
Investigate Ways to Security-Harden the Docker Container #107

Open
MarkKoz opened this issue Apr 8, 2021 · 2 comments
Labels
area: CI Related to continuous integration and deployment priority: 3 - low status: planning Discussing details type: feature New feature or request

Comments

@MarkKoz
Member

MarkKoz commented Apr 8, 2021

While Docker's defaults are supposedly pretty good, maybe we could do better. Specific areas of focus are likely seccomp and capabilities. @Akarys42 brought up a whitepaper, which, while relatively old, may still offer some insights.

gvisor also sounds great, but it's unclear whether it implements the kernel features necessary for nsjail to work. Furthermore, even if it could, our deployment environment currently doesn't support it. According to @jb3, it specifically needs support for containerd.

The biggest pain point is that snekbox needs to create parent cgroups for nsjail and therefore requires running the container in privileged mode. I've investigated ways to avoid this in the past, but was unsuccessful in finding any alternatives.

@MarkKoz MarkKoz added type: feature New feature or request status: planning Discussing details area: CI Related to continuous integration and deployment priority: 3 - low labels Apr 8, 2021
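The comment above names the two levers (seccomp and capabilities) and the pain point (`--privileged`, needed for cgroup creation). The script below is an added example, not snekbox's own code, that models what a `docker run` hardening configuration actually yields: the capability set that `--cap-drop`/`--cap-add` produce, and the action a Docker-format seccomp profile takes for a given syscall once its `includes`/`excludes` capability conditions are evaluated. It assumes Docker's documented default capability list and the Docker seccomp JSON shape; `SAMPLE_PROFILE` is a constructed miniature, not Docker's real default profile, and `--privileged` is modelled as "all capabilities, seccomp not applied".

```python
"""Model the capability and seccomp outcome of a docker run configuration.

Added example for this issue; not snekbox's code. Assumptions: DOCKER_DEFAULT_CAPS
is Docker's documented default bounding set, the profile format follows Docker's
seccomp JSON (defaultAction / syscalls[].names / action / includes.caps /
excludes.caps), and SAMPLE_PROFILE is constructed for illustration only.
"""
import json

# Docker's default capability set for unprivileged containers (assumption:
# as documented by Docker at the time of writing).
DOCKER_DEFAULT_CAPS = frozenset({
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_FSETID", "CAP_FOWNER", "CAP_MKNOD",
    "CAP_NET_RAW", "CAP_SETGID", "CAP_SETUID", "CAP_SETFCAP", "CAP_SETPCAP",
    "CAP_NET_BIND_SERVICE", "CAP_SYS_CHROOT", "CAP_KILL", "CAP_AUDIT_WRITE",
})

# Sentinel for "every capability", which is what --privileged grants.
ALL_CAPS = frozenset({"ALL"})

# Constructed miniature profile. Rules gated on capabilities mirror the way
# Docker's real default profile ties syscalls such as mount to CAP_SYS_ADMIN.
SAMPLE_PROFILE = json.loads("""
{
  "defaultAction": "SCMP_ACT_ERRNO",
  "syscalls": [
    {"names": ["read", "write", "exit_group"], "action": "SCMP_ACT_ALLOW"},
    {"names": ["clone"], "action": "SCMP_ACT_ALLOW",
     "excludes": {"caps": ["CAP_SYS_ADMIN"]}},
    {"names": ["ptrace"], "action": "SCMP_ACT_ALLOW",
     "includes": {"caps": ["CAP_SYS_PTRACE"]}},
    {"names": ["mount", "umount2"], "action": "SCMP_ACT_ALLOW",
     "includes": {"caps": ["CAP_SYS_ADMIN"]}},
    {"names": ["chroot"], "action": "SCMP_ACT_ALLOW",
     "includes": {"caps": ["CAP_SYS_CHROOT"]}}
  ]
}
""")


def _norm(cap):
    """Accept both NET_RAW and CAP_NET_RAW spellings, as the docker CLI does."""
    cap = cap.upper()
    return cap if cap == "ALL" or cap.startswith("CAP_") else "CAP_" + cap


def effective_caps(cap_drop=(), cap_add=(), privileged=False):
    """Capability bounding set the container ends up with.

    Named --cap-add entries win over named --cap-drop entries, and
    --cap-drop ALL empties the default set before adds are applied.
    """
    if privileged:
        return ALL_CAPS
    drop = {_norm(c) for c in cap_drop}
    add = {_norm(c) for c in cap_add}
    if "ALL" in add:
        raise ValueError("--cap-add ALL is not modelled here (assumption)")
    base = set() if "ALL" in drop else set(DOCKER_DEFAULT_CAPS)
    return frozenset((base - drop) | add)


def seccomp_action(profile, syscall, caps):
    """Action a Docker-format profile takes for one syscall.

    A rule with includes.caps applies only if the container holds one of those
    capabilities; a rule with excludes.caps is skipped if it holds any of them.
    Arch and minKernel conditions are ignored (assumption). A None profile
    means seccomp=unconfined, and --privileged disables the profile entirely.
    """
    if profile is None or caps == ALL_CAPS:
        return "SCMP_ACT_ALLOW"
    for rule in profile.get("syscalls", []):
        if syscall not in rule.get("names", []):
            continue
        inc = set(rule.get("includes", {}).get("caps", []))
        exc = set(rule.get("excludes", {}).get("caps", []))
        if inc and not inc & caps:
            continue
        if exc & caps:
            continue
        return rule["action"]
    return profile["defaultAction"]


def audit(profile, caps, syscalls):
    """Map each syscall of interest to the action it would receive."""
    return {name: seccomp_action(profile, name, caps) for name in syscalls}


if __name__ == "__main__":
    probes = ["read", "clone", "chroot", "mount", "ptrace"]
    configs = {
        "docker defaults": effective_caps(),
        "--cap-drop ALL": effective_caps(cap_drop=["ALL"]),
        "--cap-drop ALL --cap-add SYS_CHROOT": effective_caps(["ALL"], ["SYS_CHROOT"]),
        "--privileged": effective_caps(privileged=True),
    }
    for label, caps in configs.items():
        print(f"{label}: {sorted(caps)}")
        for name, action in audit(SAMPLE_PROFILE, caps, probes).items():
            print(f"  {name:8s} {action}")
```

The useful reading of the output is the last configuration: because `--privileged` both grants every capability and switches the seccomp profile off, none of the seccomp or capability work pays off until the cgroup requirement that forces it is removed, which is why the third paragraph of the comment is the real blocker.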
@jb3
Member

jb3 commented Apr 8, 2021

Re: gVisor.

The limitations for gVisor mean that we would likely have to subject the entire snekbox deployment to gVisor filters, since the Kubernetes guide [1] is for placing entire pods into the gVisor realm.

As of now, they only provide instructions for running with containerd, and even then it's unclear whether this would be compatible with the managed Kubernetes instances hosted by Linode (as of now it's unclear whether Linode will switch to containerd or CRI-O for subsequent Kubernetes versions, and even if it is the former then switching to the gVisor shim probably won't be possible.)

I'll keep my eyes peeled on this area though.

[1] https://gvisor.dev/docs/user_guide/quick_start/kubernetes/

@MarkKoz
Member Author

MarkKoz commented Dec 22, 2021

https://github.com/python-discord/snekbox-deploy has scripts to deploy Snekbox onto a Debian VM. It was originally created because we thought that #126 could only be fixed by using --cgroupns host, which is not configurable on our managed k8s cluster. While a proper fix has been found for that issue, there may still be merit to using these scripts to move away from k8s. It could let us finally use gVisor.
