Call it less secure than VMs if you prefer that wording.
>not running as root should be an absolutely critical first step for managing risk.
Kinda depends on what angle you come at it from risk management. You could take something less secure (containers) and try to tweak it to meet whatever level of residual risk you deem acceptable. Or you could just jump straight to VM and benefit from the inherent higher level of separation.
The fact that all the big players with their clever engineers have specifically opted for VM tech (e.g. AWS creating Firecracker for Lambda) tells me the latter is probably the way to go.
That said I mostly do stick to containers when in a trusted environment.