Security
Cristian Ariza edited this page Jun 12, 2020
There are two types of security to consider when we talk about containers:
- Security for applications running inside a container
- Security for applications running outside a container
User namespaces (Docker, LXC) are safer than Dockie/PRoot for case 1. A chroot is easy to escape, so you should definitely not run anything fishy inside a Dockie guest. If you do need to run fishy software, you may want to have a look at Qubes OS.
On the other side, user namespaces (Docker, LXC) reduce the security for case 2 by making system calls available to a regular user that were not available before. This does not make user namespaces inherently insecure, but it is something to be careful about. PRoot, on the other hand, does not expose any more of the kernel's surface than what is already available to a regular user.
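The point above is that enabling unprivileged user namespaces widens the kernel surface reachable by any regular user on the host, whether or not they run a container. The following shell script is an added example (it is not part of Dockie or this wiki) that reports whether a host currently allows that: it checks the distribution-specific `kernel.unprivileged_userns_clone` sysctl (Debian/Ubuntu kernels) and the mainline `user.max_user_namespaces` limit. The `PROC_ROOT` variable and the `userns_status` function name are this example's own conventions; the sysctl names are the real ones.

```shell
#!/bin/sh
# Added example, not Dockie code: report whether this host lets a regular
# user create user namespaces (the kernel surface the page warns about).
# The proc root is a parameter so the function can be exercised against a
# constructed directory; PROC_ROOT defaults to the real /proc.

# userns_status <proc_root>
# Prints exactly one of: disabled, enabled, unknown
userns_status() {
    root="${1:-/proc}"
    # Debian/Ubuntu kernels carry kernel.unprivileged_userns_clone; 0 means
    # only root may create user namespaces (this sysctl is not in mainline).
    clone_file="$root/sys/kernel/unprivileged_userns_clone"
    # Mainline kernels expose user.max_user_namespaces; 0 forbids creating
    # any new user namespace in the current namespace, for everyone.
    max_file="$root/sys/user/max_user_namespaces"

    if [ -r "$clone_file" ] && [ "$(cat "$clone_file")" = "0" ]; then
        echo disabled
        return 0
    fi
    if [ -r "$max_file" ]; then
        if [ "$(cat "$max_file")" = "0" ]; then
            echo disabled
        else
            echo enabled
        fi
        return 0
    fi
    # Neither knob present: older kernel or non-Linux; cannot tell from sysctl.
    echo unknown
    return 0
}

# Stand-alone use: report the status of the running host.
# To restrict the surface, an administrator can set (as root)
#   sysctl -w user.max_user_namespaces=0            (mainline)
#   sysctl -w kernel.unprivileged_userns_clone=0    (Debian/Ubuntu kernels)
# which also stops unprivileged Docker/LXC-style tools from working; PRoot
# keeps working because it never needed user namespaces in the first place.
echo "unprivileged user namespaces: $(userns_status "${PROC_ROOT:-/proc}")"
```

Run it as an unprivileged user on the host you are assessing; `disabled` means a regular user cannot reach the namespace-related syscalls the page refers to, `enabled` means they can, and `unknown` means neither sysctl exists and a different check (for example trying `unshare -U true`) is needed.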