| ▲ | socalgal2 5 days ago |
| that's a really good point .. but, I think 99% of docker users believe it is a a sandbox and treat it as such. |
|
| ▲ | freedomben 5 days ago | parent | next [-] |
| And not without cause. We've been pitching docker as a security improvement for well over a decade now. And it is a security improvement, just not as much as many evangelists implied. |
| |
| ▲ | fragmede 5 days ago | parent [-] | | Must depend on who you've been talking to. Docker's not been pitched for security in the circles I run in, ever. |
|
|
| ▲ | TacticalCoder 5 days ago | parent | prev | next [-] |
| Not 99%. Many people run an hypervisor and then a VM just for Docker. Attacker now needs a Docker exploit and then a VM exploit before getting to the hypervisor (and, no, pwning the VM ain't the same as pwning the hypervisor). |
| |
| ▲ | windexh8er 4 days ago | parent | next [-] | | Agreed - this is actually pretty common in the Proxmox realm of hosters. I segment container nodes using LXC, and in some specific cases I'll use a VM. Not only does it allow me to partition the host for workloads but I also get security boundaries as well. While it may be a slight performance hit the segmentation also makes more logical sense in the way I view the workloads. Finally, it's trivial to template and script, so it's very low maintenance and allows for me to kill an LXC and just reprovision it if I need to make any significant changes. And I never need to migrate any data in this model (or very rarely). | |
| ▲ | briHass 4 days ago | parent | prev [-] | | 'Double-bagging it' was what we called it in my day. |
|
|
| ▲ | dist-epoch 5 days ago | parent | prev [-] |
| it is a sandbox against unintentional attacks and mistakes (sudo rm -rf /) but will not stop serious malware |
