[openstack-dev] [nova][cinder][neutron][security] Rootwrap on root-intensive nodes

James E. Blair corvus at inaugust.com
Wed Feb 4 17:10:06 UTC 2015


Thierry Carrez <thierry at openstack.org> writes:

> You make a good point when you mention "traditional distro" here. I
> would argue that containers are slightly changing the rules of the
> don't-run-as-root game.
>
> Solution (2) aligns pretty well with container-powered OpenStack
> deployments -- running compute nodes as root in a container (and
> embracing abovementioned simplicity/performance gains) sounds like a
> pretty strong combo.

This sounds at least a little like a suggestion that containers are a
substitute for the security provided by running non-root.  The security
landscape around containers is complex, and while there are a lot of
benefits, I believe the general consensus is that uid 0 processes should
not be seen as fully isolated.

From https://docs.docker.com/articles/security/ :

  Docker containers are, by default, quite secure; especially if you
  take care of running your processes inside the containers as
  non-privileged users (i.e., non-root).

Which is not to say that using containers is not a good idea, but
rather, if one does, one should avoid running as root (perhaps with
capabilities), and use selinux (or similar).

-Jim
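As an added illustration of the closing recommendation (non-root user, only the capabilities a service needs, SELinux labeling left on), the following audit script is not code from this thread, from OpenStack, or from Docker. It walks container records shaped like the `Config` and `HostConfig` sections of `docker inspect` output and flags the settings the message warns about; the two sample records, the service names and the SELinux type `nova_compute_t` are constructed for the example.

```python
"""Audit container configurations for the root-in-container risk discussed
in the thread: flag containers whose main process runs as uid 0, that are
privileged, that add broad capabilities, or that disable SELinux labeling.

Added example, not code from the thread or from OpenStack/Docker. The record
shape mirrors the `Config` / `HostConfig` sections of `docker inspect`; the
sample records below are constructed for this example.
"""

SAMPLE_CONTAINERS = [  # constructed sample, shaped like `docker inspect` output
    {
        "Name": "/nova-compute-rootful",
        "Config": {"User": ""},                 # empty User defaults to root
        "HostConfig": {
            "Privileged": True,
            "CapAdd": ["ALL"],
            "CapDrop": [],
            "SecurityOpt": ["label:disable"],   # SELinux confinement switched off
        },
    },
    {
        "Name": "/nova-compute-hardened",
        "Config": {"User": "nova"},             # dedicated non-root user
        "HostConfig": {
            "Privileged": False,
            "CapAdd": ["NET_ADMIN"],            # only what the service needs
            "CapDrop": ["ALL"],                 # drop everything else first
            "SecurityOpt": ["label:type:nova_compute_t"],  # hypothetical SELinux type
        },
    },
]


def runs_as_root(config):
    """True when Config.User is unset, 'root', or uid 0 (with or without a group)."""
    user = (config.get("User") or "").strip()
    if user == "":
        return True
    name = user.split(":", 1)[0]
    return name in ("root", "0")


def audit_container(container):
    """Return a list of finding strings for one container record (empty = clean)."""
    findings = []
    cfg = container.get("Config", {})
    host = container.get("HostConfig", {})

    if runs_as_root(cfg):
        findings.append("runs as root (Config.User unset or uid 0)")
    if host.get("Privileged"):
        findings.append("privileged container (full capability set, host devices)")

    cap_add = host.get("CapAdd") or []
    cap_drop = host.get("CapDrop") or []
    if "ALL" in cap_add:
        findings.append("adds ALL capabilities")
    if "ALL" not in cap_drop:
        findings.append("keeps the default capability set (CapDrop lacks ALL)")

    for opt in host.get("SecurityOpt") or []:
        # docker has written this option as 'label:disable' and 'label=disable'
        if opt in ("label:disable", "label=disable"):
            findings.append("SELinux labeling disabled (security_opt label:disable)")
    return findings


def audit_all(containers):
    """Map container name to its findings for a list of inspect-style records."""
    return {c["Name"]: audit_container(c) for c in containers}


if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_CONTAINERS).items():
        print(f"{'OK' if not findings else 'REVIEW':6} {name}")
        for finding in findings:
            print(f"       - {finding}")
```

Feeding real `docker inspect` JSON in place of the constructed list gives the same report; the hardened record is the shape the message argues for, and the rootful one collects a finding for each setting it warns against.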