
Containers, Security and Echo chambers - merlinsbrain
https://blog.jessfraz.com/post/containers-security-and-echo-chambers/
======
dvfjsdhgfv
The problem with the security of containers doesn't have much to do with
mandatory access control and similar mechanisms: it lies with the fact that
you get a huge pile of software, a whole operating system to inspect, whereas
the software in question is just a tiny bit of it. You need to trust the
people who created the app as being competent enough to create the app without
errors, but also trust that they made no mistake in configuring the whole rest
of the system that you would normally set up yourself. Having AppArmor/SELinux
or not doesn't change much here as practically anything can be broken, and
your task as a security officer working for a company using Docker images is
an order of magnitude more difficult.
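
The inspection task the comment describes, as an added example that is not part of the original post or the blog it discusses: a script that audits an exported container root filesystem (the plain tar that `docker export` writes) and reports how much of it is the application versus the surrounding operating system, plus the files a security reviewer would look at first (setuid/setgid binaries and world-writable paths). The sample image contents are constructed inline; the application prefix `opt/app` and the file list are assumptions for the demonstration.

```python
"""Audit an exported container root filesystem tar for contents that are not
the application itself. Added example; not code from the post or commenters.
Input format assumption: a plain tar of the root filesystem as produced by
`docker export <container>`.
"""
import io
import stat
import sys
import tarfile


def audit_rootfs_tar(tar_bytes, app_prefix):
    """Walk every regular file in the tar and summarise what is there.

    Returns a dict with the total regular-file count, how many of those live
    under app_prefix (the part the app authors actually wrote), and the lists
    of setuid/setgid and world-writable files that need a closer look.
    """
    summary = {"total_files": 0, "app_files": 0, "setuid": [], "world_writable": []}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for member in tar:
            if not member.isfile():
                continue  # skip directories, symlinks, device nodes
            name = member.name
            if name.startswith("./"):
                name = name[2:]  # normalise "./usr/bin/x" to "usr/bin/x"
            summary["total_files"] += 1
            if name.startswith(app_prefix):
                summary["app_files"] += 1
            # tar headers keep the full permission bits, so suid/sgid survive
            if member.mode & (stat.S_ISUID | stat.S_ISGID):
                summary["setuid"].append(name)
            if member.mode & stat.S_IWOTH:
                summary["world_writable"].append(name)
    return summary


def build_sample_rootfs():
    """Constructed sample image: a few base-OS files, two setuid helpers,
    a world-writable cache path, and exactly one application file."""
    files = [
        ("./bin/sh", 0o755, b"#!/bin/sh\n"),
        ("./usr/bin/sudo", 0o4755, b"ELF"),
        ("./usr/bin/passwd", 0o4755, b"ELF"),
        ("./etc/passwd", 0o644, b"root:x:0:0::/root:/bin/sh\n"),
        ("./tmp/cache", 0o666, b""),
        ("./opt/app/server.py", 0o644, b"print('hi')\n"),
    ]
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, mode, data in files:
            info = tarfile.TarInfo(name)  # default type is a regular file
            info.size = len(data)
            info.mode = mode
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def report(summary):
    """Human-readable summary; the ratio is the point of the exercise."""
    lines = [
        "regular files: %d" % summary["total_files"],
        "application files: %d" % summary["app_files"],
        "setuid/setgid: %s" % ", ".join(summary["setuid"]) or "none",
        "world-writable: %s" % ", ".join(summary["world_writable"]) or "none",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: docker export <container> > rootfs.tar
    #        python3 audit.py rootfs.tar opt/app
    if len(sys.argv) == 3:
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
        print(report(audit_rootfs_tar(data, sys.argv[2])))
    else:
        print(report(audit_rootfs_tar(build_sample_rootfs(), "opt/app")))
```

On the constructed sample one file in six belongs to the application; everything else (shell, setuid `sudo` and `passwd`, a world-writable path) is inherited base-image configuration that the reviewer did not set up and still has to vouch for.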

~~~
AstralStorm
Well. The flipside is that you can get a security-oriented, well-configured
virtual machine instead and ignore all this Docker thing that is no better at
anything security-wise than the plain Linux kernel. (While still using, say,
Kubernetes to manage it.)

------
mtgx
Why doesn't Docker enable namespaces by default, as LXC 2.0 does?

