Best container runtime for process isolation / security?

Question

I'm currently considering a project where containers could be used to quickly spin up resources. Trick is, one user would "own" one container, meaning that isolation between containers and isolation between the host/container is important.Most runtimes I've looked at, don't really offer anything in terms of security isolation, and also don't make a lot of guarantees. Seems I'll end up using VMs so I can get proper isolation.But maybe I've missed something, and you people here know any good solution for this.Point is to have fast startup time of the container/VM and also good isolation between the containers/VMs themselves, and between the container/host.This is all supposed to run on self-hosted infrastructure and without Kubernetes et all, so Lambda and all "container-as-a-service" things are N/A

gtirloni · Accepted Answer

Looks like you want this: https://firecracker-microvm.github.io/

kasey_junk · Answer

I&rsquo;m not making a claim about its quality but gvisor is another isolation focused runtime https://github.com/google/gvisor

helixc · Answer

Exactly what I'm looking for. Waiting for more insights.

yamellasmallela · Answer

firecracker is probably what you need that literally runs lambdagvisor is also good for pure container runtimes

Best container runtime for process isolation / security?

Looks like you want this: https://firecracker-microvm.github.io/

I’m not making a claim about its quality but gvisor is another isolation focused runtime https://github.com/google/gvisor

Exactly what I'm looking for. Waiting for more insights.

firecracker is probably what you need that literally runs lambda
gvisor is also good for pure container runtimes