Docker Container Sandbox
Docker Vulnerable
Docker, like most conventional container models, shares the host kernel with every container it runs: a container is a set of processes isolated by namespaces and cgroups, not a separate kernel.
A cracker who gains code execution inside a container can therefore attack the host kernel directly, and a successful privilege escalation takes over the whole host.
SELinux, seccomp and other container policies make such escalation harder, but they are not perfect.
So we need to sandbox the containers.
gVisor
gVisor is an application kernel, written in Go, that implements a substantial portion of the Linux system surface.
It includes an Open Container Initiative (OCI) runtime called runsc that provides an isolation boundary between the application and the host kernel.
The runsc runtime integrates with Docker and Kubernetes, making it simple to run sandboxed containers.
Kata Containers
Kata Containers is an open source container runtime, building lightweight virtual machines that seamlessly plug into the containers ecosystem.
Each container runs on its own guest kernel inside the VM, so a kernel compromise stays confined to that VM instead of reaching the host.
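The following script is an added example, not code from the original page or from the gVisor or Kata projects. It ties the three sections together: it registers runsc and kata-runtime as alternative runtimes in Docker's daemon.json, emits the Kubernetes RuntimeClass that maps to runsc, and checks which kernel a container actually sees under each runtime, which is the shared-kernel problem described above. The runtime binary paths (/usr/local/bin/runsc, /usr/bin/kata-runtime) and the use of the alpine image are assumptions; adjust them for your host.

```shell
#!/bin/sh
# Added example (not from the original page): register sandboxed runtimes
# with Docker and Kubernetes and show which kernel a container talks to.
# Assumed paths (not stated on the page): runsc at /usr/local/bin/runsc,
# kata-runtime at /usr/bin/kata-runtime.
set -eu

# Write a daemon.json that registers both runtimes.
# $1 = output file, $2 = runsc path, $3 = kata-runtime path.
# Docker picks this up after `systemctl restart docker`.
write_daemon_json() {
    cat > "$1" <<EOF
{
  "runtimes": {
    "runsc": { "path": "$2" },
    "kata-runtime": { "path": "$3" }
  }
}
EOF
}

# List the runtime names registered in a daemon.json, one per line.
registered_runtimes() {
    sed -n 's/^ *"\([^"]*\)": *{ *"path".*/\1/p' "$1"
}

# Write a Kubernetes RuntimeClass whose handler is runsc; a Pod selects it
# with `runtimeClassName: gvisor`. $1 = output file.
write_runtimeclass() {
    cat > "$1" <<EOF
apiVersion: node.k8s.io/v1
kind: RuntimeClass
metadata:
  name: gvisor
handler: runsc
EOF
}

# Run `uname -r` under the given runtime. With the default runc the output
# equals the host's kernel release (shared kernel); under runsc it is the
# version reported by gVisor's own application kernel; under kata-runtime
# it is the guest VM kernel. Requires docker and the runtime to be installed.
kernel_seen_by() {
    docker run --rm --runtime="$1" alpine uname -r
}

# Demo: generate the config files, then run the kernel check only if docker
# is actually available on this host.
demo() {
    cfg=$(mktemp)
    rc=$(mktemp)
    write_daemon_json "$cfg" /usr/local/bin/runsc /usr/bin/kata-runtime
    write_runtimeclass "$rc"
    echo "runtimes registered in $cfg:"
    registered_runtimes "$cfg"
    if command -v docker >/dev/null 2>&1; then
        echo "host kernel: $(uname -r)"
        for rt in runc runsc kata-runtime; do
            echo "$rt sees: $(kernel_seen_by "$rt" 2>&1 || true)"
        done
    else
        echo "docker not installed; skipping container runs"
    fi
    rm -f "$cfg" "$rc"
}

demo
```

Install the generated daemon.json as /etc/docker/daemon.json and restart the daemon, then `docker run --runtime=runsc ...` (or `--runtime=kata-runtime`) starts the container in the sandbox; the `uname -r` comparison is the quickest way to confirm that the container is no longer talking to the host kernel.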