Richard W.M. Jones
rjones at redhat.com
Fri Sep 6 19:38:31 UTC 2013
On Fri, Sep 06, 2013 at 09:10:24PM +0200, 80 wrote:
> No, it's less secure than kvm but it still provides better isolation
> than a mere chroot.
It doesn't matter if it's more secure than a chroot, because that's
not what we're talking about. This is about whether you want
random-person-off-the-internet to upload any software they like and
run it on your server, and you *do not* want to do that with either a
chroot or a Linux container [even if OpenShift got away with it].
> Secure containers as dwalsh described is a worthy improvement.
... SELinux labels will not make that situation any better, because an
exploit somewhere in the large kernel API bypasses SELinux.
Dan Walsh's two replies are much more nuanced than you understand.
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
virt-top is 'top' for virtual machines. Tiny program with many
powerful monitoring features, net stats, disk stats, logging, etc.
More information about the devel