Slashdot Mirror


Containers or Virtual Machines: Which is More Secure? (zdnet.com)

Are virtual machines (VMs) more secure than containers? You may think you know the answer, but IBM Research has found containers can be as secure, or more secure, than VMs. From a report: James Bottomley, an IBM Research Distinguished Engineer and top Linux kernel developer, writes: "One of the biggest problems with the current debate about Container vs Hypervisor security is that no-one has actually developed a way of measuring security, so the debate is all in qualitative terms (hypervisors 'feel' more secure than containers because of the interface breadth) but no-one actually has done a quantitative comparison." To meet this need, Bottomley created the Horizontal Attack Profile (HAP), designed to describe system security in a way that can be objectively measured. Bottomley has found that "a Docker container with a well crafted seccomp profile (which blocks unexpected system calls) provides roughly equivalent security to a hypervisor."
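As an added illustration of what "a well crafted seccomp profile (which blocks unexpected system calls)" means in practice, here is a small Python script written for this page; it is not IBM Research's HAP tooling, nor Docker's own default profile. It turns an strace capture of a workload into a Docker/OCI seccomp allowlist: every syscall the kernel saw the program use is permitted, everything else fails with EPERM by default. The binary name, paths and trace lines below are constructed for the example and are not a real capture.

```python
"""Generate a Docker seccomp allowlist profile from an strace capture.

Added example for this page, not code from IBM Research (HAP) or Docker.
Assumes strace output in the shape produced by `strace -f ./app 2>trace.log`:
lines for the main pid are unprefixed, child threads/processes carry a
"[pid  N] " prefix (with `strace -o` every line carries "N  " instead).
"""
import json
import re

# Constructed strace -f sample for a hypothetical server binary "app".
# Not a real capture; values are illustrative.
SAMPLE_TRACE = """\
execve("/usr/local/bin/app", ["app"], 0x7ffd2a3b4c50 /* 8 vars */) = 0
brk(NULL)                               = 0x55d0c2a31000
openat(AT_FDCWD, "/etc/app.conf", O_RDONLY|O_CLOEXEC) = 3
read(3, "listen=8080\\n", 4096)          = 12
close(3)                                = 0
socket(AF_INET, SOCK_STREAM|SOCK_CLOEXEC, IPPROTO_IP) = 3
bind(3, {sa_family=AF_INET, sin_port=htons(8080), sin_addr=inet_addr("0.0.0.0")}, 16) = 0
listen(3, 128)                          = 0
clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x7f3c1e5c0a10) = 1235
[pid  1235] accept4(3, NULL, NULL, SOCK_CLOEXEC) = 4
[pid  1235] write(4, "HTTP/1.1 200 OK\\r\\n", 17) = 17
[pid  1235] close(4)                    = 0
[pid  1235] exit_group(0)               = ?
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=1235, si_uid=0, si_status=0} ---
wait4(-1, [{WIFEXITED(s) && WEXITSTATUS(s) == 0}], 0, NULL) = 1235
+++ exited with 0 +++
"""

# Syscall name at line start, after an optional "[pid  N] " or "N  " prefix.
SYSCALL_RE = re.compile(r"^(?:\[pid\s+\d+\]\s+|\d+\s+)?([a-z_][a-z0-9_]*)\(")


def observed_syscalls(trace: str) -> set:
    """Return the set of syscall names appearing in an strace capture.

    Signal deliveries ("--- SIGCHLD ..."), exit markers ("+++ exited ...")
    and "<... resumed>" continuation lines do not match and are skipped.
    """
    names = set()
    for line in trace.splitlines():
        m = SYSCALL_RE.match(line)
        if m:
            names.add(m.group(1))
    return names


def build_profile(syscalls, extra=(), arch="SCMP_ARCH_X86_64"):
    """Build a Docker/OCI seccomp profile allowing only `syscalls` plus `extra`.

    defaultAction SCMP_ACT_ERRNO makes every unlisted syscall fail with EPERM
    rather than killing the process, which surfaces in the application's own
    error handling and is easier to tune than SCMP_ACT_KILL.  `extra` is for
    syscalls the traced workload did not exercise but the program is known to
    need (error paths, signal handlers, log rotation); the allowlist is only
    as complete as the workload that was driven while tracing.
    """
    allow = sorted(set(syscalls) | set(extra))
    return {
        "defaultAction": "SCMP_ACT_ERRNO",
        "architectures": [arch],
        "syscalls": [{"names": allow, "action": "SCMP_ACT_ALLOW"}],
    }


def is_allowed(profile, name):
    """True if syscall `name` would be permitted under `profile`."""
    for rule in profile["syscalls"]:
        if name in rule["names"] and rule["action"] == "SCMP_ACT_ALLOW":
            return True
    return profile["defaultAction"] == "SCMP_ACT_ALLOW"


def interface_breadth(profile):
    """Count of syscalls the kernel will accept from the container: a crude
    measure of the 'interface breadth' the summary refers to."""
    return sum(len(r["names"]) for r in profile["syscalls"]
               if r["action"] == "SCMP_ACT_ALLOW")


if __name__ == "__main__":
    seen = observed_syscalls(SAMPLE_TRACE)
    profile = build_profile(seen, extra=["rt_sigreturn", "exit"])
    print(json.dumps(profile, indent=2))
    print("allowed syscalls:", interface_breadth(profile))
    print("ptrace allowed?", is_allowed(profile, "ptrace"))
```

Save the printed JSON as profile.json and start the container with `docker run --security-opt seccomp=profile.json ...`. Capture the trace under a workload that exercises every code path you care about (startup, normal requests, error handling, shutdown); any syscall the trace missed will surface later as an EPERM, which is the point the profile is making and also the reason these allowlists take work to maintain.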

7 of 90 comments

  1. major container developer says containers are secu by Anonymous Coward · · Score: 3, Insightful

    should we be surprised?

    Btw almost no one maintains good seccomp profiles, it is too cumbersome.

    VMs give you better out-of-the-box security than out-of-the-box containers, and he probably knows it.

  2. "container with a well crafted seccomp profile" by Anonymous Coward · · Score: 5, Insightful

    "a Docker container with a well crafted seccomp profile (which blocks unexpected system calls) provides roughly equivalent security to a hypervisor."

    Hypervisor it is, then!

    Seriously - if your security depends on something being "well crafted", you might as well have no security - because eventually, it won't be "well crafted" - somebody will screw it up.

    1. Re:"container with a well crafted seccomp profile" by Spazmania · · Score: 4, Insightful

      VMs and Containers (e.g. Docker) are exactly as secure as the software you install inside of them.

      Most developers who like containers like them because they don't have to use the OS versions of Apache or whatever and aren't stuck dealing with the sysadmin constantly breaking things with his security updates.

      The containers these developers build tend to be woefully insecure.

      --
      Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion.
  3. Answer by 110010001000 · · Score: 5, Insightful

    Answer: Neither. Intel's CPU bugs have made it possible to break both.

  4. Containers by definition are not more secure... by snapsnap · · Score: 4, Insightful

    than virtual machines. Why is this even a question?

  5. Re:Jails? by Anonymous Brave Guy · · Score: 4, Insightful

    chroot is to security as RAID is to backups.

    --
    If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
  6. Re: major container developer says containers are by lgw · · Score: 3, Insightful

    You're worried that hackers can get to one VM, but it's important that the other VM is super-secure, yet you don't run them on different hardware? Pretty odd.

    --
    Socialism: a lie told by totalitarians and believed by fools.