Taskless containers for enhanced isolation of users and multi-tenant applications
Abstract:
A system for managing Containers, including a hardware node running an OS; a multi-tenant application on the node; and a plurality of Containers under the OS. A process of the multi-tenant application uses only one Container at a time. Remaining Containers available to the process are taskless Containers. An arbiter controls permissions for the process to switch from one Container to another Container. The arbiter defines trusted and untrusted execution contexts. Code of the process executing in the untrusted context is not permitted to switch Containers, and the code of the process executing in the trusted context is permitted to switch Containers. The arbiter detects attempts to switch Containers, and prevents them when executing untrusted code. Upon a request to the multi-tenant application, the arbiter switches the process that will process the user request to one of the taskless Containers and executes the request in the untrusted context.
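The control flow in the abstract, as an added example that is not taken from the patent: a small user-space model in which an arbiter moves one process into a tenant's taskless Container, drops it to the untrusted context, and refuses any switch attempted from there. All names (`Arbiter`, `handle_request`, `tenant-a`, and so on) are hypothetical, and modelling a Container as a set of task ids is an assumption made for illustration.

```python
# Added illustration: a user-space model of the arbiter described in the abstract.
# All names here are hypothetical and do not come from the patent.

class SwitchDenied(Exception):
    """Raised when untrusted code attempts to switch Containers."""

class Arbiter:
    def __init__(self, tenants):
        # Each Container is modelled as a set of task ids; tenant Containers start taskless.
        self.containers = {"host": {1}}
        self.containers.update({t: set() for t in tenants})
        self.current = {1: "host"}   # pid -> the single Container it uses
        self.trusted = {1: True}     # pid -> execution context
        self.denied = []             # audit trail of blocked switch attempts

    def switch(self, pid, target):
        """Only code running in the trusted context may change Containers."""
        if not self.trusted[pid]:
            self.denied.append((pid, self.current[pid], target))
            raise SwitchDenied(f"pid {pid}: switch to {target!r} blocked")
        self.containers[self.current[pid]].discard(pid)
        self.containers[target].add(pid)
        self.current[pid] = target

    def handle_request(self, pid, tenant, handler):
        """Switch into the tenant's Container, then run the handler untrusted."""
        self.switch(pid, tenant)         # trusted context: permitted
        self.trusted[pid] = False        # drop to the untrusted context
        try:
            return handler(self, pid)
        finally:
            self.trusted[pid] = True     # arbiter regains control
            self.switch(pid, "host")     # tenant Container is taskless again

def well_behaved(arbiter, pid):
    return f"served from {arbiter.current[pid]}"

def hostile(arbiter, pid):
    # Tenant code tries to reach another tenant's Container and is refused.
    try:
        arbiter.switch(pid, "tenant-b")
    except SwitchDenied:
        pass
    return f"still in {arbiter.current[pid]}"

def demo():
    arb = Arbiter(["tenant-a", "tenant-b"])
    results = [arb.handle_request(1, "tenant-a", well_behaved),
               arb.handle_request(1, "tenant-a", hostile)]
    return results, arb.denied, arb.containers
```

In this model the handler shares memory with the arbiter and could edit its state directly; the model assumes, as the abstract implies, that the real arbiter's state is out of reach of untrusted code.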