
Re: [Publicity] Docker Open Source Container Virtualization on the Rise



The recent x32 ABI exploit in Linux puts the dangers of placing too much 
trust in containers in sharp relief.

http://www.zdnet.com/low-level-exploit-sends-ubuntu-opensuse-kernel-bug-hunting-7000025872/

Perhaps the simplest thing is to look for a list of recent CVE vulnerabilities 
and highlight which ones would be blocked by Xen, KVM and containers.  I've not 
seen such a list elsewhere on the web.

-anil

On 11 Feb 2014, at 19:36, George Dunlap <george.dunlap@xxxxxxxxxxxxx> wrote:

> There does seem to be a really big push for containers, and I do think we 
> need to think about how to get a counter-message out.
> 
> The basic facts are that containers probably are lower overhead, in terms of 
> memory and cpu overhead, than virtualizing a full OS (though probably not for 
> cloud OSes like OSv or Mirage -- particularly if running in PV or PVH mode on 
> Xen).
> 
> But they are absolutely less secure than hypervisors.  The system call 
> interface is much more porous than the hypervisor interface.  There have been 
> dozens of Linux privilege escalation vulnerabilities through the system call 
> layers over the years: any one of these vulnerabilities would give an 
> attacker control of all containers on the system.
> 
> By contrast, Xen has had only one vulnerability that allows a guest to break 
> into the hypervisor, and that due to a processor bug: and it only worked in 
> PV mode, on Intel boxes.  I don't know what KVM's record is, but I'm sure 
> it's similar.
> 
> So containers are completely inappropriate for a public cloud environment, 
> where users who don't trust each other share the same hardware.  Nor are they 
> appropriate if you want to make sure that successfully attacking one server 
> cannot easily attack other servers.
> 
> The place where they make the most sense is in private clouds, particularly 
> if there aren't any public-facing services, or if the public-facing services 
> are lower value, where security is less critical than performance.
> 
> Just tossing this out there -- would it make sense at all to coordinate with 
> KVM (or even VMWare) people about this?  Are RedHat or Canonical doing 
> anything with containers?  I think the OSv guys should be on-side; 
> particularly if it gives them an opportunity to make a case for their 
> approach.
> 
> -George
> 
> On 02/11/2014 07:08 PM, Sarah Conway wrote:
>> FYI,
>> 
>> Below is VARGuy coverage of the latest Docker release. (1.0 version is
>> expected in April.) With these new releases, supposedly Docker can now
>> "meet the demands of cloud computing and PaaS solutions." They are
>> positioning it as the next logical step for PaaS, pigeon-holing
>> hypervisors as only beneficial to IaaS.
>> 
>> The article goes on to say: "Unlike the virtualization hypervisors that
>> power most virtual servers today, Docker doesn't virtualize an entire
>> operating system. Instead, it provides virtualized application
>> containers that run on top of a "bare-metal" host operating system. By
>> virtualizing at the application level, Docker can offer greater
>> portability, efficiency and security."
>> 
>> http://thevarguy.com/virtualization-applications-and-technologies/021014/docker-open-source-container-virtualization-rise?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+TheVarGuy+%28The+VAR+Guy%29
>> 
>> An article from Dec. 2013:
>> 
>> http://www.networkworld.com/community/blog/containers-new-hypervisors
>> 
>> Some additional messaging from their web site:
>> 
>> Seven months after launching, the Docker ecosystem is expanding rapidly:
>> Docker has been downloaded over 200,000 times, has received over 7,500
>> Github stars, and is receiving contributions from more than 200
>> community developers. Over 2,500 "Dockerized" applications are now
>> available at the Docker public index, and third party projects and
>> partnerships built on top of Docker span PaaS, operating systems,
>> hosting services, CI platforms, and more. Over 50 user-created case
>> studies are available from companies such as eBay, Cloudflare,
>> Rackspace/Mailgun, Yandex, Cambridge Health Care, and RelateIQ.
>> 
>> I suggest we finesse our messaging against container technologies like
>> Docker, which are gaining traction in the press right now. Feedback from
>> the AB on this point would be appreciated. It will likely be a question
>> that comes up in the near future. We could also try to piggy-back any
>> Docker 1.0 coverage that might be coming out in the April timeframe,
>> offering reporters a counter opinion/view on containers vs.
>> virtualization, etc.


_______________________________________________
Publicity mailing list
Publicity@xxxxxxxxxxxxxxxxxxxx
http://lists.xenproject.org/cgi-bin/mailman/listinfo/publicity