Our great sponsors
-
Moby
The Moby Project - a collaborative project for the container ecosystem to assemble container-based systems
-
-
InfluxDB
Power Real-Time Data Analytics at Scale. Get real-time insights from all types of time series data with InfluxDB. Ingest, query, and analyze billions of data points in real-time with unbounded cardinality.
-
unikraft
A next-generation cloud native kernel designed to unlock best-in-class performance, security primitives and efficiency savings.
-
-
Docker by default also applies a seccomp system call whitelist per [1] and restricts capabilities per [2], amongst numerous other default hardening practices that are applied. If a Docker container really had a need to call the "reboot" system call, this permission could be explicitly added.
More complex sandboxing techniques include opening handles for sockets, pipes, files, etc and then hardening seccomp filters on top to prevent any new handles being opened. In this way, some containers can read/write defined files on a volume without having any ability to otherwise interact with file systems such as opening new files (all file system related system calls could be disabled).
[1] https://github.com/moby/moby/blob/master/profiles/seccomp/de...
[2] https://docs.docker.com/engine/security/#linux-kernel-capabi...
Lots of examples without the entire OS as other comments mention, an example would be Googles distroless[0]
[0]: https://github.com/GoogleContainerTools/distroless
unikernel is not the same microkernel.
I've found these after some quick googling:
https://unikraft.org/
Related posts
- Building a unikernel that runs WebAssembly – part 1
- Kolibri OS: fits on a floppy disk, programmed using interrupts
- Mirage – A programming framework for building type-safe, modular systems
- A kernel designed to run only one application in a virtualized environment
- Applications available in unikernels?