by binarycrusader
4360 days ago
I'm done here. I agree to disagree. I still believe you are wrong and I did not claim Docker was a general container solution. You don't know how Solaris Zones work, because if you did, you'd understand that cgroups are insufficient to provide the same level of security.
>I'm sure Docker is appropriate for some specific situations, but it is not currently an appropriate general container solution if you care about security.
>Docker doesn't provide the full security isolation that Solaris Zones does; I'm sure it's the right style of solution for specific cases, but it is not an appropriate general solution for isolation or containerisation.
Tell yourself whatever you need to.
>You don't know how Solaris Zones work, because if you did, you'd understand that cgroups are insufficient to provide the same level of security.
Which is why I also mentioned (and even linked you to the documentation for) docker_selinux, which is actually security instead of mere process isolation through namespaces and resource control (which are what cgroups do). Incidentally, this is the same way non-labeled zones work, but I guess I don't know anything about those.
Think whatever you want.