| 1 |
On Fri, Jun 17, 2016 at 3:16 AM, Andrew Savchenko <bircoph@g.o> wrote: |
| 2 |
> On Thu, 16 Jun 2016 22:35:24 -0400 waltdnes@××××××××.org wrote: |
| 3 |
>> I don't follow this stuff, so this may be a stupid question... how |
| 4 |
>> does a "container" or "docker" differ from a chroot or a QEMU VM with a |
| 5 |
>> minimal set of applications? |
| 6 |
> |
| 7 |
> Due to reasons above I prefer container solutions like LXC over VM |
| 8 |
> for security: they give approximately the same level of protection |
| 9 |
> as VM, but resources cost is much lower. Of course it is still |
| 10 |
> possible to break any container through L3 cache or some kernel |
| 11 |
> bugs, so for really tight security independent hardware and OS must |
| 12 |
> be used. |
| 13 |
|
| 14 |
Containers on Linux aren't nearly as secure as a VM right now. |
| 15 |
Certainly the intent is for them to get there, and if you find a way |
| 16 |
to break out of a container the kernel team would certainly accept it |
| 17 |
as a bug and fix it. However, I don't think most of the big names in |
| 18 |
linux would rate it on the same level as a VM. As you've pointed out, |
| 19 |
VMs aren't perfect, though I'm not aware of any way to actually defeat |
| 20 |
any of the popular ones (and if there were, they'd almost certainly |
| 21 |
patch it). I'll certainly acknowledge that there is a larger attack |
| 22 |
surface than separate hosts (and it isn't like those are invulnerable |
| 23 |
either - who knows what bug exists in an ethernet card somewhere). |
| 24 |
|
| 25 |
Containers are a lot more secure than chroots though. Non-root in a |
| 26 |
container is generally considered to be fairly secure - it is an |
| 27 |
additional layer on top of normal user privilege isolation. |
| 28 |
Containers are generally a lot more convenient than chroots as well, |
| 29 |
simply because there are fewer compatibility issues and constraints |
| 30 |
inside. If you want to run sysvinit/openrc or systemd inside your |
| 31 |
container you can, and that isn't really possible inside a chroot. Of |
| 32 |
course, you don't have to, but at least you have the option. |
| 33 |
|
| 34 |
The biggest selling point for a container is the resource |
| 35 |
requirements. The overhead to run a container with systemd inside is |
| 36 |
only a few MB. If you're running a container without a service |
| 37 |
manager the overhead is even less. You could never run a VM with only |
| 38 |
a few MB of RAM. The main constraint on RAM use for a container is |
| 39 |
the fact that you're not sharing libraries with the host. Otherwise |
| 40 |
they're just processes with different namespace values in the kernel |
| 41 |
(EVERY process runs in a set of namespaces, even if you're not using |
| 42 |
containers - by default they just all have the same set of values). |
| 43 |
Any solution that bundles the libraries with the package is going to |
| 44 |
use a similar amount of RAM. Also, launching a process in a new |
| 45 |
namespace takes the same amount of time as launching a process in the |
| 46 |
same namespace, minus the trivial time required to page in libraries |
| 47 |
and such. A VM takes seconds to boot, vs the milliseconds for a |
| 48 |
container. In terms of overhead containers and chroots are almost |
| 49 |
identical. |
| 50 |
|
| 51 |
The biggest selling point for not just running everything on the host |
| 52 |
is isolation. I have a container that just runs mariadb. When I do |
| 53 |
an emerge -u world it is like updating any other Gentoo host, but when |
| 54 |
I'm done I fire off a bunch of tests to make sure mariadb is working, |
| 55 |
and if it works I know I'm done. When I was running everything on a |
| 56 |
single host I'd inevitably do an emerge -u world and occasionally have |
| 57 |
something random break. Short of testing everything every time I do |
| 58 |
an update it is hard to avoid that sort of thing. Of course, I end up |
| 59 |
having to run a lot more updates, but I don't have to do them all at |
| 60 |
once and I can update the container for each service on an appropriate |
| 61 |
schedule. |
| 62 |
|
| 63 |
-- |
| 64 |
Rich |
Archives