Sandboxed-Container is an alternative to the Docker runtime. Sandboxed-Container allows you to run applications in a sandboxed and lightweight virtual machine that has a dedicated kernel. This enhances resource isolation and improves security.

Sandboxed-Container is suitable for scenarios such as untrusted application isolation, fault isolation, performance isolation, and load isolation among multiple users. Sandboxed-Container provides enhanced security, has a minor impact on application performance, and offers the same user experience as Docker in terms of logging, monitoring, and elastic scaling.

Architecture of Sandboxed-Container


Features

Sandboxed-Container is a container-securing runtime that is developed by Alibaba Cloud based on sandboxed and lightweight virtual machines. Compared with Sandboxed-Container V1, Sandboxed-Container V2 maintains the same isolation performance and reduces the pod overhead by 90%. It also allows you to start sandboxed containers 3 times faster and increases the maximum number of pods that can be deployed on a host by 10 times. Sandboxed-Container V2 provides the following key features:
  • Strong isolation based on sandboxed and lightweight virtual machines.
  • Compatibility with runC in terms of application management.
  • High performance that corresponds to 90% of the performance of applications based on runC.
  • Apsara File Storage NAS (NAS) file systems, Alibaba Cloud disks, and OSS buckets can be mounted to sandboxed containers through virtio-fs. NAS file systems can also be directly mounted to sandboxed containers.
  • The same user experience as runC in terms of logging, monitoring, and storage.
  • Support for RuntimeClass (runC and runV). For more information, see RuntimeClass.
  • Ease of use with minimum technical skill requirements.
  • Higher stability compared with the open source Kata Containers runtime. For more information about Kata Containers, see Kata Containers.