Docker + heavily restricted user + firewalls... seems to get you much of the way there. I am aware that some work was done back in the pre-Docker days with Ruby's online sandbox to neuter Ruby's ability to make certain syscalls, but I imagine Docker, eBPF, or even using WebAssembly makes it a lot easier now.
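The "Docker + heavily restricted user + firewalls" combination from the comment above, sketched as an added example that is not part of the original comment: one function assembles a locked-down `docker run` for a single untrusted Ruby script, and a second reports which hardening flags a given command line lacks. The helper names, the `ruby:3.3-alpine` image, UID 65534, the paths and the resource limits are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example. Image, UID, limits and paths are assumptions, not from the comment.

# Print the docker argv (one argument per line) that runs /code/main.rb
# from host directory $2 inside image $1.
sandbox_args() {
    image=$1; code_dir=$2
    printf '%s\n' \
        run --rm \
        --user 65534:65534 \
        --network none \
        --cap-drop ALL \
        --security-opt no-new-privileges \
        --read-only \
        --tmpfs /tmp:rw,noexec,nosuid,size=16m \
        --pids-limit 64 \
        --memory 128m \
        --cpus 0.5 \
        --volume "$code_dir:/code:ro" \
        "$image" ruby /code/main.rb
}
# --user: unprivileged UID/GID, so the code never runs as root in the container.
# --network none: no interfaces besides loopback; if the workload needs egress,
#   replace it with a dedicated network plus host firewall rules.
# --cap-drop / no-new-privileges: no capabilities, no gain through setuid binaries.
# --read-only + noexec tmpfs: nothing persistent to write, nothing dropped to execute.
# --pids-limit / --memory / --cpus: bound fork bombs and resource exhaustion.

# Print each hardening flag that is absent from a docker command line ($1).
missing_hardening() {
    for flag in --user --network --cap-drop --security-opt --read-only \
                --pids-limit --memory; do
        case " $1 " in
            *" $flag "*|*" $flag="*) ;;          # present as "--flag v" or "--flag=v"
            *) printf '%s\n' "$flag" ;;
        esac
    done
}

# Show the assembled command (constructed sample path; nothing is executed).
echo "docker $(sandbox_args ruby:3.3-alpine /srv/jobs/demo | tr '\n' ' ')"
```

Docker's default seccomp profile still applies to this container, which covers the syscall-filtering role the comment attributes to the older Ruby sandbox work.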