11Ara
Docker as a sandbox for untrusted code
I have created a web application that among other things allows users to write, compile and execute code (Java, C#). The application creates a Docker container for every user where compilation and code execution takes place. I have taken the following measures to secure the container:
- This container has no persistent or shared data.
- It does not have access to the docker API (which is secured with TLS).
- There is no information within the container the user shouldn't know about.
- The user will not be aware that the compiler is within a container.
Can I consider this container safe to run untrusted code in? Are there any known ways to affect the host machine from within the container in a configuration like this?