Isolation doesn't mean secure. Some containerisation solutions are designed to provide a security mechanism. Other containerisation solutions, such as Docker, are designed as a development and/or orchestration tool.

I do agree that it's important to have defence in depth.




His statement was: "but containers and Docker specifically shouldn't be used to isolate systems for security".

Well, thousands of companies, such as ISPs offering VPS are using containers for exactly that reason. Containers use cgroups under the hood, a Linux kernel feature that limits, accounts for, and isolates the resource usage (CPU, memory, disk I/O, network, etc.) of a collection of processes. As long as there aren't any bugs in the kernel related to cgroups, security is provided.

Saying containers shouldn't be used for security is like saying kernel functions shouldn't be used for security.


I'm not suggesting all containers shouldn't be used for security. I'm just saying docker - specifically - isn't an isolation tool that was designed primarily as a security tool. There are other solutions on Linux if you want security - such as LXC and OpenVZ - which I suspect is what those ISPs you're referring to use.

The problem with docker isn't at the kernel level, it's the userspace tooling. It's pretty insecure by default. For example it creates bridged networks as the default network interface and actively encourages (by design) developers to run code as root (since creating non-root users then becomes a manual RUN command). Then you have vulnerabilities in the user space tools to contend with in addition to the same concerns about sharing a kernel that crop up when discussing security and containerisation. That said, there are some things it does right from a security standpoint, but generally speaking docker is a tool you need to harden rather than something that comes hardened.

I don't hate docker though. It's a great productivity tool and it can be run securely if you have proper defence in depth. But I would advise against running docker as your only sandboxing. To be honest, I'd advise security at all levels regardless of the docker discussion anyway.
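As an added example (not part of this thread), here is a small Python audit over `docker inspect` output that flags the defaults the comment above complains about, starting with containers whose image never set a non-root USER. The JSON sample is constructed in the shape `docker inspect` emits, and the checks beyond the root-user one (privileged mode, added capabilities, missing no-new-privileges) are hardening checks I added, not points made in the comment.

```python
import json

# Constructed sample in the shape of `docker inspect` output, trimmed to the
# fields this audit reads; it is not captured from any real host.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/web", "Config": {"User": ""},
     "HostConfig": {"Privileged": False, "CapAdd": None, "SecurityOpt": None}},
    {"Name": "/worker", "Config": {"User": "app"},
     "HostConfig": {"Privileged": False, "CapAdd": None,
                    "SecurityOpt": ["no-new-privileges:true"]}},
    {"Name": "/agent", "Config": {"User": "0"},
     "HostConfig": {"Privileged": True, "CapAdd": ["SYS_ADMIN"],
                    "SecurityOpt": None}},
])


def audit_container(entry):
    """Return a list of hardening findings for one `docker inspect` entry."""
    findings = []
    # Config.User is empty when the image never set USER, which means the
    # process runs as root; "root" or uid 0 is explicit root.
    user = ((entry.get("Config") or {}).get("User") or "").split(":")[0]
    if user in ("", "root", "0"):
        findings.append("runs as root")
    host = entry.get("HostConfig") or {}
    if host.get("Privileged"):
        findings.append("privileged container")
    if host.get("CapAdd"):
        findings.append("added capabilities: " + ",".join(host["CapAdd"]))
    sec_opts = host.get("SecurityOpt") or []
    if not any(opt.startswith("no-new-privileges") for opt in sec_opts):
        findings.append("no-new-privileges not set")
    return findings


def audit_inspect_output(raw_json):
    """Map container name -> findings, omitting containers with none."""
    report = {}
    for entry in json.loads(raw_json):
        findings = audit_container(entry)
        if findings:
            report[entry.get("Name", "?").lstrip("/")] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit_inspect_output(SAMPLE_INSPECT).items():
        print(f"{name}: {'; '.join(findings)}")
```

On a real host, feed it `docker inspect $(docker ps -q)` instead of the constructed sample.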


Huh? Most VPSes are virtual machines (likely KVM, possibly Xen, based), and are not using Docker at all.


You do get container-based VPSes too. Though you're right they wouldn't be docker. Usually OpenVZ (last time I checked) but I've not kept up to date with LXC development.



