Hi, great show. But you forgot about "Podman", a very reliable and more secure alternative to Docker.
Docker is actually very secure, as long as you keep the daemon updated.
Jay, the DomiStyle/docker-idrac6 container is what I use with older iDRACs
And for IPMIs which require Java this seems to work solarkennedy/ipmi-kvm-docker
What about using base images from Docker Hub to build manually?
How does the security of systems containers like LXC compare to that of a VM? I’m assuming a VM would be more secure, but is the cost worth the performance hit?
LXC still shares the kernel so the risk is greater.
Thanks to both of you for covering virtualization and containers. Could you please explain what is meant by not running a container as root. I understand it in the context of running a nodejs or python app, but what does that mean for containers such as nginx or mongodb.
dB
nginx for example only needs root to expose ports 80 and 443. It's a Linux limitation: you can only expose ports higher than or equal to 1024 with a non-root user. There's a non-root nginx container out there which exposes ports 8080 and 8443 instead, I believe. The reason for not using root at all is that there is still the possibility of privilege escalation. A docker container for example is running basically as an application on your host kernel. So, when it's executed as root and the container user is also root, and there's a security vulnerability in the container runtime engine, that could be exploited and a malicious container could gain root access to your host via kernel syscalls etc.
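The two points in the comment above (drop root with a USER instruction, and once you do, expose ports at or above 1024) can be checked mechanically before an image is ever built. The following is an added example, not code from the thread or from any nginx image: a small Dockerfile lint with two constructed Dockerfiles, one root/80/443 and one non-root/8080/8443. The parser is deliberately simplified (last USER wins, no ARG expansion, no multi-stage awareness).

```python
"""Lint a Dockerfile for two container-hardening checks:
1. the image should set a non-root USER (Docker defaults to root), and
2. a non-root image cannot bind ports below 1024, so EXPOSE should name
   ports >= 1024 (e.g. 8080/8443 instead of 80/443).

Added example; both Dockerfile texts below are constructed for illustration.
"""
import re

# Constructed: a typical nginx image that keeps root and the privileged ports.
CONSTRUCTED_DOCKERFILE_ROOT = """\
FROM nginx:1.25
COPY nginx.conf /etc/nginx/nginx.conf
EXPOSE 80 443
"""

# Constructed: the same image reworked to drop root and use >= 1024 ports.
CONSTRUCTED_DOCKERFILE_NONROOT = """\
FROM nginx:1.25
# hypothetical nginx.conf that listens on 8080 and 8443
COPY nginx.conf /etc/nginx/nginx.conf
RUN chown -R nginx:nginx /var/cache/nginx /var/run
USER nginx
EXPOSE 8080/tcp 8443
"""

ROOT_NAMES = {"root", "0"}          # USER root or USER 0 both mean uid 0
PRIVILEGED_PORT_LIMIT = 1024        # ports below this need root (or CAP_NET_BIND_SERVICE)


def parse_dockerfile(text):
    """Return (effective_user, exposed_ports) from Dockerfile text.

    The last USER instruction wins; with no USER the image runs as root.
    EXPOSE arguments may carry a protocol suffix (8080/tcp), which is dropped.
    """
    user = "root"
    ports = []
    text = re.sub(r"\\\n", " ", text)  # join backslash-continued lines
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        instr = parts[0].upper()
        args = parts[1] if len(parts) > 1 else ""
        if instr == "USER":
            user = args.split(":")[0].strip()   # "USER name[:group]" / "USER uid[:gid]"
        elif instr == "EXPOSE":
            for spec in args.split():
                port = spec.split("/")[0]        # strip /tcp or /udp
                if port.isdigit():
                    ports.append(int(port))
    return user, ports


def lint_dockerfile(text):
    """Return a list of findings; an empty list means both checks pass."""
    user, ports = parse_dockerfile(text)
    findings = []
    low = [p for p in ports if p < PRIVILEGED_PORT_LIMIT]
    if user in ROOT_NAMES:
        findings.append("runs as root: add a USER instruction naming an unprivileged user")
        if low:
            findings.append(
                f"privileged port(s) {low} exposed; moving them to >= {PRIVILEGED_PORT_LIMIT} "
                "is what lets the container drop root"
            )
    elif low:
        findings.append(
            f"non-root user {user!r} cannot bind privileged port(s) {low}; "
            f"expose ports >= {PRIVILEGED_PORT_LIMIT} instead"
        )
    return findings


if __name__ == "__main__":
    for name, df in (("root image", CONSTRUCTED_DOCKERFILE_ROOT),
                     ("non-root image", CONSTRUCTED_DOCKERFILE_NONROOT)):
        print(name, "->", lint_dockerfile(df) or "OK")
```

The check is static, so it complements rather than replaces a runtime inspection of the container's uid. The 1024 boundary is the kernel's default: a deployment can instead grant only CAP_NET_BIND_SERVICE to the non-root process, or lower net.ipv4.ip_unprivileged_port_start, but moving to 8080/8443 is the option that needs no extra privilege at all.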
Prescient discussion about supply chain vulnerabilities here
Thank you for the information - the idrac container is something I use regularly after hearing about it on this show. Does someone perhaps have any suggestion to access old java apps via browser? I have a chiller system in the DC and the old java is a pain.
I'm confused about the difference between snaps and docker. Both are containers, both are immutable, but there are differences. One of the mentioned differences is that you can have more docker instances, but I can start more Firefox snap windows too. But it looks that Firefox is one process with 2 threads sharing one virtual address space, while maybe docker uses two separate processes each with its own virtual address space. Like Mark Shuttleworth explained, Snap, Docker and LXC present different "illusions of the kernel" to their containers with respect to e.g. cores, disks and network.
It would be interesting to understand those "different illusions". My best guess is:
- LXC supports virtual cores and communication between processes through messages or shared memory. It is like a VM borrowing the Host OS.
- Docker is for system programs and application programs. It can run more instances/processes of the same Docker container and each container has its own IP address. Communication must go through the IP address. A problem seems to be, which IP address belongs to which instance. Another issue is related to GUI applications.
- Snaps are intended for applications and GUI apps too, but they seem to be one instance/process only. Even starting a 2nd Firefox through the CLI does not create an additional process, but it results in warning messages and in additional threads for a new window and its content. That behavior however is more or less the same for Firefox deb packages, so maybe that behavior is e.g. specific for Firefox.
😯 a container to run java for my ASRock Rack mobo with its ASpeed IPMI!? Need!!!
Microsoft makes Windows containers, by the way. They're just very late to the party. I have not used them, but they seem similar in concept to LXC containers.
They had Windows containers back in 2018, but it was very crappy to work with them lol
You can containerize Windows, but you can only do it on Windows. Even k8s has official Windows support. But that doesn't mean we should use it lol