wahern 2 days ago

> Why would long lived VMs be better if they're also using old versions of software?

It's more difficult to break out of a VM and take over the host, unless a container has a very strict seccomp policy that limits the exposed kernel surface area. The Linux kernel's high rate of feature churn has resulted in an endless parade of root exploits. Locking down a container takes effort as you risk breaking the application by removing access to fancy kernel features du jour. VMs have bugs, too, but it's a better situation, especially if the interface between guest and host is limited to a few virtio drivers. Firecracker, for example, takes this minimalist approach; relative to containers it's more of a "secure by default" situation as far as host protection goes, and unless the guest environment requires direct access to peripheral hardware, everything will still work as intended.
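The "strict seccomp policy that limits the exposed kernel surface area" point above, as an added example that is not part of the thread: a small auditor for Docker-style JSON seccomp profiles that reports which of a chosen set of rarely needed syscalls a profile still lets through. The profile semantics are simplified (argument filters, includes/excludes and architecture matching are ignored), and the two profiles and the audit list are constructed samples.

```python
"""Audit which syscalls a Docker-style seccomp profile exposes.

Added example, not code from the thread. It implements a simplified reading
of Docker's JSON profile format: a defaultAction plus a list of
{"names": [...], "action": ...} rules. Argument filters ("args"),
"includes"/"excludes" and architecture filtering are deliberately ignored.
"""
import json

ALLOW = "SCMP_ACT_ALLOW"

# Constructed sample: a permissive profile that blocks nothing by default.
PERMISSIVE_PROFILE = json.dumps({
    "defaultAction": "SCMP_ACT_ALLOW",
    "syscalls": [],
})

# Constructed sample: a deny-by-default allowlist. The names are assumed to
# be enough for a tiny static binary; a real workload needs a longer list.
STRICT_PROFILE = json.dumps({
    "defaultAction": "SCMP_ACT_ERRNO",
    "architectures": ["SCMP_ARCH_X86_64"],
    "syscalls": [
        {"names": ["read", "write", "exit", "exit_group", "brk", "mmap",
                   "munmap", "close", "fstat", "rt_sigreturn"],
         "action": "SCMP_ACT_ALLOW"},
    ],
})

# Kernel features reachable from a container but rarely needed by an
# application; used here only as a sample list to audit a profile against.
AUDIT_SYSCALLS = ["unshare", "keyctl", "bpf", "userfaultfd", "mount", "ptrace"]


def syscall_action(profile: dict, name: str) -> str:
    """Return the action the profile applies to `name` (first rule wins)."""
    for rule in profile.get("syscalls", []):
        names = rule.get("names") or ([rule["name"]] if "name" in rule else [])
        if name in names:
            return rule["action"]
    return profile["defaultAction"]


def exposed_syscalls(profile_json: str, candidates: list) -> list:
    """List the syscalls from `candidates` that the profile lets through."""
    profile = json.loads(profile_json)
    return [s for s in candidates if syscall_action(profile, s) == ALLOW]


if __name__ == "__main__":
    for label, prof in (("permissive", PERMISSIVE_PROFILE), ("strict", STRICT_PROFILE)):
        print(f"{label}: exposes {exposed_syscalls(prof, AUDIT_SYSCALLS)}")
```

Point it at a real profile (for example the one passed via `--security-opt seccomp=...`) to see which of the audited syscalls remain reachable from inside the container.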
throwaway290 2 days ago

So anyone using Docker on mac or windows is safe from this scary stuff because they run all containers in a vm? Cool!
colejohnson66 2 days ago

So the problem is Linux, not Docker, then.