Sandboxed-Container is an alternative to the Docker runtime. Sandboxed-Container allows you to run applications in a sandboxed and lightweight virtual machine that has a dedicated kernel. This enhances resource isolation and improves security.
Sandboxed-Container is suitable in scenarios such as untrusted application isolation, fault isolation, performance isolation, and load isolation among multiple users. Sandboxed-Container provides enhanced security, has minor impacts on application performance, and offers the same user experience as Docker in terms of logging, monitoring, and elastic scaling.
Architecture
Features
Sandboxed-Container is container-securing runtime that is developed by Alibaba Cloud based on sandboxed and lightweight virtual machines. Compared with Sandboxed-Container V1, Sandboxed-Container V2 maintains the same isolation performance and reduces the pod overhead by 90%. It also allows you to start sandboxed containers 3 times faster and increases the maximum number of pods that can be deployed on a host by 10 times. Sandboxed-Container V2 provides the following key features:
Strong isolation based on sandboxed and lightweight virtual machines.
Compatibility with runC in terms of application management.
High performance that corresponds to 90% the performance of applications based on runC.
File Storage NAS (NAS) file systems, Alibaba Cloud disks, and OSS buckets can be mounted to sandboxed containers through virtio-fs. NAS file systems can also be directly mounted to sandboxed containers.
The same user experience as runC in terms of logging, monitoring, and storage.
Support for RuntimeClass (runC and runV). For more information, see RuntimeClass.
Ease of use with minimum technical skill requirements.
Higher stability compared with the open source Kata Containers runtime. For more information about Kata Containers, see Kata Containers.