
Making containers safer


Posted Aug 22, 2019 12:44 UTC (Thu) by walters (subscriber, #7396)
In reply to: Making containers safer by cyphar
Parent article: Making containers safer

Let me rephrase the original point I was trying to make:

The LXD team's push for user namespaces is great, and worth a lot of credit. The article's authors (and you) are right to highlight the risks of running without user namespaces.

The way I think about security is: I often use the term "secure" when talking about code to mean "we believe we can ship fixes for the security issues that arise using this", and I think that's true of "uid 0 containers". You're right that there have been numerous CVEs, and there are required band-aids like seccomp for open_by_handle_at(), but this all got fixed.

So again, I think calling them "privileged containers" is taking things a step too far.



Making containers safer

Posted Aug 22, 2019 12:55 UTC (Thu) by walters (subscriber, #7396)

Speaking of credit, from the article:

> Sadly, he said, the vast majority of containers that are run today are privileged containers. That includes most Docker containers and most of the containers that are run with Kubernetes.

I also think OpenShift deserves a lot of credit for coming out of the box from the very first 3.0 (Kubernetes-based) release in 2015 with the `MustRunAsRange` security policy, i.e. the pods aren't running as uid 0. This still causes, to this day, a lot of incompatibility with apps that run on "stock Kubernetes".

At the time, user namespaces were a lot more immature, so I think it was the right call.

(To be clear, I work on OpenShift now, but I didn't have anything to do with implementing that feature.)
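The two mitigations named in these comments, a seccomp filter that keeps open_by_handle_at() away from uid 0 containers and a policy such as `MustRunAsRange` that keeps pods off uid 0 in the first place, can both be audited from the pod spec and the runtime's seccomp profile. The following is an added example written for this page, not code from LWN, OpenShift, Docker or Kubernetes; the pod specs and seccomp profiles are constructed, the uid 1000650000 merely stands in for a range-allocated uid, and the rule matching is a simplification of how Docker and libseccomp evaluate a profile (first matching rule wins, else the default action).

```python
"""Audit a Kubernetes pod spec plus a Docker/CRI-style seccomp profile for
two things discussed in the thread: does any container run as uid 0, and
can it still reach open_by_handle_at()?  Added example, not project code."""

# --- constructed inputs ----------------------------------------------------
# Pod with no securityContext at all: the image's default user applies,
# which for most images is uid 0.  No seccomp profile means Unconfined.
POD_RUNS_AS_ROOT = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "example-root"},
    "spec": {"containers": [{"name": "app", "image": "example/app:1.0"}]},
}

# Pod as a MustRunAsRange-style policy would admit it: a non-zero uid drawn
# from an assumed namespace range, runAsNonRoot enforced, runtime seccomp on.
POD_HARDENED = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "example-hardened"},
    "spec": {
        "securityContext": {
            "runAsNonRoot": True,
            "runAsUser": 1000650000,               # placeholder range uid
            "seccompProfile": {"type": "RuntimeDefault"},
        },
        "containers": [{
            "name": "app", "image": "example/app:1.0",
            "securityContext": {"allowPrivilegeEscalation": False},
        }],
    },
}

# Default-deny profile in the Docker JSON shape: open_by_handle_at is only
# allowed to containers holding CAP_DAC_READ_SEARCH.
SECCOMP_DEFAULT_DENY = {
    "defaultAction": "SCMP_ACT_ERRNO",
    "syscalls": [
        {"names": ["read", "write", "openat", "close", "exit_group"],
         "action": "SCMP_ACT_ALLOW"},
        {"names": ["open_by_handle_at"], "action": "SCMP_ACT_ALLOW",
         "includes": {"caps": ["CAP_DAC_READ_SEARCH"]}},
    ],
}
SECCOMP_PERMISSIVE = {"defaultAction": "SCMP_ACT_ALLOW", "syscalls": []}


# --- checks ----------------------------------------------------------------
def container_uid_findings(pod):
    """Report containers that run as uid 0, either explicitly or by omission.
    Container-level securityContext overrides the pod-level one."""
    pod_sc = pod["spec"].get("securityContext", {})
    findings = []
    for c in pod["spec"]["containers"]:
        sc = c.get("securityContext", {})
        uid = sc.get("runAsUser", pod_sc.get("runAsUser"))
        non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot", False))
        if uid == 0:
            findings.append(f"{c['name']}: runAsUser is 0 (explicit root)")
        elif uid is None and not non_root:
            findings.append(f"{c['name']}: no runAsUser/runAsNonRoot set; "
                            "image default uid applies, usually 0")
    return findings


def seccomp_allows(profile, syscall, container_caps=frozenset()):
    """True if `syscall` passes the profile for a container holding
    `container_caps`.  Simplified: first rule naming the syscall whose
    includes/excludes cap conditions hold decides; else defaultAction."""
    for rule in profile.get("syscalls", []):
        if syscall not in rule.get("names", []):
            continue
        inc = set(rule.get("includes", {}).get("caps", []))
        exc = set(rule.get("excludes", {}).get("caps", []))
        if inc and not (inc & container_caps):
            continue
        if exc & container_caps:
            continue
        return rule.get("action") == "SCMP_ACT_ALLOW"
    return profile.get("defaultAction") == "SCMP_ACT_ALLOW"


def audit(pod, runtime_profile):
    """Combine both checks.  open_by_handle_at counts as reachable if any
    container is Unconfined, or if the runtime profile allows it given the
    capabilities the container asks for via capabilities.add."""
    pod_sc = pod["spec"].get("securityContext", {})
    reachable = False
    for c in pod["spec"]["containers"]:
        sc = c.get("securityContext", {})
        prof = sc.get("seccompProfile") or pod_sc.get("seccompProfile") \
            or {"type": "Unconfined"}
        caps = frozenset(sc.get("capabilities", {}).get("add", []))
        if prof["type"] == "Unconfined" or \
                seccomp_allows(runtime_profile, "open_by_handle_at", caps):
            reachable = True
    return {"root_findings": container_uid_findings(pod),
            "open_by_handle_at_reachable": reachable}


if __name__ == "__main__":
    for pod in (POD_RUNS_AS_ROOT, POD_HARDENED):
        print(pod["metadata"]["name"], audit(pod, SECCOMP_DEFAULT_DENY))
```

The point of running both checks together is the one walters makes: the seccomp rule for open_by_handle_at() is a band-aid that only matters once a process is already uid 0 (or holds CAP_DAC_READ_SEARCH), whereas a range-assigned non-root uid removes most of the reason to worry about that syscall at all.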


Copyright © 2026, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds