
Simplistically: if you deploy to Linux, Docker provides 90%+ of the benefits of virtualization without the performance penalty.



And without the security benefits of proper virtualisation, too. At least LXC has recently gained the ability to run containers as a regular user, but I'll stick to KVM guests secured with MLS policies for now.


Why not combine the two and get the value of both? And, a reminder, you can still use LXC with Docker. It's fully supported.


Because the guests have their own SELinux policies. Docker containers don't come with policies, but if it supported running containers under a user account I could at least restrict each to its own category, so that theoretically a chmod -R 777 / (inside a container) plus access to the host wouldn't compromise other containers (unless the kernel is exploitable, in which case KVM would still win).
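The per-container category idea in the comment above, as an added example that is not code from the thread, Docker or SELinux itself: a small model of the MCS dominance rule (subject level must have the same-or-higher sensitivity and a superset of the object's categories) combined with the DAC mode-bit check, showing why a chmod -R 777 inside container A still does not let it read container B's files. The type names and category numbers are illustrative assumptions, not values from the thread.

```python
"""Model of SELinux MCS category separation between containers (added example)."""
import re
from typing import FrozenSet, Tuple

Level = Tuple[int, FrozenSet[int]]


def parse_level(level: str) -> Level:
    """Parse an MCS level such as 's0', 's0:c12,c34' or the range 's0:c0.c1023'."""
    sens, _, cats = level.partition(":")
    m = re.fullmatch(r"s(\d+)", sens)
    if not m:
        raise ValueError(f"bad sensitivity in level {level!r}")
    categories = set()
    for item in filter(None, cats.split(",")):
        lo, _, hi = item.partition(".")          # 'c0.c1023' is an inclusive range
        lo_n = int(lo[1:])
        hi_n = int(hi[1:]) if hi else lo_n
        categories.update(range(lo_n, hi_n + 1))
    return int(m.group(1)), frozenset(categories)


def level_of(context: str) -> Level:
    """Extract the level from a full context 'user:role:type:s0:c1,c2'."""
    parts = context.split(":")
    return parse_level(":".join(parts[3:]))   # the level itself may contain ':'


def mcs_dominates(subject_ctx: str, object_ctx: str) -> bool:
    """MCS rule: subject sensitivity >= object's and subject categories ⊇ object's."""
    s_sens, s_cats = level_of(subject_ctx)
    o_sens, o_cats = level_of(object_ctx)
    return s_sens >= o_sens and s_cats >= o_cats


def can_read(subject_ctx: str, file_ctx: str, mode: int, uid: int, file_uid: int) -> bool:
    """Both DAC (mode bits) and MAC (MCS) must allow the read; either alone can deny."""
    dac_ok = bool(mode & 0o004) or (uid == file_uid and bool(mode & 0o400))
    return dac_ok and mcs_dominates(subject_ctx, file_ctx)


# Constructed sample contexts: each container gets its own pair of categories.
CONTAINER_A = "system_u:system_r:svirt_lxc_net_t:s0:c12,c34"      # illustrative type
FILES_A = "system_u:object_r:svirt_sandbox_file_t:s0:c12,c34"
FILES_B = "system_u:object_r:svirt_sandbox_file_t:s0:c56,c78"
HOST_ADMIN = "unconfined_u:unconfined_r:unconfined_t:s0:c0.c1023"  # full category range

if __name__ == "__main__":
    # After chmod -R 777 the DAC check passes, but A still cannot read B's files.
    print("A reads own files:", can_read(CONTAINER_A, FILES_A, 0o777, 1000, 0))
    print("A reads B's files: ", can_read(CONTAINER_A, FILES_B, 0o777, 1000, 0))
    print("host admin reads B:", can_read(HOST_ADMIN, FILES_B, 0o600, 0, 0))
```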


Maybe we're talking past each other here, but, Dan Walsh, author of SELinux, is working to bring SELinux natively to libcontainer / docker.

I'd love to talk more about your needs and how we can help. My email is always open - nick@docker.com



