VM vs containers

[Red56]

Happy New Year y'all!
Wouldn't it be safer to always install VM's instead of sometimes containers too? If a container has been compromised, Proxmox' OS will be as well?
Best, Jos

 

[Dunuin]

Yes, in case of a compromized guest a VM would be the safest and a privileged LXC the most vulnerable. With unprivileged LXCs in between.
Because of that I personally only use LXCs for stuff that is not attackable from the internet and accept the additional overhead.

 

[Red56]

Ok, so the most save is running Docker in a VM instead of as a container. With the availability of a zillion docker containers the chance of using one with a backdoor is likely possible.

 

[Dunuin]

Jup and you can even run docker rootless in a VM: https://docs.docker.com/engine/security/rootless/
Thats how I run my docker containers here.

 

[LnxBil]

Maybe you can also have a look at podman, which will eventually replace Docker. Most enterprise linux distributions have already switched to podman. You need to know that it is not and will not be a drop-in-replacement to Docker, because of all the security implications, e.g. docker-compose (or podman-compose) is very similar, but not directly compatible due to the stricter security, especially if it comes to networking.