This video is misguided for one reason. Containers are "Software Islands" and Virtual Machines are "Hardware Islands" on a machine. How? A Container does not block memory access to other processes sharing the system. But Virtual Machines do. That is why one is a "Machine" and the other is not. By blocking access to memory the Virtual Machine has created an ISLAND for itself and other processes cannot share that part. One could say Containers are more efficient for that reason.
Can you share more about why and how this design was chosen? It's obviously very different from the more traditional PaaS offerings, and a lot of work must have gone into building out such a system. But I'd just like to hear the origin story and also whether this can work for larger customers as well as it does for smaller ones. Thanks and have a great day!
This video really needs some context... Containers are not the best security boundary... sure. But that isn't everyone's use case... The tinfoil approach is to have everything run on metal on machines air-gapped from each other. There are some crazy attacks that happen due to VM escapes by poorly written virtual drivers that can lead to RCE on the host machine. But that doesn't mean that containers aren't useful for running 3 different versions of Java on the same machine and isolating them. There are other ways to secure containers, since the shared layer is the kernel, by using several Linux security features such as SELinux as an example. You can even run VMs and containers side-by-side with something like kube-virt. It all depends on threat models.
Not true, Docker can be protected via namespaces, which allow you to run applications in a non-root setup, and then you have AppArmor or SELinux as an additional layer of security.
You know, with all the stuff with VMs and people using them to run / test software on, why aren't OSes built like VMs, or at least run the programs you execute in tight isolation? I mean you can literally watch people test viruses and virus scanners on their PCs but, obviously, within a VM so nothing kicks their actual computer into the grave.
Thank you for a good video that explains the approach to choosing the appropriate technology for the appropriate use case. Yes, containers were born for many things, but not multi-tenancy. So in this case, choosing a MicroVM is the best balance of security and performance. Great choice! Developers should watch this video closely and learn the analysis, not copy the entire decision. Containers are still the greatest invention in the software industry in the last decades.
That was a quick but great summary. That must have been a fun project. The more I see Fly videos, the more respect I get for you guys and for you presenting them 🫡
I love the explanation about microVMs, but what about real-world scenarios? Could you provide examples of actual workloads, not just “state-of-the-art architectures solving imaginary problems”?
Good information for sure. I am not familiar with Firecracker, but if I know what's running in other containers, then I can create a named system semaphore that will await and then block threads in those containers. However, as I said, I may not be familiar with Firecracker, and since named semaphores are an OS-wide resource, if FC does truly isolate processes into a separate OS, then it would prevent this. I can think of several OS-wide resources I can create inside of a container which can and will affect the entire host OS, given the proper convergence of asset allocated/named entry vectors, but this is highly unlikely to go unnoticed by a properly run SECOPS team (a rarity among organizations today, sadly). If you have any doubt, I would certainly recommend complete process isolation via a dedicated OS, else someone like me (I am a white hat; someone like me who's a black hat) is, given the motivation, likely to become your organization's last cybersecurity incident.
Hey, I'm not knocking your platform or your choice - honestly a VM is the most secure option, HOWEVER stating that VMs ARE secure is just a mirage. And don't mention Amazon... they had enough problems with VM breakouts.
Finally, people using IPv6 in explanation videos, this is so great, but a separate network stack could lead to vulnerabilities that don't get patched by normal security updates...
I don't really understand how cloudflare proxying and cloudflare reverse proxies work then. Why do you need a VPN but neither of those do? All these things proxy traffic.
I've checked. My closest Taco Bell is 780km away and going there would likely get me into trouble with the NATO Allied Air Command. But I've heard NATO is providing a great service for their customers too.
LXCs > Docker. Configure with Ansible. I like this model much better than containers. But TBH you really can't beat reproducibility with containers. You just can't
You kinda just reinvented the wheel. You can have (and most do) both containers and virtualization. Make clusters based on trust level and deploy apps according to level of trust. The platform runs on VMs, the apps run on containers. Haven't seen a PaaS run on bare metal for more than 6 years now.