Is systemd within a Docker container still recommended?

Michael DePaulo mikedep333 at
Tue Mar 3 14:28:59 UTC 2015

On Mon, Mar 2, 2015 at 2:33 PM, Daniel J Walsh <dwalsh at> wrote:
> On 03/02/2015 10:03 AM, Mauricio Tavares wrote:
>> On Mon, Mar 2, 2015 at 9:42 AM, Lennart Poettering <mzerqung at> wrote:
>>> You'd have to get the kernel changed for that "information leak" to be
>>> fixed.
>>> That said, containers on Linux are not really about security, the
>>> whole thing has more holes than a swiss cheese. Maybe one day the
>>> security holes can be fixed, but as of now, it's simply not
>>> secure. And this "information leak" is certainly the least of your
>>> problems...
>>       What would then be the recommended solution if containers are insecure?
> Well we are trying to fix this, but as Lennart says, there are many
> holes in the strategy at this
> point.  I am working on a presentation that talks about different levels
> of security.  As soon
> as you get to Virtualization you get less security.
> I would say running each service on an individual machine is the most
> secure.  Running Each Service
> on a separate VM is the second most, especially if you are using
> SELInux/Svirt for separation of your VM's.
> Third level is running each Service in a different container, (Again you
> want SELinux for some separation).
> Fourth is each Service running on the host, (Wrapped with SELinux).
> Fifth setenforce 0.

Thanks, that is a very good explanation.

More information about the devel mailing list