Comment by ushakov
9 hours ago
both Docker and bubblewrap are not secure sandboxes. the only way to have actually isolated sandboxes is by using VMs
disclaimer: i work on secure sandboxes at E2B
9 hours ago
both Docker and bubblewrap are not secure sandboxes. the only way to have actually isolated sandboxes is by using VMs
disclaimer: i work on secure sandboxes at E2B
What about cgroups? I know they are not exactly analogous, but to me that seems like a pretty decent solution.
No disagreement from me. From the article:
> Bubblewrap and Docker are not hardened security isolation mechanisms, but that's okay with me.
Edit to add: my understanding is the major flaw in this approach is potential bugs in Linux kernel that would allow sandbox escape. Would appreciate your insight if there are some easier/more probable attack vectors.
Do you have more information on how to set up such VMs?
for personal use, many ways: Vargant, Docker Sandbox, NixOS VMs, Lima, OrbStack.
if you want multi-tenant: E2B (open-source, self-hosted)
Hashicorp has mostly abandoned Vagrant, so I'd avoid it.