On Fri, Sep 06, 2013 at 09:10:24PM +0200, 80 wrote:
> No, it's less secure than kvm but it still provides better isolation
> than a mere chroot.

It doesn't matter if it's more secure than a chroot, because that's
not what we're talking about.  This is about whether you want
random-person-off-the-internet to upload any software they like and
run it on your server, and you *do not* want to do that with either a
chroot or a Linux container [even if OpenShift got away with it].

And ...

> Secure containers as dwalsh described is a worthy improvement.

... SELinux labels will not make that situation any better, because an
exploit somewhere in the large kernel API bypasses SELinux.

Dan Walsh's two replies are much more nuanced than you understand.

Rich.


-- 
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
virt-top is 'top' for virtual machines.  Tiny program with many
powerful monitoring features, net stats, disk stats, logging, etc.
http://people.redhat.com/~rjones/virt-top
-- 
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct