Re: [Publicity] Docker Open Source Container Virtualization on the Rise
There does seem to be a really big push for containers, and I do think we need to think about how to get a counter-message out.

The basic facts are that containers probably are lower overhead, in terms of memory and CPU overhead, than virtualizing a full OS (though probably not for cloud OSes like OSv or Mirage -- particularly if running in PV or PVH mode on Xen).

But they are absolutely less secure than hypervisors. The system call interface is much more porous than the hypervisor interface. There have been dozens of Linux privilege escalation vulnerabilities through the system call layers over the years: any one of these vulnerabilities would give an attacker control of all containers on the system.

By contrast, Xen has had only one vulnerability that allows a guest to break into the hypervisor, and that due to a processor bug: and it only worked in PV mode, on Intel boxes. I don't know what KVM's record is, but I'm sure it's similar.

So containers are completely inappropriate for a public cloud environment, where users who don't trust each other share the same hardware. Nor are they appropriate if you want to make sure that successfully attacking one server cannot easily attack other servers.

The place where they make the most sense is in private clouds, particularly if there aren't any public-facing services, or if the public-facing services are lower value, where security is less critical than performance.

Just tossing this out there -- would it make sense at all to coordinate with KVM (or even VMWare) people about this? Are RedHat or Canonical doing anything with containers? I think the OSv guys should be on-side; particularly if it gives them an opportunity to make a case for their approach.

 -George

On 02/11/2014 07:08 PM, Sarah Conway wrote:
FYI,

Below is VARGuy coverage of the latest Docker release. (1.0 version is
expected in April.) With these new releases, supposedly Docker can now
"meet the demands of cloud computing and PaaS solutions." They are
positioning it as the next logical step for PaaS, pigeon-holing
hypervisors as only beneficial to IaaS.

The article goes on to say: "Unlike the virtualization hypervisors that
power most virtual servers today, Docker doesn't virtualize an entire
operating system. Instead, it provides virtualized application
containers that run on top of a "bare-metal" host operating system. By
virtualizing at the application level, Docker can offer greater
portability, efficiency and security."

http://thevarguy.com/virtualization-applications-and-technologies/021014/docker-open-source-container-virtualization-rise?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+TheVarGuy+%28The+VAR+Guy%29

An article from Dec. 2013:

http://www.networkworld.com/community/blog/containers-new-hypervisors

Some additional messaging from their web site:

Seven months after launching, the Docker ecosystem is expanding rapidly:
Docker has been downloaded over 200,000 times, has received over 7,500
Github stars, and is receiving contributions from more than 200
community developers. Over 2,500 "Dockerized" applications are now
available at the Docker public index, and third party projects and
partnerships built on top of Docker span PaaS, operating systems,
hosting services, CI platforms, and more. Over 50 user-created case
studies are available from companies such as eBay, Cloudflare,
Rackspace/Mailgun, Yandex, Cambridge Health Care, and RelateIQ.

I suggest we finesse our messaging against container technologies like
Docker, which are gaining traction in the press right now. Feedback from
the AB on this point would be appreciated. It will likely be a question
that comes up in the near future. We could also try to piggy-back any
Docker 1.0 coverage that might be coming out in the April timeframe,
offering reporters a counter opinion/view on containers vs.
virtualization, etc.


_______________________________________________
Publicity mailing list
Publicity@xxxxxxxxxxxxxxxxxxxx
http://lists.xenproject.org/cgi-bin/mailman/listinfo/publicity
