There are a couple of different aspects to your question and different options for each. Using standard Docker tech, a container is just a process running on the host, with Linux features applied to restrict what it can do.
- Filesystem Access - By default, a Docker container has no access to any filesystem outside of the container. You can mount folders inside the container (with the `-v` switch) but that's optional. The container filesystem is on the host though, so it always needs some level of access.
- Network Access - If you want a container not to access the network at all, just use `--net=none`. This will mean it has no network interface apart from `lo` for loopback traffic within the container.
There are some risks here. If a container is malicious and there is a vulnerability in the Linux kernel running on the host, the contained process might be able to break out to the underlying host (like any other software there is always the possibility of vulnerabilities).
If you want to run things like containers, with a smaller attack surface than the Linux kernel, there are a couple of options:
- gVisor - This is a container sandbox developed by Google. They use it for some of their own Container as a Service options. It's designed to isolate containers from the underlying host.
- firecracker - Firecracker from AWS essentially puts each container inside its own virtual machine, making it less likely for a contained process to be able to affect the underlying host.
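As an added example (not part of the original answer), here is a small POSIX shell script that starts a container with no bind mounts and `--net=none`, then checks from inside it that `lo` is the only interface. It assumes the Docker CLI is installed; `SANDBOX_RUNTIME` is a made-up variable for optionally selecting an alternative runtime such as gVisor's `runsc`, and `alpine` is just a placeholder image.

```shell
#!/bin/sh
# Added example; not from the original answer. Assumes the Docker CLI.

# Start a container with no host filesystem mounted (no -v flags) and no
# network interface other than loopback (--net=none). SANDBOX_RUNTIME is an
# assumed, optional variable: set it to e.g. runsc to use gVisor instead of
# the default runc.
run_isolated() {
    image="$1"; shift
    docker run --rm --net=none ${SANDBOX_RUNTIME:+--runtime="$SANDBOX_RUNTIME"} \
        "$image" "$@"
}

# Parse `ip link` output and succeed only if loopback is the sole interface.
# Interface lines look like "1: lo: <LOOPBACK,UP,LOWER_UP> ..." or
# "2: eth0@if7: <BROADCAST,...>"; indented continuation lines are skipped.
only_loopback() {
    ifaces=$(printf '%s\n' "$1" \
        | awk -F': ' '/^[0-9]+: / { print $2 }' \
        | sed 's/@.*//')
    [ -n "$ifaces" ] && [ "$ifaces" = "lo" ]
}

# Run `ip link` inside a network-less container and verify the result.
verify_no_network() {
    out=$(run_isolated "$1" ip link) || return 1
    only_loopback "$out"
}

# Usage (skipped when docker is not installed); alpine is a placeholder image.
if command -v docker >/dev/null 2>&1; then
    if verify_no_network alpine; then
        echo "container has loopback only"
    else
        echo "unexpected interface present" >&2
    fi
fi
```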