OS for Secure Containers?
7 points by nicecars 16 days ago | 6 comments
If I need to isolate containers, which is the best OS for containers when security is important: Bottlerocket, Container-Optimized OS, Flatcar or PhotonOS? And why is that? What features, for example, are they protected by?



Going to toot my own horn here, but if you're looking for something like a container with a security focus, that is precisely what https://nanos.org was built for. No users, no login/ssh, no ability to run other programs other than the one that is already running. It kills off entire CWEs such as CWE-77/CWE-78 and neutralizes a large amount of nasty payloads, forcing attackers to put in the work. It has all the same security features you'll find in Linux (ASLR, stack exec off, rodata no exec, etc.) but more.

A Go unikernel deployed in this manner might have 5 files on the fs, so you don't have a half-dozen interpreters or living-off-the-land binary type stuff. Beware though that not all unikernels are built the same way and don't share the same security profiles as Nanos.

At the end of the day though, if security is a driving force, containers are simply not built for that. Just the other day CVE-2024-45310 landed, and a few weeks ago we had CVE-2024-42472 in Flatpak (a continuation of the bubblewrap stuff).

People are probably going to jump in here and mention gVisor and Firecracker. Note that Firecracker is really a machine monitor replacement and most payloads are still running a Linux guest (although Nanos can work here). gVisor does deal with the security issue well enough, but at the cost of performance if you don't have access to hw virtualization.


It's very helpful! Thanks! But is this a single unikernel? Or is it a management of them?


Nanos is the actual kernel, while ops (https://ops.city) is the build/deploy tool. I presume you're asking if this is doing "orchestration" - that is more of a container term. These get deployed as actual VMs, so all the orchestration stuff is performed by the cloud.



Xen


It's more than just Xen: for example, only a quarter of Xen CVEs affect Qubes: https://www.qubes-os.org/security/xsa/#statistics. Also the UX is great.



