-
-
Notifications
You must be signed in to change notification settings - Fork 38
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Investigate Ways to Security-Harden the Docker Container #107
Comments
Re: gVisor. The limitations for gVisor means that we would likely have to subject the entire snekbox deployment to gVisor filters, since the Kubernetes guide[1] is for placing entire pods into the gVisor realm. As of now, they only provide instructions for running with I'll keep my eyes peeled on this area though. [1] https://gvisor.dev/docs/user_guide/quick_start/kubernetes/ |
https://github.com/python-discord/snekbox-deploy has scripts to deploy Snekbox onto a Debian VM. It was originally created because we thought that #126 could only be fixed by using |
While Docker's defaults are supposedly pretty good, maybe we could do better. Specific areas of focus are likely seccomp and capabilities. @Akarys42 borugh up a whitepaper, which, while relatively old, may still offer some insights.
gvisor also sounds great, but it's unclear whether it implements the kernel features necessary for nsjail to work. Furthermore, even if it could, our deployment environment currently doesn't support it. According to @jb3, it specifically needs support for
containerd
.The biggest pain point is that snekbox needs to create parent cgroups for nsjail and therefore requires running the container in privileged mode. I've investigated ways to avoid this in the past, but was unsuccessful in finding any alternatives.
The text was updated successfully, but these errors were encountered: