Security
Security is a first-class product feature in Hostrig — not an optional appendix. Priority order: security → easy install → decent performance.
What Hostrig hardens
Section titled “What Hostrig hardens”| Layer | Behavior |
|---|---|
| User apps | Run under gVisor (runsc) by default |
| Data services | Dedicated Postgres/Redis containers stay on ordinary runc |
| Platform glue | MinIO, Caddy, BuildKit, platform Redis (BullMQ) on runc |
| Builds | Railpack / BuildKit / docker build use runc (not gVisor) |
| HostConfig | CapDrop ALL, no-new-privileges, readonly rootfs (+ /tmp tmpfs), memory/CPU limits |
| Docker socket | Available to the control plane only — never mounted into user apps |
| Secrets | Project credentials encrypted at rest (AES-GCM) |
Why gVisor
Section titled “Why gVisor”User app images and source are not fully trusted. gVisor provides a userspace syscall sandbox so a compromised app is harder to turn into host root. This is the v1 default — not microVMs (Kata/Firecracker), which are out of scope.
Operator checklist
Section titled “Operator checklist”- Install Docker Engine and gVisor (
runsc) — see Prerequisites - Prefer
userns-remap: defaulton the Docker daemon - Keep
DEPLOW_APP_RUNTIME=runsc(default) andDEPLOW_APP_RUNTIME_REQUIRED=truein production - Set strong
BETTER_AUTH_SECRET/DEPLOW_SECRETS_KEY - Do not expose
docker.sockto untrusted processes
Escape hatch
Section titled “Escape hatch”If an image cannot run under gVisor, set DEPLOW_APP_RUNTIME=runc temporarily. This logs a warning and weakens isolation — fix the image or opt out per environment; do not treat runc as the marketed default.
What we do not claim
Section titled “What we do not claim”- Multi-tenant hostile SaaS isolation on a shared public cloud
- Formal certification or microVM-level guarantees
- Sandboxing of Postgres/Redis/MinIO under gVisor
Contributor-facing detail lives in the repository: docs/security.md and docs/secure-runtime.md.