Containers and secure computing mode (seccomp) are lighter-weight alternatives to virtual machines (VMs) for security isolation. At Figma, we use both containers and seccomp to achieve security isolation. Container isolation happens at the operating-system level and relies on kernel features such as namespaces, cgroups, and privilege dropping; seccomp restricts the system calls a program can make. We evaluate container isolation by asking whether a malicious job can break out of the container or use the container's own permissions to cause harm. Configuration and orchestration are challenges when using containers and seccomp, and the maintenance and operational overhead should be weighed before adopting them. At Figma, we use nsjail for container-level security isolation and have explored a seccomp-only approach for certain use cases.
https://www.figma.com/blog/server-side-sandboxing-containers-and-seccomp/#j1WRe
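The following is an added example, not code from Figma's post or from nsjail, showing the mechanism behind "seccomp restricts the system calls a program can make": a seccomp-BPF allowlist is built, installed in a forked child with no_new_privs set, and the child is killed with SIGSYS the moment it makes a syscall that is not on the list. The filter layout, the `build_allowlist`/`install_filter`/`run_under_filter` helpers and the allowed lists are my own constructions; it assumes Linux on x86_64 or aarch64 with the kernel UAPI headers available, and that the environment permits installing seccomp filters.

```c
#define _GNU_SOURCE
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <signal.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constructed example: a seccomp-BPF allowlist. Only the syscall numbers
 * passed in are allowed; any other syscall kills the process, turning
 * "this job tried something unexpected" into a hard stop. */

#if defined(__x86_64__)
#define FILTER_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define FILTER_ARCH AUDIT_ARCH_AARCH64
#else
#error "this example only encodes x86_64 and aarch64"
#endif

#ifndef SECCOMP_RET_KILL_PROCESS      /* older UAPI headers: same kill semantics */
#define SECCOMP_RET_KILL_PROCESS 0x80000000U
#endif

#define MAX_INSNS 64

/* Emit the BPF program into insns[]. Returns the instruction count, or -1 if
 * cap is too small. Layout: arch check (3), load nr (1), 2 per allowed
 * syscall, final kill (1). */
int build_allowlist(struct sock_filter *insns, size_t cap,
                    const int *allowed, size_t n_allowed) {
    size_t need = 5 + 2 * n_allowed, i = 0;
    if (need > cap) return -1;
    /* Kill on any other ABI (e.g. 32-bit compat), otherwise the syscall
     * numbers compared below would mean something else entirely. */
    insns[i++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
                                              offsetof(struct seccomp_data, arch));
    insns[i++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, FILTER_ARCH, 1, 0);
    insns[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS);
    /* Load the syscall number and compare it against each allowed entry. */
    insns[i++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
                                              offsetof(struct seccomp_data, nr));
    for (size_t j = 0; j < n_allowed; j++) {
        insns[i++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K,
                                                  (unsigned)allowed[j], 0, 1);
        insns[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    }
    insns[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS);
    return (int)i;
}

/* Install the filter in the calling thread. PR_SET_NO_NEW_PRIVS is required to
 * install a filter without CAP_SYS_ADMIN and also stops a later execve from
 * regaining privileges (setuid, file capabilities). Returns 0 on success. */
int install_filter(struct sock_filter *insns, unsigned short len) {
    struct sock_fprog prog = { .len = len, .filter = insns };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) != 0) return -1;
    return 0;
}

/* Fork, install the allowlist in the child, run body(), then exit_group(0).
 * The caller's list must include SYS_exit_group or the exit itself is killed.
 * Returns: signal number if the child was killed by a signal, -exitcode if it
 * exited (0 = clean, -111 = filter install failed), -1 on fork/wait failure. */
int run_under_filter(const int *allowed, size_t n_allowed, void (*body)(void)) {
    struct sock_filter insns[MAX_INSNS];
    int len = build_allowlist(insns, MAX_INSNS, allowed, n_allowed);
    if (len < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (install_filter(insns, (unsigned short)len) != 0) _exit(111);
        body();
        syscall(SYS_exit_group, 0);   /* raw syscall: nothing else runs after the filter */
    }
    int status;
    if (waitpid(pid, &status, 0) != pid) return -1;
    if (WIFSIGNALED(status)) return WTERMSIG(status);
    if (WIFEXITED(status)) return -WEXITSTATUS(status);
    return -1;
}

/* Demo body: write() is allowed, getpid() is not, so the second call is fatal. */
static void demo_body(void) {
    static const char msg[] = "child: calling getpid(), which is not on the allowlist\n";
    syscall(SYS_write, 2, msg, sizeof msg - 1);
    syscall(SYS_getpid);                      /* filter returns KILL_PROCESS here */
    syscall(SYS_write, 2, "unreachable\n", 12);
}

int main(void) {
    const int allowed[] = { SYS_write, SYS_exit_group };
    int r = run_under_filter(allowed, 2, demo_body);
    if (r > 0) printf("parent: child killed by signal %d%s\n", r, r == SIGSYS ? " (SIGSYS)" : "");
    else printf("parent: child exited with code %d\n", -r);
    return 0;
}
```

Two details matter in practice and are easy to get wrong in a hand-written filter: the architecture check at the top (without it, a job can switch to the compat ABI and have the numbers reinterpreted), and the choice of a kill action over returning an errno, which makes any unexpected syscall visible as a SIGSYS termination the supervisor can log rather than something the job can silently retry around.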