by bombcar 1818 days ago
This is perhaps the best argument I’ve seen for a separate firewall device even if it’s in the cloud (and just software) - something on your box running as root may bypass your rules just to help you.
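As an added example (not from anyone in this thread), this is the check a defender can run to see the point above concretely: Docker publishes container ports by inserting DNAT rules into its own DOCKER chain in the nat table, so a port can be reachable from outside even when the host's INPUT chain never accepts it. The script parses `iptables-save` text, lists the published ports, and reports those that the INPUT chain would otherwise block. The dump below is constructed for the example, and the function names are my own.

```python
import shlex

# Constructed iptables-save excerpt (not captured from a real host):
# - INPUT policy DROP, only SSH accepted
# - Docker published 27017 on all interfaces and 5432 on 127.0.0.1 only
SAMPLE_IPTABLES_SAVE = """
*nat
:PREROUTING ACCEPT [0:0]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A DOCKER -i docker0 -j RETURN
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 27017 -j DNAT --to-destination 172.17.0.2:27017
-A DOCKER -d 127.0.0.1/32 ! -i docker0 -p tcp -m tcp --dport 5432 -j DNAT --to-destination 172.17.0.3:5432
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:DOCKER - [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 27017 -j ACCEPT
COMMIT
"""


def _tables(dump):
    """Yield (table_name, tokenized rule) for every -A line in an iptables-save dump."""
    table = None
    for raw in dump.splitlines():
        line = raw.strip()
        if line.startswith("*"):
            table = line[1:]
        elif line.startswith("-A "):
            yield table, shlex.split(line)


def _opt(tokens, flag):
    """Return the value following FLAG in TOKENS, or None. Ignores negated ('!') occurrences."""
    for i, tok in enumerate(tokens[:-1]):
        if tok == flag and (i == 0 or tokens[i - 1] != "!"):
            return tokens[i + 1]
    return None


def parse_docker_dnat(dump):
    """Ports Docker published: DNAT rules in the nat table's DOCKER chain.

    'bind' is the host address the rule is restricted to; Docker omits -d
    when a port was published on all interfaces, so that becomes 0.0.0.0/0.
    """
    rules = []
    for table, tokens in _tables(dump):
        if table != "nat" or tokens[1] != "DOCKER" or "DNAT" not in tokens:
            continue
        rules.append({
            "proto": _opt(tokens, "-p"),
            "port": int(_opt(tokens, "--dport")),
            "dest": _opt(tokens, "--to-destination"),
            "bind": _opt(tokens, "-d") or "0.0.0.0/0",
        })
    return rules


def externally_reachable(rules):
    """Published ports not pinned to loopback, i.e. reachable from other hosts."""
    return [r for r in rules if not r["bind"].startswith("127.")]


def input_accepts(dump, port):
    """True if the filter table's INPUT chain has an explicit ACCEPT for PORT."""
    for table, tokens in _tables(dump):
        if table == "filter" and tokens[1] == "INPUT" and "ACCEPT" in tokens:
            dport = _opt(tokens, "--dport")
            if dport is not None and int(dport) == port:
                return True
    return False


def bypassed_ports(dump):
    """(proto, port, container) for Docker-published ports the INPUT chain never allowed.

    Docker's DNAT happens in PREROUTING, so the traffic is routed through
    FORWARD/DOCKER and never consults INPUT; the host rules are bypassed.
    """
    return [
        (r["proto"], r["port"], r["dest"])
        for r in externally_reachable(parse_docker_dnat(dump))
        if not input_accepts(dump, r["port"])
    ]


if __name__ == "__main__":
    for proto, port, dest in bypassed_ports(SAMPLE_IPTABLES_SAVE):
        print(f"{proto}/{port} -> {dest}: published by Docker, not permitted by INPUT")
```

On a live host, feed it the output of `iptables-save` (run as root) instead of the constructed dump; a non-empty result means the container publish settings, not the INPUT chain, decide what the host exposes, which is exactly why an upstream firewall that Docker cannot edit is worth having.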

Alternatively, running all your services as VMs also helps.

Having root in a VM doesn't typically give you any rights on the hypervisor (at least not on e.g. Xen).

Well, if they get root on your Mongo VM they can still drop all your tables (or ransomware you), right? So would it make a difference in this particular case? Outside the VM tooling probably not being so insane as to bypass the firewall?

Well, in this case Docker was trying to be helpful.

On a hypervisor, it's much harder for VMs to influence each other.

Linux containers (and Docker amongst them) started out as convenient and reasonably performant, and added security later. One patch at a time.

Historically, hypervisors typically started secure and added performance and convenience over time.

(Very simplified. But I used to work for XenSource back in the day.)