We know that containers are an important new technology (well, at least Linux containers are; similar technologies have existed for some time). Docker-based containers, still heavily used even in Kubernetes, build on Linux technologies such as cgroups and network namespaces to achieve isolation. However, other technologies can be “plugged in.” We can replace a “Linux container” with any number of technologies that do similar things, including systems that boot virtual machines, such as the OpenStack Foundation’s new technology, Kata Containers.
Thus, if an organization has a specific need for virtual machines, or prefers the isolation they provide, it is quite possible to use them instead of containers while still using an app-image-based workflow and a powerful container orchestration engine such as Kubernetes.
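As an added example (not from the original post) of the “plug in” point above: a Kubernetes RuntimeClass that routes pods to a VM-backed runtime such as Kata Containers, and a Pod that opts into it while still pulling an ordinary container image. The handler name `kata` is an assumption; it must match the runtime name configured in the node’s CRI implementation (containerd or CRI-O), and pods without `runtimeClassName` keep using the default runc-style runtime.

```yaml
# Cluster-scoped object: maps a name to a runtime handler on the node.
# The handler "kata" is assumed to be configured in containerd/CRI-O;
# the API itself does not know what the handler does.
apiVersion: node.k8s.io/v1
kind: RuntimeClass
metadata:
  name: kata
handler: kata
---
# Same image, same workflow; only the isolation boundary changes.
apiVersion: v1
kind: Pod
metadata:
  name: web-isolated
spec:
  runtimeClassName: kata     # omit this line and the pod runs as a plain Linux container
  containers:
    - name: web
      image: nginx:1.25      # constructed example image; any OCI image works
      ports:
        - containerPort: 80
```

Check which runtime a running pod actually got with `kubectl get pod web-isolated -o jsonpath='{.spec.runtimeClassName}'`; if the handler is missing on the node, the pod stays in a failed-to-create state rather than silently falling back to runc.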
Recently James Bottomley, a Distinguished Engineer with IBM Research, created the Horizontal Attack Profile (HAP) in an attempt to compare the security of various container runtimes.
One of the biggest problems with the current debate about Container vs Hypervisor security is that no-one has actually developed a way of measuring security, so the debate is all in qualitative terms (hypervisors ‘feel’ more secure than containers because of the interface breadth) but no-one actually has done a quantitative comparison.
Bottomley applies HAP to several container and container-like technologies, a list that is long but not exhaustive: Docker, gVisor, gVisor-kvm, the aforementioned Kata Containers, and a new entry from IBM, Nabla containers.
While containers are not new, the industry’s overall desire to use them is. With that desire come new isolation technologies, blurring the lines between technologies like Docker containers and virtual machines, so much so that we are creating new ways of quantifying their security.