@bbozo
Last active January 19, 2017 11:36
Docker support discussion about possibility of PCI DSS virtualization via Docker
[12:11] <bbozo> Hey guys :)
[12:11] <bbozo> I know you're listening on SO on the Docker tag
[12:11] <Ravensoul> So my docker stats is weird?
[12:12] <bbozo> but not sure if you're on the Security stack exchange
[12:12] <bbozo> Can somebody take a look? https://security.stackexchange.com/questions/148784/is-docker-a-pci-dss-compliant-form-of-virtualization
[12:12] <bbozo> regarding possibilities of use of Docker for security related isolation
[12:13] <Ravensoul> bbozo: right. What's pci-dss compliancy, I can answer that if you tell me
[12:14] <Ravensoul> antonios: have you tried removing containers?
[12:16] <Ravensoul> bbozo: as far as I can tell there are no requirements for "virtualization". What are you trying to do
[12:17] <bbozo> @Ravensoul, PCI DSS is a credit card security standard https://pcicompliance.stanford.edu/sites/default/files/pci_dss_v3-2.pdf - the interesting point is requirement 2.2.1
[12:18] <bbozo> @Ravnsoul, I hoped that there's some in-house knowledge about this with you guys
[12:18] <bbozo> @Ravensoul, I hoped that there's some in-house knowledge about this with you guys
[12:18] <bbozo> previous experience etc?
[12:19] <Ravensoul> Ah right. Then no. definitely not. They absolutely mean actual virtualization.
[12:19] <Ravensoul> Don't use containers for that
[12:19] <Ravensoul> even if it's allowed
[12:20] <bbozo> @Ravensoul, damn :-D could you write up something about it on SO? https://security.stackexchange.com/questions/148784/is-docker-a-pci-dss-compliant-form-of-virtualization
[12:21] <Ravensoul> bbozo: it's a grey-ish area. They said "virtualization" but there are two major types of virtualization. OS-level and HW-level
[12:21] <Ravensoul> docker is OS level.
[12:21] <bbozo> Aha, and VMWare hypervisor?
[12:21] <Ravensoul> They didn't specify what they want, but trying to do actual isolation with docker is just... no don't do it.
[12:22] <bbozo> aha, OK, what are the major issues here?
[12:22] <bbozo> Why are you concerned?
[12:22] <Ravensoul> The VMware, Xen, VirtualBox class are HW level.
[12:22] <Ravensoul> A hypervisor is a simple bit of software, typically 100k LOC, especially since nowadays, it's mostly hardware assisted
[12:22] <Ravensoul> The hypervisor can delegate most of its job to the guest kernel
[12:23] <Ravensoul> OS-level virtualization however, relies on an actual OS (In this case Linux). An OS is a pretty complicated bit of code that typically has a LOT of bugs
[12:24] <Ravensoul> Using OS level virtualization, all guests use the same OS (vs the same hypervisor). The attack surface is dramatically increased
[12:24] <bbozo> Hm, I understand
[12:25] <Ravensoul> That's not to say hypervisors are completely safe (default floppy driver?)
[12:25] <Ravensoul> but it's not like Linux, where there's seemingly a new kernel vulnerability every week
[12:25] <Ravensoul> (That's not to say Linux sucks, it's pretty damn good software. It's just WAY more complicated than a hypervisor)
[12:26] <bbozo> @Ravensoul, and if Docker switched to using hardware based virtualization and depend on the guest OS, it would take the main reason to do it in the first place - reduced memory footprint
[12:26] <bbozo> and number of vm images to handle, backup, secure, update etc
[12:26] <Ravensoul> Docker isn't about HW virtualization, it's specifically OS
[12:26] <Ravensoul> there are other solutions for that
[12:26] <Ravensoul> OS virtualization offers a bunch of advantages over HW
[12:27] <Ravensoul> guest density, for one, you can fill a server with orders of magnitude more containers than VMs
[12:27] <Ravensoul> they're a lot easier to deploy, and very easy to make
[12:27] <Ravensoul> But they isolate less than traditional virtualization
[12:28] <bbozo> exactly because you can fill a server with orders of magnitude more containers than VMs :)
[12:28] <bbozo> they share kernelspace
[12:28] <bbozo> OK, I understand
[12:29] <bbozo> the tantalizing argument for me is that people use windows to do payment systems, even though they have more security issues compared to... AIX
[12:29] <bbozo> they get identified and fixed etc and assuming you keep your software up to date it works
[12:29] <Ravensoul> People still think anti-viruses are useful...
[12:29] <bbozo> yeah..
[12:30] <Ravensoul> People are just that dumb. You could probably get away with doing whatever you want if you spin it a certain way
[12:30] <Ravensoul> But if you just want security and isolation, docker is less suited to the task than VMs
[12:31] <bbozo> OK, understood
[12:31] <bbozo> Short answer would be "it's not soo bad but do it at your own risk, use hardware virtualization if you're serious about it"
[12:32] <Ravensoul> It's more "if you want to do a good job at it"
[12:33] <bbozo> OK, good point
[12:34] <bbozo> Can I quote parts of this discussion on SO?
[12:34] <Ravensoul> Sure! I'm happy someone actually cares :)
[12:34] <bbozo> :D thank you :D