Just finished testing the new BentoML 1.3 beta. They've finally baked in some real sandboxing, not just the usual user-namespace remap. It's a pretty direct response to the "I need to run untrusted models" problem in regulated spaces.
They've added a `sandbox` config block in `bentofile.yaml`. You can specify a seccomp profile, drop all capabilities by default, and even set a custom AppArmor profile path. The key bit is it integrates with their container builder, so it applies whether you're deploying to their platform or exporting to OCI. For a fintech or healthcare outfit running third-party AI containers, this is a step beyond just hoping the base image is clean. Threat model here is obviously a malicious or compromised model artifact trying to break out of the inference runtime.
Still poking at the edges—wondering how it handles secrets compared to something like a Podman systemd-integrated container. But for teams already bought into the BentoML workflow, this makes the "secure by default" argument a lot stronger. Anyone else taken it for a spin?
stay containerized
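Added example, not from the post above and not BentoML's own code or `bentofile.yaml` schema (the exact shape of the 1.3 `sandbox` block isn't shown in the post, so nothing here pretends to be it). What it does show is the runtime layer those three knobs land on once the image is exported to OCI: a deny-by-default Docker/containerd seccomp profile, a small evaluator that resolves what a given syscall gets under that profile, a regression check that the breakout-relevant calls stay denied if someone widens the allow-list, and the `docker run` / `podman run` flags for cap-drop and AppArmor. The allow-list is illustrative and should be derived by tracing the real inference workload; the AppArmor profile name is a placeholder.

```python
"""Added example (not from the post or from BentoML): deny-by-default seccomp
profile for an inference container plus a checker for breakout syscalls.
The allow-list is illustrative, not a vetted production list."""
import json

# Illustrative allow-list: roughly what a Python HTTP inference server needs.
# Assumption: derive the real list by tracing the workload (strace, or
# seccomp audit logging with defaultAction SCMP_ACT_LOG first).
INFERENCE_ALLOWLIST = [
    "read", "write", "openat", "close", "fstat", "newfstatat", "lseek",
    "mmap", "mprotect", "munmap", "brk", "madvise",
    "futex", "nanosleep", "clock_gettime", "clock_nanosleep",
    "rt_sigaction", "rt_sigprocmask", "rt_sigreturn", "sigaltstack",
    "socket", "bind", "listen", "accept4", "connect", "sendto", "recvfrom",
    "sendmsg", "recvmsg", "setsockopt", "getsockopt", "getsockname",
    "epoll_create1", "epoll_ctl", "epoll_wait", "poll", "ppoll",
    "clone3", "clone", "execve", "exit", "exit_group", "wait4",
    "getpid", "gettid", "getuid", "getgid", "geteuid", "getegid",
    "getrandom", "ioctl", "fcntl", "dup", "dup2", "dup3", "pipe2",
    "uname", "prlimit64", "sched_getaffinity", "set_tid_address",
    "set_robust_list", "rseq", "getcwd", "readlink", "pread64", "pwrite64",
    "access", "faccessat", "faccessat2", "getdents64", "statx",
]

# Syscalls a malicious model process would reach for to get out of the
# inference runtime. They are deliberately absent from the allow-list, so the
# default action covers them; listed here so a review can assert they stay
# denied after someone edits the allow-list.
BREAKOUT_SYSCALLS = ["mount", "umount2", "ptrace", "unshare", "setns",
                     "keyctl", "kexec_load", "init_module", "finit_module",
                     "bpf", "reboot", "pivot_root", "chroot", "process_vm_readv"]


def build_profile(allowed):
    """Docker/containerd seccomp JSON: deny by default, allow named calls."""
    return {
        "defaultAction": "SCMP_ACT_ERRNO",
        "defaultErrnoRet": 1,  # EPERM, so the process sees a clean error
        "architectures": ["SCMP_ARCH_X86_64"],
        "syscalls": [{"names": sorted(set(allowed)), "action": "SCMP_ACT_ALLOW"}],
    }


def action_for(profile, syscall):
    """Resolve the action a runtime applies: first matching rule wins,
    otherwise defaultAction. Argument-based filters are not modeled here."""
    for rule in profile["syscalls"]:
        if syscall in rule["names"]:
            return rule["action"]
    return profile["defaultAction"]


def denied_breakouts(profile, probes=BREAKOUT_SYSCALLS):
    """Probes that are still denied; equality with probes means none leaked."""
    return [s for s in probes if action_for(profile, s) != "SCMP_ACT_ALLOW"]


def docker_run_args(profile_path, apparmor_profile="bento-inference"):
    """The runtime-level knobs the post describes, as docker/podman run flags.
    'bento-inference' is a placeholder AppArmor profile name; it must be
    loaded on the host before the container starts."""
    return ["--security-opt", f"seccomp={profile_path}",
            "--cap-drop=ALL",
            "--security-opt", f"apparmor={apparmor_profile}",
            "--security-opt", "no-new-privileges",
            "--read-only", "--user", "65534:65534"]


if __name__ == "__main__":
    prof = build_profile(INFERENCE_ALLOWLIST)
    with open("inference-seccomp.json", "w") as f:
        json.dump(prof, f, indent=2)
    leaked = set(BREAKOUT_SYSCALLS) - set(denied_breakouts(prof))
    print("breakout syscalls still allowed:", sorted(leaked) or "none")
    print("docker run", " ".join(docker_run_args("inference-seccomp.json")), "IMAGE")
```

The point of `denied_breakouts` is that the allow-list will grow as people hit EPERM in production; keeping the breakout probes as an explicit regression check means a widened list that accidentally admits `ptrace` or `unshare` fails review rather than shipping.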