I’ve read that standard containers are optimized for developer productivity and not security, which makes sense.

But then what would be ideal to use for security? Suppose I want to isolate environments from each other for security purposes, to run questionable programs or reduce attack surface. What are some secure solutions?

Something without the performance hit of VMs

  • steph@lemmy.clueware.org
    link
    fedilink
    arrow-up
    2
    arrow-down
    1
    ·
    edit-2
    2 years ago

    All recent CPUs have native virtualization support, so there’s close to no performance hit on VMs.

    That being said, even a VM is subject to exploits and malicious code could break out of the VM down to its hypervisor.

    The only secure way of running suspicious programs starts with an air-gaped machine, a cheap hdd/ssd that will go straight under the hammer as soon as testing is complete. And I’d be wondering even after that if maybe the BIOS might have been compromised.

    On a lower level of paranoia and/or threat, a VM on an up-to-date hypervisor with a snapshot taken before doing anything questionable should be enough. You’d then only have to fear a zero day exploit of said hypervisor.

    • AggressivelyPassive@feddit.de
      link
      fedilink
      arrow-up
      3
      ·
      2 years ago

      Each VM needs a complete OS, though. Even at 100% efficiency, that’s still a whole kernel+userspace just idling around and a bunch of caches, loaded libraries, etc. Docker is much more efficient in that regard.

      • Saik0A
        link
        fedilink
        English
        arrow-up
        1
        ·
        2 years ago

        And LXC even more efficient in that regard.

        Docker does load a bunch of stuff that most people don’t need for their project.

        I don’t know why LXC is always the red-headed stepchild. It works wonderfully.