Adam
Hi Adam,
After doing some more research, I've confirmed that when I ssh into a website, I can see that I am inside a container due to the overlaying file system. When inspecting the Docker OLS container, I found that each site has different mounts as overlays.
It appears that all sites run in a single Docker container, utilizing different mount points (volumes/binds), virtual hosts, and different user/permissions.
However, I have concerns about whether this setup is safe enough. While I can confirm that I don't see other sites when ssh'd into a website, I worry that this arrangement exposes us to potential resource contention, file system access, shared process space, network access, and could lead to other problems in the future.
In my opinion, true isolation is best achieved by running each website in its own container. This way, each website operates in its own process space, preventing interference from other sites. Separate containers can also have isolated network configurations, and resources such as CPU and memory can be allocated and limited per container. Furthermore, any security breach in one container would not impact the others.
Currently, the perceived isolation seems to come from not being able to see other websites' files, which is most likely due to proper directory permissions and structure.
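
One way to check the concern raised in the post above, as an added example that is not part of the original post: compare the kernel namespace links of one process per site to see which boundaries the sites actually share. The site labels and inode numbers are constructed, and `site-c` is a hypothetical site placed in its own container with Docker's default settings (no user-namespace remapping).

```python
import os

NS_TYPES = ("mnt", "pid", "net", "ipc", "uts", "user", "cgroup")

def read_ns(pid, proc="/proc"):
    """Namespace links of a live process, e.g. {'pid': 'pid:[4026531836]'}.
    Run on the Docker host; reading other users' processes needs root."""
    links = {}
    for ns in NS_TYPES:
        try:
            links[ns] = os.readlink(f"{proc}/{pid}/ns/{ns}")
        except OSError:
            links[ns] = None  # unreadable, or the process has exited
    return links

def shared_namespaces(a, b):
    """Namespace types where both processes hold the same inode: the kernel
    draws no boundary between them for that resource."""
    return [ns for ns in NS_TYPES if a.get(ns) and a.get(ns) == b.get(ns)]

def isolation_report(procs):
    """procs maps a label to its namespace links; returns shared types per pair."""
    names = sorted(procs)
    return {(x, y): shared_namespaces(procs[x], procs[y])
            for i, x in enumerate(names) for y in names[i + 1:]}

def _links(**inodes):
    return {ns: f"{ns}:[{inode}]" for ns, inode in inodes.items()}

# Constructed sample values, not taken from the system described in the post.
ONE_CONTAINER = _links(mnt=4026532301, pid=4026532304, net=4026532306,
                       ipc=4026532303, uts=4026532302, user=4026531837,
                       cgroup=4026532305)
SAMPLE = {
    "site-a": ONE_CONTAINER,        # two sites served from the same container
    "site-b": dict(ONE_CONTAINER),
    "site-c": _links(mnt=4026532401, pid=4026532404, net=4026532406,
                     ipc=4026532403, uts=4026532402, user=4026531837,
                     cgroup=4026532405),  # hypothetical: its own container
}

if __name__ == "__main__":
    for pair, shared in isolation_report(SAMPLE).items():
        print(pair, "share:", ", ".join(shared) or "nothing")
```

On a real host, build the input with `read_ns(pid)` for one worker process per site; two sites that report `pid` and `net` as shared are separated only by file permissions and mounts, not by a container boundary.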