by SomaticPirate 6 days ago
Why is Firecracker needed? Couldn't this just run in a container directly? I understand some of the isolation concerns, but a browser and container breakout is a billion dollar CVE, no?
3 comments

If you follow the kernel mailing list, container breakout exploits are currently a weekly occurrence.
Oh really? Not a security expert, but could you send me some examples?
Though it is true that bleeding edge browsers are fairly secure.
Most mature and/or security conscious providers don't consider containers to be a secure isolation boundary (with Microsoft being a notable exception, though it's unclear whether that's a failure of internal policy or incompetent enforcement of policy).

Containers provide a much broader attack surface than VMs, and since they're not considered secure as an industry standard, there are likely to be fewer resources put towards managing container escape CVEs than VM escape ones.

But everyone is running containers on Kubernetes?
You can take a snapshot of a microVM and roll back. I've never heard of this being done with containers.
You can have a volume mounted into your container backed by whatever block storage, which may support snapshotting, or formatted with a FS that supports snapshots.
The VM snapshot/load is about memory, not storage.
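The snapshot/load sequence the last two comments are talking about, as an added example that is not part of the thread: Firecracker exposes it over an HTTP API on a Unix socket, and the snapshot captures guest memory plus vCPU and device state, not the block device. The script assumes a running Firecracker process (version 1.0 or later, which uses the `mem_backend` form of the load request) with its API socket at `$FC_SOCKET`, and writable paths under `$SNAP_DIR`; the socket path, the snapshot directory and the `snapshot`/`restore` subcommands are assumptions for the example.

```shell
#!/bin/sh
# Added example (not from the thread): snapshot and roll back a Firecracker
# microVM through its API. Assumes firecracker is listening on $FC_SOCKET;
# socket path, snapshot directory and subcommand names are assumptions.
set -eu

FC_SOCKET="${FC_SOCKET:-/tmp/firecracker.socket}"
SNAP_DIR="${SNAP_DIR:-/tmp/fc-snap}"

# Request bodies as functions so they can be inspected or reused.
pause_body()  { printf '{"state": "Paused"}'; }
resume_body() { printf '{"state": "Resumed"}'; }

# Full snapshot: vCPU and device state goes to $1, guest memory to $2.
snapshot_create_body() {
  printf '{"snapshot_type": "Full", "snapshot_path": "%s", "mem_file_path": "%s"}' "$1" "$2"
}

# Load the same two files into a fresh, not-yet-booted Firecracker process;
# resume_vm starts the guest immediately with its memory exactly as it was.
snapshot_load_body() {
  printf '{"snapshot_path": "%s", "mem_backend": {"backend_path": "%s", "backend_type": "File"}, "resume_vm": true}' "$1" "$2"
}

# One API call: method, path, JSON body.
fc_api() {
  curl --silent --show-error --fail --unix-socket "$FC_SOCKET" \
    -X "$1" "http://localhost$2" \
    -H 'Accept: application/json' -H 'Content-Type: application/json' \
    --data "$3"
}

# The guest must be paused first so memory and device state are consistent;
# the disk image is not part of the snapshot and keeps whatever state it has.
take_snapshot() {
  mkdir -p "$SNAP_DIR"
  fc_api PATCH /vm "$(pause_body)"
  fc_api PUT /snapshot/create "$(snapshot_create_body "$SNAP_DIR/vmstate" "$SNAP_DIR/mem")"
  fc_api PATCH /vm "$(resume_body)"
}

# Rollback: start a new firecracker on the same socket, then load instead of booting.
restore_snapshot() {
  fc_api PUT /snapshot/load "$(snapshot_load_body "$SNAP_DIR/vmstate" "$SNAP_DIR/mem")"
}

# Only talk to the API when the socket exists, so the functions can be sourced offline.
if [ -S "$FC_SOCKET" ]; then
  case "${1:-}" in
    snapshot) take_snapshot ;;
    restore)  restore_snapshot ;;
    *) echo "usage: $0 snapshot|restore" >&2 ;;
  esac
fi
```

Because the memory file is restored byte for byte, anything the guest had in RAM at snapshot time (session keys, a logged-in browser profile) comes back with it; treat the snapshot files with the same care as the running VM, and pair the memory snapshot with a block-level snapshot of the disk if you need the storage state to match.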