| 1 |
On Thu, 16 Jun 2016 22:35:24 -0400 waltdnes@××××××××.org wrote: |
| 2 |
> On Thu, Jun 16, 2016 at 04:33:12PM -0400, Rich Freeman wrote |
| 3 |
> > On Thu, Jun 16, 2016 at 4:11 PM, Alan McKinnon <alan.mckinnon@×××××.com> wrote: |
| 4 |
> > > |
| 5 |
> > > I don't see the part where all these latest fancy container thingymagicies |
| 6 |
> > > are not really just "embed everything in everything" |
| 7 |
> > > |
| 8 |
> > > We've known for years the dangers of embedding stuff in packages (it hardly |
| 9 |
> > > ever gets updated properly) |
| 10 |
> > > |
| 11 |
> > |
| 12 |
> > Well, that strikes me as being true of these self-contained packages, |
| 13 |
> > but it isn't necessarily true of containers in general. |
| 14 |
> > |
| 15 |
> > I run most of my services in containers, and they're just Gentoo |
| 16 |
> > installations with a really small world file. Things are just as |
| 17 |
> > up-to-date as they would be if I ran it all in a single host. |
| 18 |
> > |
| 19 |
> > Now, if you're the sort of person who just grabs some random docker |
| 20 |
> > image from who knows where, then sure you're getting a big bundle of |
| 21 |
> > stuff that may or may not be maintained for security. This is no |
| 22 |
> > different. |
| 23 |
> |
| 24 |
> I don't follow this stuff, so this may be a stupid question... how |
| 25 |
> does a "container" or "docker" differ from a chroot or a QEMU VM with a |
| 26 |
> minimal set of applications? |
| 27 |
|
| 28 |
There is one common misconception, that chroot is security measure. |
| 29 |
This is wrong! Chroot is not a security function at all. It is |
| 30 |
extremely easy to exit chroot [1] if you have root access inside |
| 31 |
chroot (AFAIK with PAX/GRSecurity it is possible to deny this, but |
| 32 |
this is another story.) So if you are using chroot for security, |
| 33 |
forget about security, you have no security at all. This syscall was |
| 34 |
designed for another needs. |
| 35 |
Tl;dr; Inside chroot do as a root: |
| 36 |
mkdir foo; chroot foo; cd .. |
| 37 |
|
| 38 |
QEMU VM (as well as other VM) can provide you some degree of |
| 39 |
security at the cost of performance and system resources. Inside VM |
| 40 |
you have independent (fully or paravirtualized) kernel and |
| 41 |
environment. But it is still possible to exit it using hypervisor |
| 42 |
bugs or hardware-based attacks like L3 cache attack[2]. Yes, if one |
| 43 |
have modern Intel or AMD CPU with SSE2 and L3 cache enabled, forget |
| 44 |
about tight security too. |
| 45 |
|
| 46 |
Due to reasons above I prefer container solutions like LXC over VM |
| 47 |
for security: they give approximately the same level of protection |
| 48 |
as VM, but resources cost is much lower. Of course it is still |
| 49 |
possible to break any container through L3 cache or some kernel |
| 50 |
bugs, so for really tight security independent hardware and OS must |
| 51 |
be used. |
| 52 |
|
| 53 |
[1] https://lwn.net/Articles/252794/ |
| 54 |
[2] https://www.usenix.org/node/184416 |
| 55 |
|
| 56 |
Best regards, |
| 57 |
Andrew Savchenko |
Archives