Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

Interesting concept but seems to require custom android-specific kernel modules (ashmem, binderfs), which means the android containers aren't very containerized but leak into the host kernel.


All Linux containers leak the host kernel no?

The Anbox project relies on the exact same 2 modules: https://docs.anbox.io/userguide/install_kernel_modules.html. While these are "android-specific", they are present in the linux kernel tree, and even come pre-installed in Ubuntu 19.04 (and probably more distros).


Not all linux kernel leak to host. Docker security is way better than nefore. And there also projects like podman and docker unprivileged that don't require any root intraction to set up a kernel


Depends on your definition of "leak" I suppose. You can't get a different kernel version inside a container so there must be a "leak" in some sense. Reducing capabilities etc will just leak lesser information about the system in general, but your kernel is always shared.


> All Linux containers leak the host kernel no?

Curious in what way?


See any explanation of what a linux container is[0]. Containers in linux are a patchwork of various features that "contain" a process group in different ways while sharing the kernel with the rest of the system.

Running either of

    docker run --rm --entrypoint /bin/uname alpine:latest -a
or

    uname -a
gives you the same kernel version. The only difference will be in the hostname.

[0]: https://embeddedbits.org/introduction-linux-containers/


That's the difference between a container and a VM. VM runs its own kernel. A container relies on the host kernel and the host machine's kernel does all the scheduling, memory management, etc.


See the other replies and if you're on Linux run

  ps -ef
on the host and you'll see the processes in the containers too. That doesn't happen if those processes run in a VM.


This is by design. The kernel still runs the processes inside the container. If you namespace the user running `ps`, it will not be able to see the container processes. The only reason you're seeing them is because you're in the default (root?) namespace.

The container on the other hand cannot see the host's processes or other things. At least not without an exploit.


The Docker container also needs to be run in privileged mode, so you should probably treat this as if it were an emulator running root. It does work around dependencies on VT-x and such, though, and cuts down on the performance overhead of virtualising an extra kernel.


Or try running it with podman.


Sounds scary. That's a no from me dog.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: