It has been a really long time since I last wrote something here; life happens, things get busier, etc. I am now trying to get back into writing things down, so here we go!
So, imagine a tool or a service that allows you to run arbitrary code via a shell, either through SSH or, more commonly, via a web terminal. How do these tools isolate your code from other people’s code and vice versa? How come you cannot see other people’s code or processes?
The first thing you are probably thinking, in 2025, is “Docker”. Each console must be running in its own container, right? Very likely you are right. That’s what I’d think too.
But if these containers all share the same operating system kernel, is that always sufficient, especially for untrusted code?
Let’s briefly revisit how standard Docker containers operate and interact with the host system.
(Image from Understanding Docker Architecture)
When you run a container (let’s say ubuntu) without any modifications or changes on a Linux host, it shares the same kernel as the host OS.
From inside the container, we are not able to see outside processes (or other resources) because of Linux namespaces.
How about the other way around? Without any extra flags, the host can typically see the processes inside the container because they all share the same kernel, and this is not inherently considered a security risk from the host’s perspective.
In the image below, notice that the sleep infinity process (PID 576337 on this host) is directly visible on the host. This is the same process we started from inside the container, now seen from the host’s perspective.
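The host-side view described above can be reproduced without the screenshot. The following is an added example, not code from the original post: it reads the NSpid field of /proc/&lt;pid&gt;/status on the host to list processes that live in a nested PID namespace, together with the PID they have inside it. The sample status text and the inner PID 7 are constructed; only host PID 576337 comes from the post.

```python
import os

# Constructed sample of /proc/<pid>/status as the host sees a containerised
# `sleep infinity`. Host PID 576337 is from the post; PPid and inner PID 7 are made up.
SAMPLE_STATUS = (
    "Name:\tsleep\n"
    "Pid:\t576337\n"
    "PPid:\t576310\n"
    "NSpid:\t576337\t7\n"
)


def parse_status(text):
    """Return (name, [PID in each nested PID namespace, outermost first])."""
    fields = dict(line.split(":", 1) for line in text.splitlines() if ":" in line)
    name = fields.get("Name", "?").strip()
    nspid = [int(p) for p in fields.get("NSpid", "").split()]
    return name, nspid


def containerised_processes(proc_root="/proc"):
    """Yield (host_pid, inner_pid, name) for processes in a nested PID namespace."""
    try:
        entries = os.listdir(proc_root)
    except OSError:  # no procfs at this path
        return
    for entry in entries:
        if not entry.isdigit():  # skip /proc/sys, /proc/self, ...
            continue
        try:
            with open(os.path.join(proc_root, entry, "status")) as fh:
                name, nspid = parse_status(fh.read())
        except OSError:  # process exited between listdir() and open()
            continue
        # More than one NSpid value means the process has a different PID
        # inside a child namespace than the one the host sees.
        if len(nspid) > 1:
            yield nspid[0], nspid[-1], name


if __name__ == "__main__":
    for host_pid, inner_pid, name in containerised_processes():
        print(f"host PID {host_pid} = PID {inner_pid} in its namespace ({name})")
```

Run on the Docker host, this prints one line per containerised process; run inside a default container, it prints nothing for host processes because the container's procfs only exposes its own PID namespace.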