Is the attack surface of Docker vs. LXC/systemd-nspawn significantly different?
One decision point in choosing between an application container solution versus an OS container solution is security. I'm not knowledgeable enough to be able to compare and contrast the two. I assume they're different, but is one significantly more open than the other?
security docker lxc containers
asked Apr 3 '17 at 19:43 by Jeff_ka
1 Answer
From a security standpoint, and in my opinion, rkt is worth considering too.
See for example CoreOS's somewhat opinionated comparison of rkt to alternative container systems.
As they point out, Docker is now using containerd under the hood, and provides a whole bunch of 'stuff' around the running of containers - I would tend to think the extras are likely to introduce more attack surface than more barebones systems (like containerd).
You should also keep in mind that the security of lots (if not all) of the solutions you list is enhanced by a suitably hardened kernel (e.g. PaX), and system (e.g. SELinux).
answered Apr 3 '17 at 20:12 by iwaseatenbyagrue
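One way to compare runtimes on what the kernel actually enforces for a container process, rather than on the tooling around it, as an added example (not from the answer or from any of the projects named): parse the process's `/proc/<pid>/status` fields and its LSM label and flag weak confinement. The two sample inputs and the labels passed to them are constructed, and the choice of which capabilities count as high risk is an assumption of this example.

```python
# Capability bit numbers are from linux/capability.h; which ones count as
# "high risk" is this example's assumption, not a standard list.
HIGH_RISK_CAPS = {
    2: "CAP_DAC_READ_SEARCH", 12: "CAP_NET_ADMIN", 13: "CAP_NET_RAW",
    16: "CAP_SYS_MODULE", 17: "CAP_SYS_RAWIO", 19: "CAP_SYS_PTRACE",
    21: "CAP_SYS_ADMIN", 22: "CAP_SYS_BOOT", 25: "CAP_SYS_TIME", 39: "CAP_BPF",
}

# Constructed samples in /proc/<pid>/status format (only the fields used here).
RESTRICTED = "Name:\tnginx\nCapEff:\t00000000a80425fb\nNoNewPrivs:\t0\nSeccomp:\t2\n"
PRIVILEGED = "Name:\tbash\nCapEff:\t0000003fffffffff\nNoNewPrivs:\t0\nSeccomp:\t0\n"

def parse_status(text):
    """Turn 'Key:<tab>value' lines into a dict of stripped strings."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def risky_caps(cap_hex):
    """Decode a CapEff hex mask and return the high-risk capabilities set in it."""
    mask = int(cap_hex, 16)
    return sorted(name for bit, name in HIGH_RISK_CAPS.items() if mask >> bit & 1)

def assess(status_text, lsm_label):
    """Return findings for one process; lsm_label is /proc/<pid>/attr/current."""
    f = parse_status(status_text)
    findings = []
    caps = risky_caps(f.get("CapEff", "0"))
    if caps:
        findings.append("high-risk capabilities: " + ", ".join(caps))
    if f.get("Seccomp", "0") == "0":          # 0 = disabled, 1 = strict, 2 = filter
        findings.append("no seccomp filter")
    if f.get("NoNewPrivs", "0") != "1":
        findings.append("no_new_privs not set")
    if not lsm_label.strip() or "unconfined" in lsm_label:
        findings.append("no LSM confinement")
    return findings

if __name__ == "__main__":
    for name, status, label in (
        ("restricted", RESTRICTED, "system_u:system_r:container_t:s0:c1,c2"),
        ("privileged", PRIVILEGED, "unconfined"),
    ):
        print(name, assess(status, label))
```

On a live host, pass `assess` the contents of `/proc/<pid>/status` and `/proc/<pid>/attr/current` for the container's init process as seen from the host; the same check applies whichever runtime started it.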