[tptacek]

"Avoid shared-kernel attack surfaces" is not an unreasonable proposition in 2026.

[JackSlateur]

Virtual machines are still the best design and has been for something like 20 years

Containers are good, as long as they all share the same purpose (read: same application, no multi-tenant)

We all know that multi-users systems (and thus, containers) have a very wide attack surface, while VM attack surface is very limited ..

This is why I am totally convinced that:

  - redhat and friends are a terrible idea (licencing forces collocation which reduces segmentation)
  - per-instance pricing (read: cloud public, but not only that) are terrible: for the same reason. Paying per consumed CPU/ram is sane, paying per VM unit is damageful

[angry_octet]

Yes that is reasonable, but dispensing with all on machine controls is not.

[0123456789ABCDE]

isn't root level access one of the selling points of the cloud vm product line?

[angry_octet]

That doesn't mean you should run your services as root, it means other users are not sharing your machine/ kernel.

[__float]

It is very good practical advice.

It also saddens me greatly, imagining what computing could look like if systems evolved differently.