Hacker News
by wolttam 40 days ago
I just don't trust the Linux kernel to effectively isolate processes anymore. Don't care if you're using user namespaces, seccomp, etc. There will be a bug.

Time for Micro VMs, they're a stronger security boundary (not perfect, stronger).

2 comments

You can't really do anything useful with a VM either unless you start punching holes in those boundaries.
I didn't say run in an air-gapped VM... Just as a means to better isolate the workloads I have running (some less trusted than others). Network connectivity and the associated vulnerabilities obviously remain.
No argument against VMs - just that they have a different risk profile and a different set of trade-offs than containers. They're not a silver bullet, but if they're working for you, then go for it.
Exactly.

If your VM can't do anything, it's probably not very useful.

Doing things meaning reading / writing files, communicating between VMs, services, etc.

What about SELinux?