Hacker News

louwrentius, today at 10:43 AM, 2 replies

Maybe I’m missing something but because of this kind of risk, an old fashioned virtual machine feels like a more robust security boundary.


Replies

itintheory, today at 12:50 PM

<always has been meme>

While containers have some useful properties, they were never intended to be, and never really functioned as, a strict security boundary. We've duct-taped around that, and it's reasonably good now, but that only goes so far.

hun3, today at 12:26 PM

No, "virtual machine" alone doesn't make things safer.

Shrink your attack surface.

Use a completely locked down seccomp. Use nsjail or gVisor for containers. Use microvm or libkrun for full OS.

Lesser attack surface is what matters. Virtualization is only half of the story.
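As an added illustration of the "locked down seccomp" point (example code written for this page, not from any commenter or from nsjail/gVisor), the block below builds a seccomp-BPF allowlist by hand: every syscall not on the list kills the process, and the filter first checks the architecture so a syscall number cannot be reinterpreted under a foreign ABI. It also carries a tiny interpreter for the three BPF instruction kinds it emits, so the filter's decisions can be checked offline without installing it. The `AUDIT_ARCH_*` mapping, the three-syscall default list and the names `build_allowlist`, `eval_filter`, `install_allowlist` and `decide_default` are this example's own choices, not anything from the thread.

```c
#define _GNU_SOURCE
#include <stddef.h>
#include <stdint.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <linux/audit.h>

/* Older UAPI headers only know SECCOMP_RET_KILL (thread); the process-wide kill has this value. */
#ifndef SECCOMP_RET_KILL_PROCESS
#define SECCOMP_RET_KILL_PROCESS 0x80000000U
#endif

/* Assumption for this example: build for x86_64 or aarch64 only. */
#if defined(__x86_64__)
#define ARCH_NR AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define ARCH_NR AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* value for this architecture"
#endif

#define MAX_INSNS 64

/* Emit: [arch check][load nr][one JEQ per allowed nr -> ALLOW][KILL][ALLOW].
   Returns the instruction count, or 0 if the list does not fit. */
size_t build_allowlist(struct sock_filter *out, const int *allowed, size_t n)
{
    if (n + 6 > MAX_INSNS) return 0;
    size_t i = 0;
    /* Reject anything that is not our ABI before trusting the syscall number. */
    out[i++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch));
    out[i++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, ARCH_NR, 1, 0);
    out[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS);
    out[i++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr));
    for (size_t k = 0; k < n; k++) {
        /* Skip the remaining compares plus the KILL to land on ALLOW. */
        uint8_t jt = (uint8_t)(n - k);
        out[i++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (uint32_t)allowed[k], jt, 0);
    }
    out[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS);
    out[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    return i;
}

/* Interpreter for the subset emitted above (LD ABS, JEQ K, RET K), used to
   check the filter offline. In production the kernel runs the real program. */
uint32_t eval_filter(const struct sock_filter *prog, size_t len, const struct seccomp_data *d)
{
    uint32_t acc = 0;
    for (size_t pc = 0; pc < len; pc++) {
        const struct sock_filter *ins = &prog[pc];
        switch (ins->code) {
        case BPF_LD | BPF_W | BPF_ABS:
            if (ins->k == offsetof(struct seccomp_data, nr)) acc = (uint32_t)d->nr;
            else if (ins->k == offsetof(struct seccomp_data, arch)) acc = d->arch;
            else return SECCOMP_RET_KILL_PROCESS; /* unsupported load: fail closed */
            break;
        case BPF_JMP | BPF_JEQ | BPF_K:
            pc += (acc == ins->k) ? ins->jt : ins->jf; /* loop's pc++ adds the +1 */
            break;
        case BPF_RET | BPF_K:
            return ins->k;
        default:
            return SECCOMP_RET_KILL_PROCESS; /* unknown opcode: fail closed */
        }
    }
    return SECCOMP_RET_KILL_PROCESS; /* fell off the end: fail closed */
}

/* Install the allowlist on the calling thread. NO_NEW_PRIVS is mandatory for
   unprivileged callers and also blocks privilege gain through setuid binaries. */
int install_allowlist(const int *allowed, size_t n)
{
    struct sock_filter insns[MAX_INSNS];
    size_t len = build_allowlist(insns, allowed, n);
    if (len == 0) return -1;
    struct sock_fprog prog = { .len = (unsigned short)len, .filter = insns };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

/* Example list (constructed): just enough to print one line and exit. */
static const int default_allowed[] = { SYS_write, SYS_exit_group, SYS_exit };
static const size_t default_count = sizeof default_allowed / sizeof default_allowed[0];

size_t default_filter_len(void)
{
    struct sock_filter insns[MAX_INSNS];
    return build_allowlist(insns, default_allowed, default_count);
}

/* What the default filter decides for syscall `nr` arriving under `arch`. */
uint32_t decide_default(int nr, uint32_t arch)
{
    struct sock_filter insns[MAX_INSNS];
    size_t len = build_allowlist(insns, default_allowed, default_count);
    struct seccomp_data d = { .nr = nr, .arch = arch };
    return eval_filter(insns, len, &d);
}

int main(void)
{
    if (install_allowlist(default_allowed, default_count) != 0) return 1;
    static const char msg[] = "seccomp allowlist active\n";
    write(1, msg, sizeof msg - 1); /* allowed */
    _exit(0);                       /* exit_group: allowed; anything else is killed */
}
```

Two things the example makes concrete: the list is an allowlist, so the default for anything unanticipated is kill rather than permit, and the architecture check comes first, because the same syscall number means different things under different ABIs on a multi-ABI kernel. Real sandboxes such as nsjail generate much longer filters the same way; the shape does not change.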