Is systemd within a Docker container still recommended?

Michael DePaulo mikedep333 at gmail.com
Tue Mar 3 14:28:59 UTC 2015


On Mon, Mar 2, 2015 at 2:33 PM, Daniel J Walsh <dwalsh at redhat.com> wrote:
>
> On 03/02/2015 10:03 AM, Mauricio Tavares wrote:
>> On Mon, Mar 2, 2015 at 9:42 AM, Lennart Poettering <mzerqung at 0pointer.de> wrote:
>>> You'd have to get the kernel changed for that "information leak" to be
>>> fixed.
>>>
>>> That said, containers on Linux are not really about security, the
>>> whole thing has more holes than a swiss cheese. Maybe one day the
>>> security holes can be fixed, but as of now, it's simply not
>>> secure. And this "information leak" is certainly the least of your
>>> problems...
>>>
>> What would then be the recommended solution if containers are insecure?
> Well we are trying to fix this, but as Lennart says, there are many
> holes in the strategy at this point. I am working on a presentation
> that talks about different levels of security. As soon as you get to
> Virtualization you get less security.
>
> I would say running each service on an individual machine is the most
> secure. Running each service on a separate VM is the second most,
> especially if you are using SELinux/sVirt for separation of your VMs.
> Third level is running each service in a different container (again you
> want SELinux for some separation).
> Fourth is each service running on the host (wrapped with SELinux).
> Fifth setenforce 0.

Thanks, that is a very good explanation.
