Hacker News new | ask | show | jobs
by binarycrusader 4360 days ago
I am not repeatedly missing what Docker does; all I'm pointing out is that Docker is currently insufficient as a true isolation solution from a security and/or other perspectives.

Again, I'm sure Docker is appropriate for some specific situations, but it is not currently an appropriate general container solution if you care about security.
1 comments
evol262 4360 days ago
>I am not repeatedly missing what Docker does

>I'm sure Docker is appropriate for some specific situations, but it is not currently an appropriate general container solution if you care about security.

Yes, you are. Docker is not currently and is not trying to be a "general container solution". Again, that's LXC.

But "X is currently insufficient as 'true isolation'" is inane. libcontainer is built on top of kernel cgroups. Docker can be wholly isolated with selinux:

http://www.mankier.com/8/docker_selinux

You don't know what Docker does, you don't know what it's built on, you don't know how cgroups work, and you're entirely ignoring selinux.

Please stop.

link
binarycrusader 4360 days ago
I'm done here. I agree to disagree. I still believe you are wrong and I did not claim Docker was a general container solution. You don't know how Solaris Zones work, because if you did, you'd understand that cgroups are insufficient to provide the same level of security.
link
evol262 4359 days ago
> I still believe you are wrong and I did not claim Docker was a general container solution

>I'm sure Docker is appropriate for some specific situations, but it is not currently an appropriate general container solution if you care about security.

>Docker doesn't provide the full security isolation that Solaris Zones does; I'm sure it's the right style of solution for specific cases, but it is not an appropriate general solution for isolation or containerisation.

Tell yourself whatever you need to.

>You don't know how Solaris Zones work, because if you did, you'd understand that cgroups are insufficient to provide the same level of security.

Which is why I also mentioned (and even linked you to the documentation for) docker_selinux, which is actually security instead of mere process isolation through namespaces and resource control (which are what cgroups do). Incidentally, this is the same way non-labeled zones work, but I guess I don't know anything about those.

Think whatever you want.

link