Container security on NS8

While reading and informing myself: Docker vs. virtual machine

Just for me to understand: Docker containers share the host kernel. The container technology has access to the kernel subsystems; as a result, a single infected application is capable of hacking the entire host system. And vice versa.

It won’t be fair to compare Docker and virtual machines since they are intended for different uses. Docker, no doubt, is gaining momentum these days, but it cannot be said to replace virtual machines. In spite of Docker gaining popularity, a virtual machine is a better choice in certain cases. Virtual machines are considered a suitable choice in a production environment, rather than Docker containers, since they run on their own OS without being a threat to the host computer. But if the applications are to be tested, then Docker is the choice to go for, as Docker provides different OS platforms for the thorough testing of the software or an application.

Wrong? Good enough to build a server? I don’t like testing on a production server.

1 Like

…and this is worse than NS7 how?

Under NS7, there is no containerization*, no separation of applications in any way. The only thing keeping one application from clobbering another is filesystem permissions. They share all of the system’s resources.

With Docker containers, whether they’re being run using Docker, Kubernetes (or any of its variants), Podman, or whatever, there is some measure of isolation. Yes, it’s less isolation than would be present with VMs, but it’s also less overhead and less complexity to manage. And pretty much nobody is distributing applications as VM appliances that you’d spin up to run the application, whereas much of the world is distributing its applications as Docker containers (and often only as Docker containers).

Compared to NS7, NS8 reduces vulnerability to a rogue application. It doesn’t eliminate it, but it’s nonetheless a step in a more secure direction.

*Sure, you can install Docker, Portainer, whatever on NS7, but it doesn’t ship with these tools, and none of its modules use these tools–it’s all natively installed software.

Yes, it’s less isolation than would be present with VMs–but it’s also less overhead and less complexity to manage.

It’s meant to be a server. Hardware (for me) is no longer an argument (I remember the cost of a 10 MB hard drive in the ’80s!).

What exactly do you mean by “less complexity” to manage? Playground is elsewhere - for me not in a production environment.

OK, this is off-topic from the OP. I’ll stop here.

What single interface do you have to manage the software running on a half-dozen VMs? I’m not aware of one. You’d instead need to log into each VM separately and do whatever you need to do there.

With NS8, management of the individual containers/applications is done through the cluster-admin page. You can set up virtual hosts for the web server, configure metrics storage using Grafana and Prometheus, install and configure Nextcloud, and set up DokuWiki (just to name a few examples), all through a single interface.

And, of course, this (as far as I’ve described it) isn’t anything new with containers; Portainer and Rancher have been doing this for years, as I’m sure have other projects. So that’s why I say they’re less complex to manage than VMs.

I agree with you (with reference to the topic I split these posts from) that divorcing “NS8” from the underlying OS–meaning that NS8 provides zero ability to administer the underlying OS, in terms of software updates, or even shutting down or rebooting the system–seems like a bad move. But to complain about a perceived lack of security of containers, when you’re currently using NS7, just seems silly.

2 Likes

Besides your argument, IMVHO the title of the split thread should be “Server security and stability with NS8”.

It’s broader than container security! I feel I’m not getting the point.

What are your concerns? What are your proposals?

I’d echo Davide’s question (“what are your concerns?”), and add to it: compared to what? And I think the most relevant comparison would be to NS7, since that’s what (AFAIK) you’re currently using, and that’s almost certainly going to be the devs’ base of comparison. Thus the question would be, what are you concerned about in NS8 (in terms of security and stability, apparently), compared to NS7?

If you think a different comparison would be better, then say so, and then address the question in that context. But right now, the concerns you’ve expressed are very vague and frankly impossible to address (either to refute, to confirm, or to fix).

Hi @schulzstefan, @danb35

The reasons given sound about the same as someone going to an airline ticket counter (or, here in Europe, a train ticket booth at the local station) and requesting a ticket:

The traveller:
“I need a ticket, first class.”

The Agent:
Yes, but to where?

The traveller:
That’s none of your business, I consider that an affront on my privacy concerns!

I think all will agree that this guy, with his current mindset, is simply not going to get a ticket. End of story…

My 2 cents
Andy

Just to put a slightly different perspective on it: Yes, there are containerization vulnerabilities that pose risks. There are also hypervisor vulnerabilities (virtual machines) that allow guest VMs to access the host and other VMs. No technology is risk-free; that’s why regular maintenance and upgrades are important no matter what is being used.