Thierry Carrez <thie...@openstack.org> writes:

> You make a good point when you mention "traditional distro" here. I
> would argue that containers are slightly changing the rules of the
> don't-run-as-root game.
>
> Solution (2) aligns pretty well with container-powered OpenStack
> deployments -- running compute nodes as root in a container (and
> embracing abovementioned simplicity/performance gains) sounds like a
> pretty strong combo.
This sounds at least a little like a suggestion that containers are a substitute for the security provided by running non-root. The security landscape around containers is complex, and while there are a lot of benefits, I believe the general consensus is that uid 0 processes should not be seen as fully isolated.

From https://docs.docker.com/articles/security/ :

    Docker containers are, by default, quite secure; especially if you take care of running your processes inside the containers as non-privileged users (i.e., non-root).

Which is not to say that using containers is not a good idea, but rather, if one does, one should avoid running as root (perhaps with capabilities), and use selinux (or similar).

-Jim

__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
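As an added illustration of the "non-root plus capabilities plus SELinux" approach Jim describes (this is not from the thread or from any OpenStack project), here is a Docker Compose fragment showing the root-in-a-container service definition next to a hardened one. The image name `compute-agent`, the `compute` user and the `NET_ADMIN` capability are assumptions standing in for whatever a real compute service needs.

```yaml
# Constructed docker-compose example; service/image/user names are placeholders.
services:

  # Weak: the process is uid 0 inside the container, keeps the default
  # capability set, and SELinux confinement is switched off. A breakout
  # lands the attacker as root on the host with no MAC policy in the way.
  compute-weak:
    image: compute-agent
    # no "user:" => runs as root
    security_opt:
      - label:disable      # turns off SELinux labelling for this container

  # Hardened: follows the Docker security docs quoted above.
  compute-hardened:
    image: compute-agent
    user: "compute"        # non-root uid inside the container (assumed to exist in the image)
    cap_drop:
      - ALL                # start from an empty capability set ...
    cap_add:
      - NET_ADMIN          # ... and add back only what the service needs (assumption)
    security_opt:
      - no-new-privileges:true   # setuid/file-cap binaries cannot regain privilege
      # SELinux labelling is left at its default, so the container stays confined;
      # nothing to add here, just do not use "label:disable" or "privileged: true".
    read_only: true        # root filesystem read-only; mount writable paths explicitly
    tmpfs:
      - /tmp
```

The hardened definition is what "avoid running as root (perhaps with capabilities)" looks like in practice: the privilege is reduced to a named capability rather than uid 0, and the host's SELinux policy still applies to the container's processes.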