undefined | Better HN

0 pointsDannoHung12y ago0 comments

Docker combines LXC along with a few other isolation and security technologies. What the Docker maintainers are also doing is setting up a system for distributing LXC based images. Beyond this, since Docker works with these union file systems, it also lets you build on top of other images.

Eventually, there may be some way to merge images together, though I imagine that will always be a little harry compared to a simple stack up.

Documentation is more than a little sparse right now, unfortunately. It took me a few days to figure out how all the pieces work together.

0 comments

eldondev12y ago

Can you be specific about the other security methodologies docker rolls in? Everywhere I read, people say "LXC != VM-level security," specifically, I hear that root on the container means root on the host. These suse guys at least say "If you want to be secure, kvm is still your answer." : http://unixcal.com/s/a4mn . Thoughts?

jpetazzo12y ago

Root on the container doesn't mean root on the host. Machine-level virtualization has received more scrutiny than LXC, so as of today, many people consider traditional VMs to be more secure. But KVM or Xen are not intrinsically more secure than LXC or OpenVZ. They all have their histories of exploits and privilege escalations.

One key thing is, that it makes sense to run containers without root privileges (greatly improving security), while it is much harder to realistically run a VM without root processes. As a result, it could be said that containers are much safer, because before even thinking about breaking out of the container, you have to work on a root exploit - on a system which, by essence, only runs the processes that you really need, and has a much smaller attack surface.

We're working on a more elaborated answer, to be included within Docker docs!

j / k navigate · click thread line to collapse