On the way to safe containers

Posted Sep 22, 2016 11:06 UTC (Thu) by spender (guest, #23067)
Parent article: On the way to safe containers

I think when LXD was first announced two years ago, the bit in their advertisement (still present on http://www.ubuntu.com/cloud/lxd) that security folks were most interested in was this:
"We’re working with silicon companies to ensure hardware‐assisted security and isolation for these containers, just like virtual machines today."

Based on this presentation though, it seems like there's nothing special here compared to other container solutions -- the kernel (and the security of user namespaces) is still the weakest link, LXD simply allows that same weakness to be spread out over multiple physical machines more easily. A safe container it is not.

-Brad

