I’ve read that standard containers are optimized for developer productivity and not security, which makes sense.
But then what would be ideal to use for security? Suppose I want to isolate environments from each other for security purposes, to run questionable programs or reduce attack surface. What are some secure solutions?
Something without the performance hit of VMs
Docker has an additional issue, but not one unique to docker. Like flatpak, pip, composer, npm or even back to cpan and probably further, as a third-party source of installed software, it breaks single-source of truth when we want to examine the installed-state of applications on a given host.
I’ve seen iso27002/12.2.1f, I’ve seen supply-chain management in action to massive benefit for uptime, changes, validation and rollback, and it’s simplified the work immensely.
If anyone remembers dependency hell - which is always self-inflicted - then this should be Old Hat.
HAVING SAID THAT, I’ve seen docker images loaded as the entire, sole running image, apparently over a razor-thin bmc-sized layer, on very small gear, to wondrous effect. But - and this is how VMware did it - a composed bare micro-image with Just Enough OS to load a single container on top, may not violate 27002 in that circumstance.