> These containers are not as secure as full virtualization, Walsh said, but
> they are much easier to manage than handling the multiple full operating
> systems that virtualization requires. For many use cases, secure
> containers may be the right fit.
One small clarification here. Traditional usage of full virtualization implied full operating system installs in each guest. The libvirt-sandbox toolkit, though, actually has the ability to construct its sandboxes with a choice of either LXC or KVM without code changes on the application's part. When asked to construct a sandbox with KVM, it'll build a mini initrd which uses the virtio-9p filesystem module to expose the host root filesystem read-only inside KVM, and then set up custom writable areas for places like /var/, /tmp, etc. in the same way it does for LXC. So, if desired, you can get the extra security benefit of full virtualization, albeit at the cost of greater resource utilization due to running multiple kernels.