| ▲ | dwroberts 3 hours ago | |||||||
I see the ‘not a security boundary’ thing repeated constantly, and while it makes sense (eg. they’re sharing the underlying kernel or at least some access to it) if you think about it a little more, VMs are not magically different: they are better isolated, but VMs on the same host still share the host in common. A CVE next week that allows corruption of host state that affects eg every VM under a particular hypervisor will be no less damaging than this CVE is to containers | ||||||||
| ▲ | necovek 2 hours ago | parent [-] | |||||||
You are obviously right that these are similar in principle: VM isolation exploit would lead to the same exposure like container-related isolation exploits. VMs are considered vastly better because the surface area where exploits can happen is smaller and/or better isolated within the kernel. If you are arguing the latter is not true — and we are all collectively hand-waving away big chunk of the surface area so that may be the case — it would help to be explicit in why you believe an exploit in that area is similarly likely? | ||||||||
| ||||||||