by nhaehnle 4186 days ago
If they all run without containers, if one service gets compromised, and a root exploit is found, that's it, game over.

To be fair, if a kernel-level root exploit is found, it's probably also game over for containers. It's possible to have root exploits that cannot escape containers due to UID virtualization or whatever, but typically(?) root exploits are based on being able to mess with kernel memory, in which case escaping a container should also be possible.
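The "UID virtualization" the comment refers to is the Linux user-namespace UID mapping, which a process can inspect in /proc/self/uid_map. The following is an added example (not part of the thread, not any project's code) that parses that file's real format, "<ns_start> <parent_start> <length>", and reports whether a process sees the host's UIDs directly or a mapped range. The two sample maps are constructed; only a kernel-level check would tell you anything about the memory-corruption case the comment says a mapping cannot stop, and this check deliberately does not claim to.

```python
"""Inspect user-namespace UID mapping (the /proc/<pid>/uid_map format).

Added example for illustration; not code from the Hacker News thread.
Assumes the Linux uid_map format: one or more lines of
    <ns_start> <parent_start> <length>
meaning UIDs [ns_start, ns_start+length) inside the namespace correspond to
UIDs [parent_start, parent_start+length) in the parent (ultimately the host).
"""
from dataclasses import dataclass
from typing import List, Optional

# The initial (host) user namespace reports a single identity line covering
# the whole 32-bit UID space; this is the value the kernel prints there.
FULL_RANGE = 4294967295

# Constructed samples, not captured from a real system.
HOST_MAP = "         0          0 4294967295\n"      # no virtualization
ROOTLESS_MAP = "         0     100000      65536\n"  # typical rootless container


@dataclass(frozen=True)
class UidMapping:
    ns_start: int      # first UID as seen inside the namespace
    parent_start: int  # matching UID in the parent namespace
    length: int        # number of UIDs covered by this line


def parse_uid_map(text: str) -> List[UidMapping]:
    """Parse uid_map text into mappings; an empty file yields an empty list."""
    mappings: List[UidMapping] = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if len(parts) != 3:
            raise ValueError(f"malformed uid_map line: {line!r}")
        ns_start, parent_start, length = (int(p) for p in parts)
        if length <= 0 or ns_start < 0 or parent_start < 0:
            raise ValueError(f"invalid uid_map values: {line!r}")
        mappings.append(UidMapping(ns_start, parent_start, length))
    return mappings


def is_uid_virtualized(mappings: List[UidMapping]) -> bool:
    """True unless the map is the identity over the full UID range.

    An empty map (a fresh user namespace with nothing written yet) counts as
    virtualized: no host UID is reachable from inside at all.
    """
    if not mappings:
        return True
    m = mappings[0]
    identity = (len(mappings) == 1 and m.ns_start == 0
                and m.parent_start == 0 and m.length == FULL_RANGE)
    return not identity


def host_uid_for(mappings: List[UidMapping], ns_uid: int) -> Optional[int]:
    """Translate a UID seen inside the namespace to the parent's UID.

    Returns None when the UID is not covered by any line; inside the
    namespace such IDs show up as the overflow UID (normally 65534).
    """
    for m in mappings:
        if m.ns_start <= ns_uid < m.ns_start + m.length:
            return m.parent_start + (ns_uid - m.ns_start)
    return None


def read_own_uid_map() -> Optional[str]:
    """Return this process's uid_map text, or None off Linux."""
    try:
        with open("/proc/self/uid_map", "r", encoding="ascii") as fh:
            return fh.read()
    except OSError:
        return None


def describe(text: str) -> str:
    """One-line summary suitable for a health check or audit log."""
    mappings = parse_uid_map(text)
    if not is_uid_virtualized(mappings):
        return "no UID virtualization: in-namespace root is host root"
    root_on_host = host_uid_for(mappings, 0)
    if root_on_host is None:
        return "UID virtualization: root is unmapped (appears as overflow UID)"
    return f"UID virtualization: in-namespace root is host UID {root_on_host}"


if __name__ == "__main__":
    for label, sample in (("host", HOST_MAP), ("rootless", ROOTLESS_MAP)):
        print(f"{label:9s} {describe(sample)}")
    own = read_own_uid_map()
    if own is not None:
        print(f"{'self':9s} {describe(own)}")
```

Run it on a host and inside a rootless container to see the two outcomes side by side; the result tells you whether a container's root maps to an unprivileged host UID, which is the property the comment calls UID virtualization, and nothing more than that.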