9

Does Docker provide the same level of security/isolation as a virtual machine running over a hypervisor? If not, how can that be achieved?

schroeder
Ijaz Ahmad

2 Answers

11

Theoretically, the isolation of Docker is not quite as strong, because parts of the system are shared (the kernel is shared, the container has a chroot of the original filesystem, etc.). However, for most purposes it's good enough. With chroot, cgroups, etc., and the ability to run containers under an unprivileged account (so root in the container is still limited on the host), you can lock down the container sufficiently for most uses.

If you really want VM-level isolation, then use a VM. Depending on the use case, you could start and stop Docker containers within a VM.

ThrawnCA
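One way to check for the lock-down this answer describes, as an added example that is not part of the original answer: a Python audit of a `docker inspect` record that flags the settings the answer touches on (shared host namespaces, privileged mode, added capabilities, root with user-namespace remapping switched off, `no-new-privileges` unset, sensitive host paths bind-mounted). The inspect JSON below is constructed; the field names are Docker's own, the values and container id are made up.

```python
import json

# Constructed sample in the shape `docker inspect <container>` emits; the field
# names are Docker's real ones, the values (and the id) are made up.
SAMPLE_INSPECT = json.dumps([{
    "Id": "deadbeefcafe",
    "Config": {"User": ""},
    "HostConfig": {
        "Privileged": True, "CapAdd": ["SYS_ADMIN"], "CapDrop": [],
        "PidMode": "host", "NetworkMode": "bridge", "IpcMode": "private",
        "UsernsMode": "host", "SecurityOpt": None,
        "Binds": ["/:/host:rw"],
    },
}])

def audit_container(record: dict) -> list[str]:
    """Return findings for one inspect record; an empty list means nothing flagged."""
    cfg, hc = record.get("Config") or {}, record.get("HostConfig") or {}
    findings = []
    if hc.get("Privileged"):
        findings.append("privileged: all capabilities plus host devices")
    if hc.get("CapAdd"):
        findings.append("extra capabilities added: " + ", ".join(hc["CapAdd"]))
    # Sharing a host namespace removes the isolation the answer relies on.
    for key in ("PidMode", "NetworkMode", "IpcMode"):
        if hc.get(key) == "host":
            findings.append(f"{key}=host: shares the host {key[:-4].lower()} namespace")
    # Root in the container is only "limited on the host" with user-namespace
    # remapping or a non-root Config.User; UsernsMode=host opts out of remapping.
    if hc.get("UsernsMode") == "host":
        findings.append("UsernsMode=host: user-namespace remapping disabled")
    if not cfg.get("User"):
        findings.append("runs as root inside the container (no Config.User)")
    if "no-new-privileges" not in " ".join(hc.get("SecurityOpt") or []):
        findings.append("no-new-privileges not set: setuid binaries can regain privilege")
    for bind in hc.get("Binds") or []:
        src = bind.split(":")[0]
        if src in ("/", "/var/run/docker.sock", "/proc", "/sys"):
            findings.append(f"sensitive host path bind-mounted: {src}")
    return findings

def audit_inspect_output(text: str) -> dict[str, list[str]]:
    """Map each container id in raw `docker inspect` JSON to its findings."""
    return {rec["Id"]: audit_container(rec) for rec in json.loads(text)}

if __name__ == "__main__":
    for cid, found in audit_inspect_output(SAMPLE_INSPECT).items():
        print(cid + ":\n  " + "\n  ".join(found or ["no findings"]))
```

On a real host, pipe `docker inspect $(docker ps -q)` into `audit_inspect_output` to review every running container at once.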
1

No, Docker is less secure by design; check out the answer at https://security.stackexchange.com/a/148794/39716

OS-level virtualization reuses the kernel space between virtual machines, and the kernel is a much more complicated piece of code, leaving a MUCH larger attack surface. Basically, the same thing that makes Docker super nice for stacking a bunch of VMs with limited resources into a tiny bit of memory is what makes it less useful for the PCI DSS use case: kernel reuse.

bbozo