1 |
On Thu, 16 Jun 2016 22:35:24 -0400 waltdnes@××××××××.org wrote: |
2 |
> On Thu, Jun 16, 2016 at 04:33:12PM -0400, Rich Freeman wrote |
3 |
> > On Thu, Jun 16, 2016 at 4:11 PM, Alan McKinnon <alan.mckinnon@×××××.com> wrote: |
4 |
> > > |
5 |
> > > I don't see the part where all these latest fancy container thingymagicies |
6 |
> > > are not really just "embed everything in everything" |
7 |
> > > |
8 |
> > > We've known for years the dangers of embedding stuff in packages (it hardly |
9 |
> > > ever gets updated properly) |
10 |
> > > |
11 |
> > |
12 |
> > Well, that strikes me as being true of these self-contained packages, |
13 |
> > but it isn't necessarily true of containers in general. |
14 |
> > |
15 |
> > I run most of my services in containers, and they're just Gentoo |
16 |
> > installations with a really small world file. Things are just as |
17 |
> > up-to-date as they would be if I ran it all in a single host. |
18 |
> > |
19 |
> > Now, if you're the sort of person who just grabs some random docker |
20 |
> > image from who knows where, then sure you're getting a big bundle of |
21 |
> > stuff that may or may not be maintained for security. This is no |
22 |
> > different. |
23 |
> |
24 |
> I don't follow this stuff, so this may be a stupid question... how |
25 |
> does a "container" or "docker" differ from a chroot or a QEMU VM with a |
26 |
> minimal set of applications? |
27 |
|
28 |
There is one common misconception, that chroot is security measure. |
29 |
This is wrong! Chroot is not a security function at all. It is |
30 |
extremely easy to exit chroot [1] if you have root access inside |
31 |
chroot (AFAIK with PAX/GRSecurity it is possible to deny this, but |
32 |
this is another story.) So if you are using chroot for security, |
33 |
forget about security, you have no security at all. This syscall was |
34 |
designed for another needs. |
35 |
Tl;dr; Inside chroot do as a root: |
36 |
mkdir foo; chroot foo; cd .. |
37 |
|
38 |
QEMU VM (as well as other VM) can provide you some degree of |
39 |
security at the cost of performance and system resources. Inside VM |
40 |
you have independent (fully or paravirtualized) kernel and |
41 |
environment. But it is still possible to exit it using hypervisor |
42 |
bugs or hardware-based attacks like L3 cache attack[2]. Yes, if one |
43 |
have modern Intel or AMD CPU with SSE2 and L3 cache enabled, forget |
44 |
about tight security too. |
45 |
|
46 |
Due to reasons above I prefer container solutions like LXC over VM |
47 |
for security: they give approximately the same level of protection |
48 |
as VM, but resources cost is much lower. Of course it is still |
49 |
possible to break any container through L3 cache or some kernel |
50 |
bugs, so for really tight security independent hardware and OS must |
51 |
be used. |
52 |
|
53 |
[1] https://lwn.net/Articles/252794/ |
54 |
[2] https://www.usenix.org/node/184416 |
55 |
|
56 |
Best regards, |
57 |
Andrew Savchenko |