by MuffinFlavored 2637 days ago
> From experience I can tell you that Dev-Ops with containers can be a nightmare and a half costing companies heavily.

Why are containers any more dangerous/vulnerable/prone to leaks than deploying say... a standalone REST API not in a container?

1 comment

> Why are containers any more dangerous/vulnerable/prone to leaks than deploying say... a standalone REST API not in a container?

It's not about one service, it's about n services running on the same resource-partitioned hardware. If one gets compromised, how likely is that to affect other services running on other partitions? Containers (High, shared kernel), Unikernels (Lower, different kernel, hardware-supported isolation - almost like running n different physical machines).

It's not obvious though. It may be less risk, but you're not eliminating interfaces with a VM. You're replacing them with new ones. With bare processes you've got shared system resources and kernel to attack. With Docker you've got the kernel to attack. With VMs you've got virtual hardware drivers to attack.

We can play with risk estimation, but in practice, both containers and VMs were affected by memory sharing failures already. We know that syscall/ioctl issues exist. And we know that virtualisation issues exist.
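Added illustration, not part of the thread: one way to measure how much of that shared kernel a container process can actually reach is to read its seccomp mode, no_new_privs flag and effective capability mask from /proc/<pid>/status. The two status texts below are constructed samples (the first uses the capability mask Docker grants by default); the "high-risk" capability set is my own selection, not a kernel or Docker definition.

```python
import re
from pathlib import Path

# Capability bit index -> name, numbered as in linux/capability.h (0..40).
CAP_NAMES = (
    "CHOWN DAC_OVERRIDE DAC_READ_SEARCH FOWNER FSETID KILL SETGID SETUID SETPCAP "
    "LINUX_IMMUTABLE NET_BIND_SERVICE NET_BROADCAST NET_ADMIN NET_RAW IPC_LOCK IPC_OWNER "
    "SYS_MODULE SYS_RAWIO SYS_CHROOT SYS_PTRACE SYS_PACCT SYS_ADMIN SYS_BOOT SYS_NICE "
    "SYS_RESOURCE SYS_TIME SYS_TTY_CONFIG MKNOD LEASE AUDIT_WRITE AUDIT_CONTROL SETFCAP "
    "MAC_OVERRIDE MAC_ADMIN SYSLOG WAKE_ALARM BLOCK_SUSPEND AUDIT_READ PERFMON BPF "
    "CHECKPOINT_RESTORE"
).split()

# Capabilities whose reach extends well past the container's own namespaces
# (modules, raw devices, ptrace, network/mount administration). My own selection.
HIGH_RISK = {"SYS_ADMIN", "SYS_MODULE", "SYS_RAWIO", "SYS_PTRACE", "NET_ADMIN", "BPF"}

def parse_status(text):
    """Pull the Seccomp, NoNewPrivs and CapEff fields out of /proc/<pid>/status text."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^(Seccomp|NoNewPrivs|CapEff):\s*(\S+)", line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields

def decode_caps(hex_mask):
    """Expand a CapEff hex mask into capability names (unknown bits as CAP_<n>)."""
    mask = int(hex_mask, 16)
    return [CAP_NAMES[i] if i < len(CAP_NAMES) else f"CAP_{i}"
            for i in range(mask.bit_length()) if mask >> i & 1]

def assess(text):
    """Summarise how much kernel surface the process can reach; empty findings = tight."""
    f = parse_status(text)
    caps = decode_caps(f.get("CapEff", "0"))
    seccomp_mode = int(f.get("Seccomp", "0"))   # 0 disabled, 1 strict, 2 filter
    findings = []
    if seccomp_mode != 2:
        findings.append("no seccomp filter: full syscall/ioctl surface reachable")
    if f.get("NoNewPrivs", "0") != "1":
        findings.append("no_new_privs unset: execve may regain privileges")
    risky = sorted(c for c in caps if c in HIGH_RISK)
    if risky:
        findings.append("high-risk capabilities: " + ", ".join(risky))
    return {"seccomp_mode": seccomp_mode, "caps": caps, "findings": findings}

def assess_pid(pid):
    """Live check on a Linux host (requires permission to read that pid's status)."""
    return assess(Path(f"/proc/{pid}/status").read_text())

# Constructed samples: a filtered, default-capability process and a fully privileged one.
SAMPLE_DEFAULT = "Name:\tnginx\nSeccomp:\t2\nNoNewPrivs:\t1\nCapEff:\t00000000a80425fb\n"
SAMPLE_PRIVILEGED = "Name:\tnginx\nSeccomp:\t0\nNoNewPrivs:\t0\nCapEff:\t000001ffffffffff\n"
```

Run `assess_pid(<pid>)` against a container's init process to see which of the three knobs (syscall filter, privilege escalation, capabilities) is still wide open.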