-
Docker by default also applies a seccomp system call whitelist per [1] and restricts capabilities per [2], amongst numerous other default hardening practices that are applied. If a Docker container really had a need to call the "reboot" system call, this permission could be explicitly added.
More complex sandboxing techniques include opening handles for sockets, pipes, files, etc., and then hardening seccomp filters on top to prevent any new handles from being opened. In this way, some containers can read/write defined files on a volume without having any ability to otherwise interact with file systems, such as opening new files (all file system related system calls could be disabled).
[1] https://github.com/moby/moby/blob/master/profiles/seccomp/de...
[2] https://docs.docker.com/engine/security/#linux-kernel-capabi...
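The two patterns in the comment above, adding one explicitly needed syscall to the allow list and stripping every syscall that can create a new handle, both come down to editing a Docker-style seccomp profile. The following is an added example, not code from the Moby project: a small Python script that manipulates a profile in the same JSON schema Docker consumes (`defaultAction`, `architectures`, `syscalls[].names`, `syscalls[].action`). `BASE_PROFILE` is a constructed, deliberately tiny stand-in for Docker's real default profile, and `NEW_HANDLE_SYSCALLS` is my own list of fd-creating syscalls, not something the page or Docker defines.

```python
import copy
import json

# Constructed stand-in for Docker's default profile. The real default.json in
# moby/profiles/seccomp is far longer (per-architecture and per-capability
# rules), but it uses the same shape: deny by default, explicit allow list.
BASE_PROFILE = {
    "defaultAction": "SCMP_ACT_ERRNO",
    "defaultErrnoRet": 1,  # EPERM returned to the caller instead of a kill
    "architectures": ["SCMP_ARCH_X86_64", "SCMP_ARCH_X86", "SCMP_ARCH_X32"],
    "syscalls": [
        {
            "names": [
                "read", "write", "close", "fstat", "lseek", "mmap", "munmap",
                "exit_group", "open", "openat", "openat2", "creat",
                "socket", "pipe2", "accept4",
            ],
            "action": "SCMP_ACT_ALLOW",
        }
    ],
}

# Assumed list (my own, not from the page): syscalls whose successful return
# hands the process a *new* file descriptor. Blocking these after the process
# has opened everything it needs pins it to the handles it already holds.
NEW_HANDLE_SYSCALLS = frozenset({
    "open", "openat", "openat2", "creat", "socket", "socketpair",
    "pipe", "pipe2", "accept", "accept4", "dup", "dup2", "dup3",
    "memfd_create", "eventfd", "eventfd2", "timerfd_create", "epoll_create",
    "epoll_create1", "inotify_init", "inotify_init1", "signalfd", "signalfd4",
})


def allowed_syscalls(profile):
    """Set of syscall names the profile explicitly allows."""
    names = set()
    for rule in profile["syscalls"]:
        if rule.get("action") == "SCMP_ACT_ALLOW":
            names.update(rule["names"])
    return names


def allow_syscalls(profile, names):
    """Copy of profile with extra syscalls allowed (the 'reboot' case)."""
    new = copy.deepcopy(profile)
    new["syscalls"].append({"names": sorted(set(names)),
                            "action": "SCMP_ACT_ALLOW"})
    return new


def deny_new_handles(profile):
    """Copy of profile with every fd-creating syscall dropped from allow rules.

    Dropped names fall through to defaultAction (SCMP_ACT_ERRNO here), so the
    sandboxed process keeps working on descriptors it already holds but gets
    EPERM on any attempt to obtain a new one.
    """
    new = copy.deepcopy(profile)
    kept = []
    for rule in new["syscalls"]:
        if rule.get("action") != "SCMP_ACT_ALLOW":
            kept.append(rule)
            continue
        rule["names"] = [n for n in rule["names"] if n not in NEW_HANDLE_SYSCALLS]
        if rule["names"]:  # drop rules that became empty
            kept.append(rule)
    new["syscalls"] = kept
    return new


def write_profile(profile, path):
    """Serialise a profile the way `docker run --security-opt seccomp=<path>` expects."""
    with open(path, "w") as fh:
        json.dump(profile, fh, indent=2)


if __name__ == "__main__":
    # Case 1: a container that legitimately needs reboot(2).
    with_reboot = allow_syscalls(BASE_PROFILE, ["reboot"])
    write_profile(with_reboot, "seccomp-with-reboot.json")
    # Case 2: handles are opened up front, so forbid creating any new ones.
    pinned = deny_new_handles(BASE_PROFILE)
    write_profile(pinned, "seccomp-no-new-handles.json")
    print("reboot allowed:", "reboot" in allowed_syscalls(with_reboot))
    print("openat still allowed after pinning:", "openat" in allowed_syscalls(pinned))
```

Two caveats worth keeping in mind when using output like this. Allowing `reboot` in the seccomp profile is not sufficient on its own: the kernel also requires `CAP_SYS_BOOT`, which Docker drops by default, so the capability would have to be granted as well (`--cap-add`). And Docker installs the seccomp filter before it execs the container's entrypoint, so a profile that denies `openat` at container start will also stop the dynamic loader from opening shared libraries; the "open handles first, then lock down" pattern is therefore usually applied by the process itself (via libseccomp or a similar wrapper) once setup is finished, with Docker's profile providing the coarser outer layer.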
-
-
Lots of examples without the entire OS, as other comments mention; an example would be Google's distroless[0].
[0]: https://github.com/GoogleContainerTools/distroless
-
A unikernel is not the same as a microkernel.
I've found these after some quick googling:
https://unikraft.org/
-