[pve-devel] Opinion of Proxmox's Virtualisation Experts regarding: LightVM
Thomas
c.monty at web.de
Sat Nov 11 10:26:26 CET 2017
Hello!
I have received some interesting information regarding LightVM
<http://cnp.neclab.eu/projects/lightvm/>.
In a white paper <http://cnp.neclab.eu/projects/lightvm/lightvm.pdf>
there's a statement related to to pros and cons of
container-based solutions (page 2):
"However, no technology is perfect, and containers are no exception:
security is a continuous thorn in their side. The main culprit is the
hugely powerful kernel syscall API that containers use to interact with
the host OS. This API is very broad as it offers kernel support for
process and thread management, memory, network, filesystems, IPC, and so
forth: Linux, for instance, has 400 dfferent system calls [37], most
with multiple parameters and many with overlapping functionality;
moreover, the number of syscalls is constantly increasing (see figure
1). The syscall API is fundamentally more diffcult to secure than the
relatively simple x86 ABI offered by virtual machines where memory
isolation (with hardware support) and CPU protection rings are sufficient."
[37] MAN page. [n. d.]. Linux system calls list.
http://man7.org/linux/manpages/man2/syscalls.2.html. ([n. d.])
Question:
What is the experts opinion on the statements regarding security
concerns/issues?
Regards
Thomas
More information about the pve-devel
mailing list