1 |
On Fri, Jun 17, 2016 at 3:16 AM, Andrew Savchenko <bircoph@g.o> wrote: |
2 |
> On Thu, 16 Jun 2016 22:35:24 -0400 waltdnes@××××××××.org wrote: |
3 |
>> I don't follow this stuff, so this may be a stupid question... how |
4 |
>> does a "container" or "docker" differ from a chroot or a QEMU VM with a |
5 |
>> minimal set of applications? |
6 |
> |
7 |
> Due to reasons above I prefer container solutions like LXC over VM |
8 |
> for security: they give approximately the same level of protection |
9 |
> as VM, but resources cost is much lower. Of course it is still |
10 |
> possible to break any container through L3 cache or some kernel |
11 |
> bugs, so for really tight security independent hardware and OS must |
12 |
> be used. |
13 |
|
14 |
Containers on Linux aren't nearly as secure as a VM right now. |
15 |
Certainly the intent is for them to get there, and if you find a way |
16 |
to break out of a container the kernel team would certainly accept it |
17 |
as a bug and fix it. However, I don't think most of the big names in |
18 |
linux would rate it on the same level as a VM. As you've pointed out, |
19 |
VMs aren't perfect, though I'm not aware of any way to actually defeat |
20 |
any of the popular ones (and if there were, they'd almost certainly |
21 |
patch it). I'll certainly acknowledge that there is a larger attack |
22 |
surface than separate hosts (and it isn't like those are invulnerable |
23 |
either - who knows what bug exists in an ethernet card somewhere). |
24 |
|
25 |
Containers are a lot more secure than chroots though. Non-root in a |
26 |
container is generally considered to be fairly secure - it is an |
27 |
additional layer on top of normal user privilege isolation. |
28 |
Containers are generally a lot more convenient than chroots as well, |
29 |
simply because there are fewer compatibility issues and constraints |
30 |
inside. If you want to run sysvinit/openrc or systemd inside your |
31 |
container you can, and that isn't really possible inside a chroot. Of |
32 |
course, you don't have to, but at least you have the option. |
33 |
|
34 |
The biggest selling point for a container is the resource |
35 |
requirements. The overhead to run a container with systemd inside is |
36 |
only a few MB. If you're running a container without a service |
37 |
manager the overhead is even less. You could never run a VM with only |
38 |
a few MB of RAM. The main constraint on RAM use for a container is |
39 |
the fact that you're not sharing libraries with the host. Otherwise |
40 |
they're just processes with different namespace values in the kernel |
41 |
(EVERY process runs in a set of namespaces, even if you're not using |
42 |
containers - by default they just all have the same set of values). |
43 |
Any solution that bundles the libraries with the package is going to |
44 |
use a similar amount of RAM. Also, launching a process in a new |
45 |
namespace takes the same amount of time as launching a process in the |
46 |
same namespace, minus the trivial time required to page in libraries |
47 |
and such. A VM takes seconds to boot, vs the milliseconds for a |
48 |
container. In terms of overhead containers and chroots are almost |
49 |
identical. |
50 |
|
51 |
The biggest selling point for not just running everything on the host |
52 |
is isolation. I have a container that just runs mariadb. When I do |
53 |
an emerge -u world it is like updating any other Gentoo host, but when |
54 |
I'm done I fire off a bunch of tests to make sure mariadb is working, |
55 |
and if it works I know I'm done. When I was running everything on a |
56 |
single host I'd inevitably do an emerge -u world and occasionally have |
57 |
something random break. Short of testing everything every time I do |
58 |
an update it is hard to avoid that sort of thing. Of course, I end up |
59 |
having to run a lot more updates, but I don't have to do them all at |
60 |
once and I can update the container for each service on an appropriate |
61 |
schedule. |
62 |
|
63 |
-- |
64 |
Rich |