Containers or Virtual Machines: Which is More Secure? (zdnet.com)
Are virtual machines (VM) more secure than containers? You may think you know the answer, but IBM Research has found containers can be as secure, or more secure, than VMs. From a report: James Bottomley, an IBM Research Distinguished Engineer and top Linux kernel developer, writes: "One of the biggest problems with the current debate about Container vs Hypervisor security is that no-one has actually developed a way of measuring security, so the debate is all in qualitative terms (hypervisors 'feel' more secure than containers because of the interface breadth) but no-one actually has done a quantitative comparison." To meet this need, Bottomley created Horizontal Attack Profile (HAP), designed to describe system security in a way that it can be objectively measured. Bottomley has discovered that "a Docker container with a well crafted seccomp profile (which blocks unexpected system calls) provides roughly equivalent security to a hypervisor."
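The summary's key claim rests on a "well crafted" seccomp profile, i.e. one that denies by default and allows only the syscalls a workload actually uses. As an added example (not from the zdnet report, IBM's HAP work or Docker itself), here is a small Python checker for Docker-style seccomp profiles: it resolves the action a profile gives a syscall, flags a profile that allows by default, and reports which syscalls an observed workload needs that the profile would deny. Both profiles are constructed for illustration, not Docker's shipped default.

```python
import json

# Constructed strict profile in Docker's seccomp schema (defaultAction plus
# syscall rules): deny everything except a short allowlist.
STRICT_PROFILE = json.dumps({
    "defaultAction": "SCMP_ACT_ERRNO",
    "architectures": ["SCMP_ARCH_X86_64"],
    "syscalls": [
        {"names": ["read", "write", "exit_group", "futex", "mmap", "brk"],
         "action": "SCMP_ACT_ALLOW"},
    ],
})

# Constructed permissive profile: allow by default, deny only a handful.
LOOSE_PROFILE = json.dumps({
    "defaultAction": "SCMP_ACT_ALLOW",
    "syscalls": [{"names": ["mount", "ptrace"], "action": "SCMP_ACT_ERRNO"}],
})


def rules(profile_json):
    """Return (default_action, {syscall: action}) from a Docker seccomp profile."""
    profile = json.loads(profile_json)
    table = {}
    for rule in profile.get("syscalls", []):
        # Current profiles use "names"; older ones used a single "name".
        names = rule.get("names") or ([rule["name"]] if "name" in rule else [])
        for name in names:
            table[name] = rule["action"]
    return profile["defaultAction"], table


def decision(profile_json, syscall):
    """Action the profile applies to one syscall (explicit rule or default)."""
    default, table = rules(profile_json)
    return table.get(syscall, default)


def audit(profile_json, workload_syscalls):
    """Compare a profile with the syscalls a workload was observed to make.

    Reports whether the profile allows by default (the weak setting), which
    observed syscalls it would deny (the workload would break), and how many
    syscalls it explicitly allows, a crude proxy for exposed kernel surface."""
    default, table = rules(profile_json)
    denied = sorted(s for s in workload_syscalls
                    if decision(profile_json, s) != "SCMP_ACT_ALLOW")
    return {
        "default_allow": default == "SCMP_ACT_ALLOW",
        "breaks_workload": denied,
        "explicit_allow": sum(1 for a in table.values() if a == "SCMP_ACT_ALLOW"),
    }
```

In practice the workload list would come from tracing the container (for example with strace or an audit-mode seccomp log) rather than being typed by hand.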
Jails on ZFS. Nothing better. Unless, of course, you can afford an IBM Z-series mainframe.
Exactly. An ideal container, perfectly configured and perfectly implemented, with more-secure but less-convenient settings, would be -
Well it would be non-existent, because shit ain't perfect. If things in the real world were perfect, security wouldn't be much of an issue.
I'll have hard data in real-world containers and VMs next month. My company (Alert Logic) just released a suite of security services for containers so we will be able to tell exactly how often, and in which ways, our customers actual containers are breached, and what vulnerabilities they actually have. I can cross-reference that data with VMs in my database.
Based on decades of experience, I expect the data will show that VMs are more secure. I also expect the data will show that what you put IN the container or VM is far more important than whether you put it in a VM or container. Stupid in a VM is stupid, stupid in a container is stupid. Containers can use less RAM, though.
Someone mentioned chroot, which is the basic system call behind containers. Chroot is not a security tool. Chroot was not designed for security. Chroot does not provide security of any kind. Leaving chroot is as simple as chrooting again:
mkdir foo; chroot foo; cd ..
Chroot is useful for cross-compiling and certain other tasks related to developing software. It was created for the purpose of compiling and testing BSD4.2 before it was ready for release. Bill's machine ran 4.1; he could switch to 4.2 versions of the files by running chroot. (And could go back to the 4.1 system by simply running chroot again.)