
Peter Ross <petrosssit@gmail.com> writes:
After all, I still have not come up with something explaining Linux containers and security as clearly as the jail(8) manpage states:
http://www.freebsd.org/cgi/man.cgi?query=jail&apropos=0&sektion=0&manpath=Fr...
The best I could find so far is http://www.slideshare.net/jpetazzo/docker-linux-containers-lxc-and-security
and it gives me the impression: Do not rely on Linux containers, you have to add other measures to make it safe (no root user, SELinux, capabilities etc.)
The slightly longer explanation is:

1. Linux doesn't give you jail(8). Linux gives you the tools to *build* jail(8): cgroups and namespaces.
2. Since about 2009, you can DIY jail(8) out of those components. It's easy to make it work at all. It's hard to make it work securely.
3. Since about 2012, you can just use existing middleware to do (2).
4. If you believe (3) was built by security-nerd kernel experts who always choose security over convenience, then it's "safe".
5. I don't believe that. It's not safe.
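
The extra measures named in the quoted text (no root user, capabilities) can be checked per process from /proc. The following is an added example, not part of the original message: it audits constructed `/proc/<pid>/status` and `/proc/<pid>/uid_map` contents. The set of capabilities it flags, the seccomp and no_new_privs checks, and all function names are assumptions of this example.

```python
# Added example: audit one process's confinement from its /proc entries.
import re

# Bit numbers are from linux/capability.h; which ones to flag is this
# example's assumption, not a list taken from the thread.
RISKY_CAPS = {16: "CAP_SYS_MODULE", 17: "CAP_SYS_RAWIO",
              19: "CAP_SYS_PTRACE", 21: "CAP_SYS_ADMIN"}

def field(status, name):
    """Return the whitespace-split value of one 'Name: value' status line."""
    m = re.search(rf"^{name}:\s*(.+)$", status, re.M)
    return m.group(1).split() if m else []

def host_uid(uid, uid_map):
    """Map a UID inside the namespace to the outer UID listed in uid_map
    (assumes the map was read from the initial user namespace)."""
    for line in uid_map.strip().splitlines():
        inside, outside, count = map(int, line.split())
        if inside <= uid < inside + count:
            return outside + (uid - inside)
    return None  # UID has no mapping

def audit(status, uid_map):
    findings = []
    euid = int(field(status, "Uid")[1])          # real, effective, saved, fs
    if euid == 0 and host_uid(0, uid_map) == 0:
        findings.append("root inside maps to root on the host")
    cap_eff = int(field(status, "CapEff")[0], 16)
    held = [n for bit, n in sorted(RISKY_CAPS.items()) if cap_eff >> bit & 1]
    if held:
        findings.append("risky capabilities: " + ", ".join(held))
    if field(status, "Seccomp") != ["2"]:        # 2 = filter mode
        findings.append("no seccomp filter")
    if field(status, "NoNewPrivs") != ["1"]:
        findings.append("no_new_privs not set")
    return findings

# Constructed samples: a process with only namespaces around it, and one
# with the additional measures applied.
WEAK_STATUS = ("Name:\tsh\nUid:\t0\t0\t0\t0\nCapEff:\t0000003fffffffff\n"
               "NoNewPrivs:\t0\nSeccomp:\t0\n")
WEAK_MAP = "         0          0 4294967295\n"
HARD_STATUS = ("Name:\tapp\nUid:\t1000\t1000\t1000\t1000\n"
               "CapEff:\t0000000000000000\nNoNewPrivs:\t1\nSeccomp:\t2\n")
HARD_MAP = "         0     100000      65536\n"

if __name__ == "__main__":
    for label, s, m in (("weak", WEAK_STATUS, WEAK_MAP),
                        ("hardened", HARD_STATUS, HARD_MAP)):
        print(label, audit(s, m) or "no findings")
```
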