undefined | Better HN

0 pointstptacek9mo ago0 comments

They don't work as reliable security boundaries; they're developer/ops tools.

0 comments

Thomas, what are your thoughts on micro-vms such as kata containers? You can use them as a backend for docker in place of runc.

I'm sure you're well aware, but for the readers, they are isolated with a CPU's VT instructions which are built to isolate VMS. I still think "containers don't contain" in a very Dan Walsh boston accent, but this seems like a respectable start.

https://katacontainers.io

tptacekOP9mo ago

I have no strong opinion other than that untrusting cotenants shouldn't directly share a kernel.

burnt-resistor9mo ago

They're slow and so unsuitable for dev work. They might be somewhat better for prod, but it depends on a wide selection of unproven hypervisors.

tptacekOP9mo ago

Which "unproven" hypervisors are those? Kata works with Firecracker.

2 more replies

j / k navigate · click thread line to collapse

0 comments

SEJeff9mo ago

Thomas, what are your thoughts on micro-vms such as kata containers? You can use them as a backend for docker in place of runc.

https://katacontainers.io

tptacekOP9mo ago

I have no strong opinion other than that untrusting cotenants shouldn't directly share a kernel.

burnt-resistor9mo ago

They're slow and so unsuitable for dev work. They might be somewhat better for prod, but it depends on a wide selection of unproven hypervisors.

tptacekOP9mo ago

Which "unproven" hypervisors are those? Kata works with Firecracker.

2 more replies

j / k navigate · click thread line to collapse