<p>⚠️ Just a reminder, folks:</p><p>The "container" movement on Linux emerged as a <u>convenient</u> way to manage different, possibly conflicting settings & dependencies for different apps on a machine. "Security" by sandboxing got tacked on later, and the quality of that isolation remains LOW regardless of all the trendy project names and acronyms that have filled that space.</p><p>Data centers' standard for high security consists of virtual machines (type 1 hypervisors) or separate dedicated hardware. Ain't no way, no how is a successful datacenter going to ask a giant, complex, contorted Linux or BSD (or hybrid Windows or Mac) kernel for sandboxing services to contain threats.</p><p>If you are using containers to enhance security – on any general-purpose machine – make sure they are running as VMs, or as sandboxes <u>on a microkernel</u> (not monolithic) architecture.<br><a href="https://infosec.exchange/tags/infosec" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>infosec</span></a> <a href="https://infosec.exchange/tags/security" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>security</span></a> <a href="https://infosec.exchange/tags/containers" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>containers</span></a> <a href="https://infosec.exchange/tags/hypervisors" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>hypervisors</span></a> <a href="https://infosec.exchange/tags/microkernel" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>microkernel</span></a></p>