
We think of these as deployment abstractions that provide no security value. This is why services like Amazon’s ECS Fargate pair 1 task definition (usually a single container) to a single EC2 host for isolation.


AWS employee here! The relationship is actually one task per EC2 _instance_ (VM isolation), not one task per host. I'm sure you meant the former, but just wanted to clarify for readers.


Something I've been wondering for a while (and you may be placed to answer): is Firecracker part of the isolation story for Fargate - or is it regular EC2 instances?


Hi, I'm from the core compute engineering part of AWS.

Like most good stories, there's a beginning, middle, and end. We're in the middle now, and Fargate uses both regular EC2 instances and Firecracker in some cases.



If you use user namespaces and don't run as host root, they provide a clear security value (unless your alternative is that you use user namespaces in your program, at which point you are making your own container runtime). Docker's (and LXC's) default seccomp profile has blocked something like 95% of kernel 0days since they were added, for instance.
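The comment above hinges on two conditions: the container's uid 0 must not map to host root (user namespaces), and a seccomp filter must actually be loaded. Both are observable from inside a process via the /proc interfaces described in user_namespaces(7) and proc(5). The following is an added example, not code from the thread or from Docker/LXC; it parses `/proc/<pid>/uid_map` and the `Seccomp:` field of `/proc/<pid>/status` and reports which of the two protections is missing. The sample file contents are constructed to mirror the documented formats.

```python
"""Report whether a process has a non-root-mapped user namespace and an
active seccomp filter, from /proc/<pid>/uid_map and /proc/<pid>/status.

Added example (not from the thread). Assumes the formats documented in
user_namespaces(7) and proc(5):
  uid_map line:  "<uid inside ns> <uid outside ns> <count>"
  status field:  "Seccomp:\t<mode>"  (0=disabled, 1=strict, 2=filter)
"""
import re

# The initial (host) user namespace always shows this identity mapping.
INITIAL_NS_MAP = [(0, 0, 4294967295)]


def parse_uid_map(text):
    """Parse uid_map content into a list of (inside, outside, count) tuples."""
    mappings = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip blank or malformed lines
        mappings.append(tuple(int(p) for p in parts))
    return mappings


def in_user_namespace(uid_map_text):
    """True if the process is in a child user namespace (non-identity map)."""
    return parse_uid_map(uid_map_text) != INITIAL_NS_MAP


def maps_to_host_root(uid_map_text, inside_uid=0):
    """True if inside_uid (default: the container's uid 0) is host uid 0."""
    for inside, outside, count in parse_uid_map(uid_map_text):
        if inside <= inside_uid < inside + count:
            return outside + (inside_uid - inside) == 0
    return False  # unmapped uids resolve to the overflow uid, never root


def seccomp_mode(status_text):
    """Return the integer Seccomp mode from /proc status text, or None."""
    m = re.search(r"^Seccomp:\s*(\d+)", status_text, re.MULTILINE)
    return int(m.group(1)) if m else None


def assess(uid_map_text, status_text):
    """Return a list of findings; an empty list means both protections hold."""
    findings = []
    if not in_user_namespace(uid_map_text):
        findings.append("no user namespace: container uid 0 is host root")
    elif maps_to_host_root(uid_map_text):
        findings.append("user namespace present but uid 0 maps to host root")
    mode = seccomp_mode(status_text)
    if mode != 2:
        findings.append("no seccomp filter active (Seccomp mode %s)" % mode)
    return findings


# Constructed sample inputs (not captured from a real system).
IDENTITY_MAP = "         0          0 4294967295\n"      # default Docker, no userns-remap
REMAPPED_MAP = "         0     100000      65536\n"      # uid 0 -> host uid 100000
ROOT_CHILD_MAP = "         0          0       1000\n"    # child ns still mapping 0 -> 0
STATUS_FILTER = "Name:\tpython3\nSeccomp:\t2\nSeccomp_filters:\t1\n"
STATUS_NONE = "Name:\tpython3\nSeccomp:\t0\nSeccomp_filters:\t0\n"


def assess_self():
    """Run the checks against the calling process (Linux only)."""
    with open("/proc/self/uid_map") as f:
        uid_map = f.read()
    with open("/proc/self/status") as f:
        status = f.read()
    return assess(uid_map, status)


if __name__ == "__main__":
    for label, findings in [
        ("identity map + filter", assess(IDENTITY_MAP, STATUS_FILTER)),
        ("remapped + filter", assess(REMAPPED_MAP, STATUS_FILTER)),
        ("remapped, no seccomp", assess(REMAPPED_MAP, STATUS_NONE)),
    ]:
        print(label, "->", findings or "ok")
    try:
        print("this process ->", assess_self() or "ok")
    except OSError as e:
        print("this process -> could not read /proc:", e)
```

Run inside a container to see which of the two protections the runtime actually applied; the stock Docker configuration without `userns-remap` produces the identity map, so only the seccomp check passes, which is the distinction the comment draws.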



