It is possible to escape the hypervisor, just waay harder than going around the container.

This video is misguided for 1 reason. Containers are "Software Islands" and Virtual Machines are "Hardware Islands" on a machine. How? A Container does not block memory access to other processes sharing the system. But Virtual Machines do. That is why one is a "Machine" and other is not. By blocking access to memory the Virtual Machine has created an ISLAND for itself and other processes cannot share that part. One could say Containers are more efficient for that reason.

The latest thing. Until the next one.

Does she even know that podman exists? That rootless containers is a thing?

Missed opportunity to call your VM, Dragonfly 😅

I wouldn't expect this video to have 2 million views

PVE 4 LYFE

This is exceptional really really good great talk!

Can you share more about why and how this design was chosen? Its obviously very different from the more traditional PaaS offerings, and a lot of work must have gone into building out such a system. But i'd just like to hear the origin story and also if this can work for larger customers as well as it does for smaller ones. Thanks and have a great day!

This video really needs some context.... Containers are not the best Security boundry... sure. But that isn't everyone's usecase.... The tinfoil approach is to have everything run on metal on machines airgapped from each other. There are some crazy attacks that happen due to VM escapes by poorly written virtual drivers that can lead to RCE on the Host machine. But that doesn't mean that containers aren't useful for running 3 different versions of Java on the same machine and isolating it. There are other ways to secure containers since the shared layer is the kernel by using several Linux security features such as SELinux as an example. You can even run VMs and containers side-by-side with something like kube-virt. It all depends on threat models.

People if you use proprietary vm you limit yourself to only one provider , that's just for notice , think about that.

Not true, Docker can be protected via namespace which allow to run applications in non root setup and then you have AppArmor or SELinux as additional layer of security.

With Docker actually i have always freedom of choice, i can run it everywhere , don't forget this!

So do a shit ton of work to implement a byzantine level of rules or just use a VM and move on with your day, yeah just like QubesOS..

You know, with all the stuff with VMs and people using them to run / test software on, why aren't OS built like VMs or at least run programs that you execute in tight isolation? I mean you can literally watch people test viruses and virus scanners on their PCs but, obviously, within a VM so nothing kicks their actual computer into the grave.

talk about getting sold

Thank you for a good video that explains the approach to choose appropriate technology for appropriate usecase. Yes, Container was born for many thing but not multi-tenant. So in this case, choosing a MicroVM is the best balance for security and performance. Great choice! Developers should watch this video closely and learn the analysis, not to copy the entire decision. Container is still the greatest invention in software industry in our last decades.

So cool! Is it pretty fast to start up after its stopped? And could this be used for other containers that could benefit from gpus?

How do you bring food to the offive? 😮

That was a quick, but great summary. That must have been a fun project. The more and more I see fly videos I get more respect for you guys and for you presenting them 🫡

Even LXC is available. But the problems come during networking.

I love the explanation about microVMs, but what about real-world scenarios? Could you provide examples of actual workloads, not just “state-of-the-art architectures solving imaginary problems”?

Good information for sure. I am not familiar with Firecracker, but if I know what’s running in other containers, then I can create a named system semaphore that will await and then block threads in those containers. However, as I said, I may not familiar with Firecracker, and since named semaphores are an OS wide resource, if FC does truly isolate process into a separate OS, then it would prevent this. I can think of several OS wide resources I can create inside of a container which can and will affect the entire host OS, given the proper convergence of asset allocated/named entry vectors, but this is highly unlikely to be unnoticed by a properly run SECOPS team (a rarity among organizations today, sadly). If you have any doubt, I would certainly recommend complete process isolation via a dedicated OS, else someone like me (I am a white hat, someone like me whose a black hat) is, given the motivation, likely to become your organizations last cybersecurity incident.

Locos

total noob here but I've never heard "shroot" before.....I've always heard the letters c and h enunciated like "C H root"...is this a regional thing?

Hey, I'm not knocking of you platform or you choice - honestly vm is most secure option, HOWEVER stating that vm's ARE secure is just a mirage. And don't mention the amazon ... they had enough problems with vm breakout.

Sounds nice. I want to get a job with you)

Nice!

so we are back to vmware? i thought we left that big slow mess behind

ads.

There is better knowledge base in comments than in the video. I love it. 😅

finally people using ipv6 in explanation videos, this is so great, but a separate network stack could lead to vulnerabilities that don't get patched by normal security updates...

Can I run this firecracker on my desktop Linux?

Does run on the edge?

Those videos converted me. Keep them coming.

On-premises is better than any cloud

This is why the visor project, which we started at Google in 2014, works the way it does -- very lightweight VM.

When I clicked on the video I thought you were going to try to convince me to throw away my Tupperware.

This really has 1 million views??? O_o

Considering containers for security is same considering VMs for flexibility and performance.

I don't really understand how cloudflare proxying and cloudflare reverse proxies work then. Why do you need a VPN but neither of those do? All these things proxy traffic.

So it means we have more latency when writing right?

Is she reading a script or one of those who implement the technical part of this or both?

I've checked. My closest Taco Bells is 780km away and going there would likely get me into troubles with the NATO Allied Air Command. But I've heard NATO is providing a great service for there customers too.

All code should be in jail.

LXCs > Docker. Configure with Ansible. I like this model much better than containers. But TBH you really can't beat reproducibility with containers. You just can't

Please, do not use «firecracker» word. You should use «KVM» word. Four and a half minutes of bullshit.

Nearly every single comment contradicts the point of this video, so as an aspiring dev… not gonna keep watching!

Tjroooottt

You kinda just reinvented the wheel. You can have (and most do) both containers and virtualization. Make clusters based on trust level and deploy apps according to level of trust. The platform runs on VMs, the apps run on containers. Haven't seen a PaaS run on bare metal for more than 6 years now.