days ago
I think ChatGPT can do a much better job than I can for guiding how to safely use Docker as a sandbox: /share/69875282-1e38-8012-b627-7c0a678f9365

It's not industrial-grade safety for public use, but it'll do for personal use. Other tools for it are also mentioned.

link