Glossary

What is Container Isolation?

Container isolation means each user gets their own runtime environment with separate networking, file storage, and credentials, even when sharing the same physical host.

How container isolation works

In a multi-tenant platform, multiple users share the same physical servers. Container isolation ensures each user's workload runs in its own process space with its own filesystem, network stack, and resource limits.

HiClaw runs each OpenClaw deployment as a separate ECS task on EC2 instances. Containers use bridge networking with no exposed ports. Traefik routes traffic by subdomain, and forward-auth ensures only the owner can access their instance.

Isolation boundaries in HiClaw

  • Separate ECS tasks with independent process namespaces
  • Bridge networking with no inter-container communication
  • Per-user EFS mount points for workspace persistence
  • Separate KMS-encrypted credentials in DynamoDB per deployment
  • Per-deployment gateway token auth enforced by OpenClaw
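
One way to check an ECS task definition against the boundaries listed above. This is an added example, not HiClaw's own code; the function name, the sample task definitions and the owner id `u-123` are assumptions made for illustration.

```python
def audit_task_definition(td, owner_id):
    """Return isolation findings for an ECS task definition dict (empty = pass)."""
    findings = []
    if td.get("networkMode") != "bridge":
        findings.append("networkMode is not bridge")
    for key in ("pidMode", "ipcMode"):
        # "host" shares the instance's process or IPC namespace with the task.
        if td.get(key) == "host":
            findings.append(f"{key} is host")
    for c in td.get("containerDefinitions", []):
        name = c.get("name", "?")
        if c.get("privileged"):
            findings.append(f"{name}: privileged")
        if c.get("links"):
            findings.append(f"{name}: links to another container")
        if c.get("portMappings"):
            # Assumption: "no exposed ports" means no port mappings at all.
            findings.append(f"{name}: has port mappings")
    for v in td.get("volumes", []):
        if v.get("host", {}).get("sourcePath"):
            # A host bind mount is shared by every task on the instance.
            findings.append(f"volume {v.get('name')}: host path mount")
        efs = v.get("efsVolumeConfiguration")
        if efs is None:
            continue
        access_point = efs.get("authorizationConfig", {}).get("accessPointId")
        root = efs.get("rootDirectory", "/").rstrip("/")
        # Assumption: a volume counts as per-user if it uses an EFS access
        # point or a root directory whose last component is the owner id.
        if not access_point and not root.endswith("/" + owner_id):
            findings.append(f"volume {v.get('name')}: EFS not scoped to owner")
    return findings

# Constructed sample task definitions (file system id is a placeholder).
GOOD = {"networkMode": "bridge",
        "containerDefinitions": [{"name": "app", "privileged": False}],
        "volumes": [{"name": "workspace", "efsVolumeConfiguration": {
            "fileSystemId": "fs-EXAMPLE", "rootDirectory": "/users/u-123"}}]}
BAD = {"networkMode": "host", "pidMode": "host",
       "containerDefinitions": [{"name": "app", "privileged": True,
           "portMappings": [{"containerPort": 8080, "hostPort": 8080}]}],
       "volumes": [{"name": "workspace", "efsVolumeConfiguration": {
           "fileSystemId": "fs-EXAMPLE", "rootDirectory": "/"}}]}

if __name__ == "__main__":
    for label, td in (("good", GOOD), ("bad", BAD)):
        print(label, audit_task_definition(td, "u-123"))
```

The audit covers only what a task definition declares; whether the bridge network itself blocks inter-container traffic is a host-level setting it cannot see.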

Frequently asked questions

Can one user's container access another's data?

No. Each container runs on bridge networking with no inter-container communication. Containers have separate EFS mount points and separate encrypted credentials in DynamoDB.

What happens if a container crashes?

ECS automatically restarts the failed container. Other users' containers on the same host are unaffected because they run as independent tasks.

How does HiClaw pack containers onto hosts?

ECS places tasks across an auto-scaling group of EC2 instances. A consolidator Lambda periodically bin-packs tasks onto fewer nodes during low usage to reduce costs.
