Saturday, December 12, 2015

Docker vs OSv


At the end of the presentation (jump to 30min), Avi Kivity talks about security and compares OSv to Docker. OSv and the hypervisor it runs within have a very small attack surface compared to Docker. Docker's attack surface is huge by comparison, because it includes an entire general-purpose OS, Linux. Once an attacker, or a malicious insider with sys-admin access, has penetrated a network, Linux offers many places to hide implanted code: loadable kernel modules, scripts inserted into cron jobs, modified shell login files such as ~/.bashrc, and so on. Maintaining a secure Linux cluster therefore takes significant time and expertise. With OSv this is simply not an issue, because the developer hard-codes everything that goes into the VM image, tests the image locally, and can then deploy it directly to the network cluster. Most of the security management moves to the hypervisor level, which requires fewer system administrators and fewer people with privileged access.
