undefined | Better HN

0 pointstarruda2y ago0 comments

systemd-nspawn is simple but AFAIK it doesn't do any security other than the kernel namespacing. Docker is even worse because it runs containers as root, which means a rogue process can take over the host very easily.

Incus/LXD runs containers as normal users (by default) and also confines the whole namespace in apparmor to further isolate containerized processes from the host. Apparmor confinement is also used for VMs (the qemu process cannot access anything that is not defined in the whitelist)

0 comments

viraptor2y ago

Docker runs container as the user you tell it to. Same with nspawn. There's not much difference there in that respect.

Nspawn does seccomp-based filtering, similar to the usual systemd services.

j / k navigate · click thread line to collapse

0 pointstarruda2y ago0 comments

0 comments

viraptor2y ago

Docker runs container as the user you tell it to. Same with nspawn. There's not much difference there in that respect.

Nspawn does seccomp-based filtering, similar to the usual systemd services.

j / k navigate · click thread line to collapse