Open sr229 opened 4 years ago
Thanks @sr229 for the feedback.
We currently force non-root containers for security reasons. See https://engineering.bitnami.com/articles/running-non-root-containers-on-openshift.html. We'd like to allow root containers if they can give the same level of security. Unfortunately, with today's technology, we had to choose only one between security and allowing root containers. And we think providing an enterprise level of security benefits users more.
Please share with us if you have a great solution for this!
I think Kata Containers as an isolation solution would have done the job of what Dedicated would be doing, since it should allow root access to a container but completely isolates the damage to that specific container only, IMO. This would allow fine-grained resource constraints the same as gVisor-backed containers do as well.
We researched Kata Containers a little bit and it looks promising. However, there are a few things that make it difficult to adopt it right now. We'll continue to evaluate this and more technologies to remove the non-root container restriction.
Thanks @sr229 for the suggestion!
Another thing to note is Kata Containers has an AWS Firecracker backend you can use (which is used at AWS in production), so Kata Containers has been production-proven.
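As an added illustration (not from this thread or from any project mentioned in it), here is what the two options under discussion look like as Kubernetes manifests: a pod pinned to non-root through its securityContext, and the same workload placed under a Kata Containers RuntimeClass so that root inside the container is confined to the sandbox VM. The image name and the RuntimeClass handler name `kata` are assumptions.

```yaml
# Added illustration, not from the thread. Assumes a cluster with Kata
# Containers installed and a handler registered under the name "kata"
# (assumption; the handler name depends on how Kata was installed).

# 1) The restriction the maintainers describe: the kubelet refuses to start
#    the container if its process would run as UID 0.
apiVersion: v1
kind: Pod
metadata:
  name: workspace-nonroot
spec:
  securityContext:
    runAsNonRoot: true            # reject any image that runs as root
    runAsUser: 1001               # Bitnami-style unprivileged image user
    seccompProfile:
      type: RuntimeDefault
  containers:
    - name: workspace
      image: example/workspace:latest   # placeholder image name
      securityContext:
        allowPrivilegeEscalation: false # setuid binaries such as sudo cannot gain privilege
        capabilities:
          drop: ["ALL"]
---
# 2) The alternative sr229 proposes: run the pod in a Kata Containers VM
#    sandbox, so root inside the container is root of a guest kernel only.
apiVersion: node.k8s.io/v1
kind: RuntimeClass
metadata:
  name: kata
handler: kata                     # assumption: handler name from the Kata install
---
apiVersion: v1
kind: Pod
metadata:
  name: workspace-kata
spec:
  runtimeClassName: kata          # schedule onto the Kata sandbox runtime
  containers:
    - name: workspace
      image: example/workspace:latest   # placeholder image name
      securityContext:
        runAsUser: 0              # root inside the sandbox VM, not on the node
        allowPrivilegeEscalation: false
```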
Apparently sandboxed containers do not grant sudo, which is required by containers like Cloud9 and VSCode. I, as a developer, would expect these stacks to just work out of the box like a real machine, and apparently the gVisor containers don't allow that.