I think there's a somewhat fine distinction to be made, here. An analogy is chro... | Hacker News

Hacker Newsnew | past | comments | ask | show | jobs | submit

		khafra 9 months ago \| parent \| context \| favorite \| on: Making a parallel Rust workload 10x faster with (o... I think there's a somewhat fine distinction to be made, here. An analogy is chroot. It's not a "security tool," and there are many ways to break out of a chroot jail, but it does provide some isolation, and that does provide a measure of security. If you run an application inside a container, and you have that container well-configured, it's going to be harder for someone with an RCE on that application to affect the rest of your system than if you weren't running that application in a container. But a container does not provide a security boundary in the same sense as the security boundary between kernel mode and user mode.

CGamesPlay 9 months ago [–]

Are you sure? I think it does provide a security boundary in a very analogous way to kernel/user mode. There are lots of ways to punch holes in that security boundary, but by default Docker provides, as far as I understood, a security boundary from the rest of the system and from other containers.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact