I’ve read that standard containers are optimized for developer productivity and not security, which makes sense.
But then what would be ideal to use for security? Suppose I want to isolate environments from each other for security purposes, to run questionable programs or reduce attack surface. What are some secure solutions?
Something without the performance hit of VMs
All recent CPUs have native virtualization support, so there’s close to no performance hit on VMs.
That being said, even a VM is subject to exploits and malicious code could break out of the VM down to its hypervisor.
The only secure way of running suspicious programs starts with an air-gaped machine, a cheap hdd/ssd that will go straight under the hammer as soon as testing is complete. And I’d be wondering even after that if maybe the BIOS might have been compromised.
On a lower level of paranoia and/or threat, a VM on an up-to-date hypervisor with a snapshot taken before doing anything questionable should be enough. You’d then only have to fear a zero day exploit of said hypervisor.
Each VM needs a complete OS, though. Even at 100% efficiency, that’s still a whole kernel+userspace just idling around and a bunch of caches, loaded libraries, etc. Docker is much more efficient in that regard.
And LXC even more efficient in that regard.
Docker does load a bunch of stuff that most people don’t need for their project.
I don’t know why LXC is always the red-headed stepchild. It works wonderfully.