But you assume that a container HAS full network access.
A firewall must be configured, but a firewall must be configured for a VM too.
My point is that there is not such a huge difference for production systems.
>> But you assume that a container HAS full network access.
No, I'm presuming it has some sort of network access; a malicious container could (for instance) still probe other containers for vulnerabilities, serve malware, etc., without full network access.
>> A firewall must be configured, but a firewall must be configured for a VM too. My point is that there is not such a huge difference for production systems.
If you're downloading VM images from somewhere and running them without checking what's in them you'll run into the same problem, sure.
The problem being pointed out here is that when applications are bundled outside of the purview of a packager like debian you -
- don't have as much trust in the origin of the app
- don't have an easy way to keep up on library patchlevels etc for security