Are containers less secure than VMs?

I keep hearing that VMs are more secure than containers.

Surely, if a container runs unprivileged, there is no way for any process to access the host, right?

So then why are VMs considered more “secure”?

VMs are effectively hardware enforced and run their own firmware & kernel.

This means that while in a container you can use a kernel bug to bypass confinement and get full root access on the system, the same isn’t generally true inside a VM as gaining control of the VM’s kernel doesn’t really get you anything.

That said, hypervisor and hardware bugs are also a thing which you can exploit to take control of the host from within a VM.

Nothing’s perfect and both approaches have their potential security concerns, some actually use both by running unprivileged containers inside a per-tenant VM, making it that much harder to take full control of the system.

Great explanation. Thanks.

So, only by exploiting bugs in the kernel, it is possible to gain control of the host. So then it would be a good idea to have the latest Linux kernel in the host? Like 5.7.x? Assuming the latest version of the kernel has fixed all known security holes?

Your Linux distribution (such as Ubuntu) takes care of security issues for the Linux kernel. A distribution does not run the latest version of the Linux kernel but sticks to a version and backports any security fixes that have been made available. That is, when you run Ubuntu 18.04 LTS, your default Linux kernel is Linux 4.15+all_security_fixes.

In addition, both the host and the containers have enabled unattended-upgrades for security updates. This means that when a security update is made available, it is applied automatically.

You do need to look out for security updates for the Linux kernel (for the host, obviously), because there are not applied automatically. See https://ubuntu.com/security/notices and subscribe to either the RSS feed or the mailing list to get immediate notice of an available Linux kernel update. Note that there is also the option of the LivePatch Service (https://ubuntu.com/livepatch) that updates the kernel without rebooting, therefore the whole security maintenance is really trouble-free. The LivePatch Service is free for three (I think) hosts.

1 Like

Right, I actually gave a talk on this topic at the Open Source Summit a month or so ago, unfortunately the recording will only hit Youtube in a year or so…

This was going over what we do for security for https://linuxcontainers.org/lxd/try-it

Short version is, strict limits on everything to avoid DoS, use security.isolated, never use security.privileged, apply system updates very frequently, immediately reboot on kernel update if you don’t have access to kernel live patching.

So the goal is to restrict the attack surface as much as possible and then ensure that any security fix is installed promptly.

2 Likes