The document describes two kinds of isolation models.
- Tasks running on a dedicated EC2 instance.
- Tasks running in firecracker micro-vm, using a shared EC2 instance.
However it doesn’t seem to clarify when a given task would be run on a dedicated instance, or on a shared instance using Firecracker.
The other thing I don’t really understand about Fargate is the rationale around limiting container privileges and capabilities; they allow it on vanilla ECS.
From their description, tasks never share the same OS/kernel, so getting root shouldn’t mean compromise of other customers’ tasks.
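As an added illustration of the privilege/capability difference the comment above refers to (this is example code, not part of the original post or an AWS tool), the check below inspects an ECS task definition and reports the settings that the Fargate launch type does not accept while the EC2 launch type does. It assumes, based on the AWS task-definition documentation, that Fargate rejects `privileged: true` and only permits `SYS_PTRACE` under `linuxParameters.capabilities.add`; the two task definitions are constructed for the example.

```python
import json

# Assumption (from AWS task-definition docs, not from the original post):
# on Fargate, `privileged` is unsupported and the only capability that may
# be added is SYS_PTRACE (platform version 1.4.0 or later).
FARGATE_ALLOWED_ADD_CAPS = {"SYS_PTRACE"}


def fargate_privilege_findings(task_def: dict) -> list:
    """Return findings for settings Fargate will not accept.

    An empty list means either the task definition does not target Fargate
    (EC2-only task definitions may use these settings) or nothing was flagged.
    """
    compat = set(task_def.get("requiresCompatibilities", []))
    if "FARGATE" not in compat:
        return []

    findings = []
    for container in task_def.get("containerDefinitions", []):
        name = container.get("name", "<unnamed>")
        if container.get("privileged"):
            findings.append(f"{name}: privileged=true is not supported on Fargate")
        caps = (container.get("linuxParameters") or {}).get("capabilities") or {}
        for cap in caps.get("add", []):
            if cap not in FARGATE_ALLOWED_ADD_CAPS:
                findings.append(f"{name}: cannot add capability {cap} on Fargate")
    return findings


# Constructed sample: the same container settings declared for each launch type.
EC2_TASK_DEF = json.loads("""
{
  "family": "example-ec2",
  "requiresCompatibilities": ["EC2"],
  "containerDefinitions": [
    {"name": "app", "image": "example/app:1", "privileged": true,
     "linuxParameters": {"capabilities": {"add": ["NET_ADMIN"]}}}
  ]
}
""")

FARGATE_TASK_DEF = json.loads("""
{
  "family": "example-fargate",
  "requiresCompatibilities": ["FARGATE"],
  "networkMode": "awsvpc",
  "containerDefinitions": [
    {"name": "app", "image": "example/app:1", "privileged": true,
     "linuxParameters": {"capabilities": {"add": ["NET_ADMIN", "SYS_PTRACE"]}}}
  ]
}
""")


def check_samples() -> dict:
    """Run the check over both constructed task definitions."""
    return {
        "ec2": fargate_privilege_findings(EC2_TASK_DEF),
        "fargate": fargate_privilege_findings(FARGATE_TASK_DEF),
    }


if __name__ == "__main__":
    for launch_type, findings in check_samples().items():
        print(launch_type, findings or "no Fargate-incompatible settings")
```

Running this prints nothing for the EC2 definition and two findings for the Fargate one (the `privileged` flag and the `NET_ADMIN` add); `SYS_PTRACE` passes because it is the one capability the assumption allows. The check is useful as a pre-flight step before `RegisterTaskDefinition` so the rejection surfaces in code review rather than at deploy time.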