On Mon, Mar 2, 2015 at 2:33 PM, Daniel J Walsh <dwalsh@xxxxxxxxxx> wrote:
>
> On 03/02/2015 10:03 AM, Mauricio Tavares wrote:
>> On Mon, Mar 2, 2015 at 9:42 AM, Lennart Poettering <mzerqung@xxxxxxxxxxx> wrote:
>>> You'd have to get the kernel changed for that "information leak" to be
>>> fixed.
>>>
>>> That said, containers on Linux are not really about security, the
>>> whole thing has more holes than a Swiss cheese. Maybe one day the
>>> security holes can be fixed, but as of now, it's simply not
>>> secure. And this "information leak" is certainly the least of your
>>> problems...
>>>
>> What would then be the recommended solution if containers are insecure?
> Well, we are trying to fix this, but as Lennart says, there are many
> holes in the strategy at this point. I am working on a presentation that
> talks about different levels of security. As soon as you get to
> virtualization you get less security.
>
> I would say running each service on an individual machine is the most
> secure. Running each service on a separate VM is the second most,
> especially if you are using SELinux/sVirt for separation of your VMs.
> Third level is running each service in a different container (again, you
> want SELinux for some separation).
> Fourth is each service running on the host (wrapped with SELinux).
> Fifth is setenforce 0.

Thanks, that is a very good explanation.

--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct