
Containers vs Hypervisors: The Battle Has Just Begun (Linux.com)

Posted Aug 29, 2014 11:13 UTC (Fri) by azilian (guest, #47340)
Parent article: Containers vs Hypervisors: The Battle Has Just Begun (Linux.com)

We are already providing Linux container hosting at http://www.getclouder.com.
And I have to point out that Docker is not the only container technology! LXC is out there, and is doing an awesome job at providing you with full OS containers.

As far as security, if you configure your containers properly and give them their own physical storage, most of the security concerns disappear.

I'm not saying that containers are completely secure, but I'm trying to point out that they are reasonably secure if they are reasonably set up.



Containers vs Hypervisors: The Battle Has Just Begun (Linux.com)

Posted Aug 29, 2014 11:31 UTC (Fri) by dag- (guest, #30207) [Link]

The security benefits are a result of the decreasing number of attack vectors. However, those "hyper containers" now have the (questionable) security benefit that they are not standardized.

But as soon as there is uptake on the idea, things will get standardized, and that opens the door to abusing standardized APIs or standardized setups. And if the storage layer is replaced with cloud storage APIs, you have to include the attack vectors against the cloud storage as well.

Things do not become necessarily less complex, but it might help to reduce the number of (currently used) attack vectors.

Containers vs Hypervisors: The Battle Has Just Begun (Linux.com)

Posted Aug 29, 2014 13:15 UTC (Fri) by ewan (guest, #5533) [Link]

"reasonably secure if they are reasonably set up"

And full virt VMs are reasonably fast if they are reasonably set up.

This is probably one of those things not worth having a war over - sometimes containers will be better, sometimes VMs will be better, but most times either one will do just fine, and pretty much interchangeably.

Containers vs Hypervisors: The Battle Has Just Begun (Linux.com)

Posted Sep 2, 2014 2:22 UTC (Tue) by raven667 (subscriber, #5198) [Link]

> As far as security, if you configure your containers properly and give them their own physical storage, most of the security concerns disappear.

I don't think that is true at all; what I've heard from the security people and the container people is that containers are not useful for hostile multi-tenant environments, in the way that full VMs are useful. There are too many design holes which need to be plugged with SELinux or seccomp_bpf or whatever, the kernel attack surface is large, and there are _always_ 0days floating around which break the kernel, especially when you support fully-featured guest images. Of course this doesn't mean that hosting services aren't being offered, but what you believe is "reasonably secure" may differ from others.


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds