undefined | Better HN

0 pointslolinder1y ago0 comments

> Why do I have to elaborate?

Because some of us have never heard of devcontainers as a named concept with its own spec until now. I've been running my dev servers inside containers for a long time now (using JetBrains IDEs!), but have never heard of this before.

> It is well known that a container offers a sandbox and process isolation.

No, actually, it's well known that containers don't do that. It's one of the first things you learn when you start learning about containers—they are not virtual machines and are not suitable for running untrusted code, because they share a kernel with the host.

I just read through the introduction to devcontainers and there are lots of benefits it discusses but security isn't one of them:

https://containers.dev/

0 comments

OutOfHere1y ago

> security isn't one of them

Oh but it is. If there is harmful data-stealing software running in the container, it will remain isolated to the container. And if the kernel is shared with the host, that's a read-only share.

simion3141y ago

>Oh but it is. If there is harmful data-stealing software running in the container, it will remain isolated to the container. And if the kernel is shared with the host, that's a read-only share.

And what protects the production server when you deploy the evil packages?

fragmede1y ago

> remain isolated to the container.

Assuming the code that implements the containerization is 100% bug free and there are no container escapes. I would not bet my user's safety purely on that assumption.

acdha1y ago

This is as useful as saying that seat belts do not make you safer because people still die in crashes. Containers are not perfect but if you’re starting from the conventional position where you’re one wrong package install away from an attacker having arbitrary access to your account and data, they’re a significant immediate improvement and a good foundation for further improvement.

OutOfHere1y ago

Yes, exactly. JetBrains fanboys will prefer to remain blind to it, however, not realizing that the free version of JetBrains isn't competitive anymore against VSCode.

1 more reply

lolinderOP1y ago

I think you're missing my point: you are saying that it is one of the benefits, but they don't because it isn't one. Containers are not a security solution for running untrusted code. You saying they are does not make it so.

> And if the kernel is shared with the host, that's a read-only share.

No, it's not, the kernel is reading and writing files constantly for the container. A bug in the kernel could be exploited to break the sandbox, which isn't possible in a true VM.

OutOfHere1y ago

There is no such thing as perfect security. Partial security is much better than none at all. Containers go a long way in this regard. All code is untrusted.

lolinderOP1y ago

> Partial security is much better than none at all.

Only if you don't let down your guard because it's "secure". Again, there's a reason why they don't claim it's secure and everyone says to not treat containers as a sandbox.

1 more reply

j / k navigate · click thread line to collapse

0 comments

OutOfHere1y ago

> security isn't one of them

Oh but it is. If there is harmful data-stealing software running in the container, it will remain isolated to the container. And if the kernel is shared with the host, that's a read-only share.

simion3141y ago

>Oh but it is. If there is harmful data-stealing software running in the container, it will remain isolated to the container. And if the kernel is shared with the host, that's a read-only share.

And what protects the production server when you deploy the evil packages?

fragmede1y ago

> remain isolated to the container.

Assuming the code that implements the containerization is 100% bug free and there are no container escapes. I would not bet my user's safety purely on that assumption.

acdha1y ago

OutOfHere1y ago

Yes, exactly. JetBrains fanboys will prefer to remain blind to it, however, not realizing that the free version of JetBrains isn't competitive anymore against VSCode.

1 more reply

lolinderOP1y ago

> And if the kernel is shared with the host, that's a read-only share.

No, it's not, the kernel is reading and writing files constantly for the container. A bug in the kernel could be exploited to break the sandbox, which isn't possible in a true VM.

OutOfHere1y ago

There is no such thing as perfect security. Partial security is much better than none at all. Containers go a long way in this regard. All code is untrusted.

lolinderOP1y ago

> Partial security is much better than none at all.

Only if you don't let down your guard because it's "secure". Again, there's a reason why they don't claim it's secure and everyone says to not treat containers as a sandbox.

1 more reply

j / k navigate · click thread line to collapse