Chapter 8. Strengthening Container Isolation

Back in Chapters 3 and 4, you saw how containers create some separation between workloads even though they are running on the same host. In this chapter, you’ll learn about some more advanced tools and techniques that can be used to strengthen the isolation between workloads.

Suppose you have two workloads and you don’t want them to be able to interfere with each other. One approach is to isolate them so that they are unaware of each other, which at a high level is really what containers and virtual machines are doing. Another approach is to limit the actions those workloads can take so that even if one workload is somehow aware of the other, it is unable to take actions to affect that workload. Isolating an application so that it has limited access to resources is known as sandboxing.

When you run an application as a container, the container acts as a convenient object for sandboxing. Every time you start a container, you know what application code is supposed to be running inside that container. If the application were to be compromised, the attacker might try to run code that is outside that application’s normal behavior. By using sandboxing mechanisms, we can limit what that code can do, restricting the attacker’s ability to affect the system. The first mechanism we’ll consider is seccomp.

Seccomp

In “System Calls”, you saw that system calls provide the interface for an application to ask the kernel to perform certain operations ...
