Going to toot my own horn here but if you're looking for something like a container with a security focus that is precisely what https://nanos.org was built for. No users, no login/ssh, no ability to run other programs other than the one that is already running. It kills off entire CWE's such as CWE-77/CWE-78 and neutralizes a large amount of nasty payloads forcing attackers to put in the work. It has all the same security features you'll find in linux (aslr, stack exec off, rodata no exec, etc.) but more.
A go unikernel deployed in this manner might have 5 files on the fs so you don't have a half-dozen interpreters or live off the land binary type stuff. Beware though that not all unikernels are built the same way and don't share the same security profiles as nanos.
At the end of the day though if security is a driving force containers are simply not built for that. Just the other day CVE-2024-45310 landed and a few weeks ago we had CVE-2024-42472 in flatpak (a continuation of the bubblewrap stuff).
People are probably going to jump in here and mention gvisor and firecracker. Note that firecracker is really a machine monitor replacement and most payloads are still running a linux guest (although nanos can work here). Gvisor does deal with the security issue well enough but at the cost of performance if you don't have access to hw virtualization.
Going to toot my own horn here but if you're looking for something like a container with a security focus that is precisely what https://nanos.org was built for. No users, no login/ssh, no ability to run other programs other than the one that is already running. It kills off entire CWE's such as CWE-77/CWE-78 and neutralizes a large amount of nasty payloads forcing attackers to put in the work. It has all the same security features you'll find in linux (aslr, stack exec off, rodata no exec, etc.) but more.
A go unikernel deployed in this manner might have 5 files on the fs so you don't have a half-dozen interpreters or live off the land binary type stuff. Beware though that not all unikernels are built the same way and don't share the same security profiles as nanos.
At the end of the day though if security is a driving force containers are simply not built for that. Just the other day CVE-2024-45310 landed and a few weeks ago we had CVE-2024-42472 in flatpak (a continuation of the bubblewrap stuff).
People are probably going to jump in here and mention gvisor and firecracker. Note that firecracker is really a machine monitor replacement and most payloads are still running a linux guest (although nanos can work here). Gvisor does deal with the security issue well enough but at the cost of performance if you don't have access to hw virtualization.