Making Containers More Isolated: An Overview of Sandboxed Container Technologies

Currently available container-based infrastructure has a fundamental limitation: containers are not truly sandboxed, because they all share the host OS kernel. The root of the problem is the weak separation between containers that results when the host OS creates a virtualized userland for each container on top of a single shared kernel, so a kernel-level flaw reachable from one container can affect the host and every other container. This blog covers four distinct projects, from IBM, Google, Amazon, and OpenStack, that use different techniques to achieve the same goal: stronger isolation for containers. This overview of state-of-the-art work should help readers prepare for the upcoming transformation in how containers are run.