
But couldn't containers have been designed that way? One thing I have in mind is one of Windows 10's recent features, which consists of running certain applications with the same hardware-level memory protection mechanism as VMs, so that the application is safe from the OS/kernel and the OS/kernel is safe from the application (can't find the exact name for this new feature, unfortunately).


Containers can't be designed that way as long as the primitives to build them that way (which are mostly part of the Linux kernel) are missing. That's a core part of the article. Containers aren't an entity by themselves, they're a clever and useful combination of an existing set of capabilities.


It is like that... but in Zones or Jails, not in the Linux "container toolkit".


No, the Windows 10 feature he's talking about uses Hyper-V internally. It's called, unsurprisingly, Hyper-V containers: https://docs.microsoft.com/en-us/virtualization/windowsconta...


Actually, I found it. It's called Windows 10 Virtual Secure Mode:

https://channel9.msdn.com/Blogs/Seth-Juarez/Windows-10-Virtu...

(or Windows 10 isolated user mode, which seems kind of similar)

https://channel9.msdn.com/Blogs/Seth-Juarez/Mitigating-Crede...


Oh yeah, that's another use of Hyper-V, somewhat similar to ARM TrustZone. It's used to implement "Credential Guard".


You can design all you like, but implementation takes work.

Seccomp only landed for Docker in about 1.12



