[pve-devel] Opinion of Proxmox's Virtualisation Experts regarding: LightVM

Thomas c.monty at web.de
Sat Nov 11 10:26:26 CET 2017


Hello!
I have received some interesting information regarding LightVM 
<http://cnp.neclab.eu/projects/lightvm/>.
In a white paper <http://cnp.neclab.eu/projects/lightvm/lightvm.pdf> 
there's a statement related to the pros and cons of 
container-based solutions (page 2):
"However, no technology is perfect, and containers are no exception: 
security is a continuous thorn in their side. The main culprit is the 
hugely powerful kernel syscall API that containers use to interact with 
the host OS. This API is very broad as it offers kernel support for 
process and thread management, memory, network, filesystems, IPC, and so 
forth: Linux, for instance, has 400 different system calls [37], most 
with multiple parameters and many with overlapping functionality; 
moreover, the number of syscalls is constantly increasing (see figure 
1). The syscall API is fundamentally more difficult to secure than the 
relatively simple x86 ABI offered by virtual machines where memory 
isolation (with hardware support) and CPU protection rings are sufficient."
[37] MAN page. [n. d.]. Linux system calls list. 
http://man7.org/linux/manpages/man2/syscalls.2.html. ([n. d.])
Question:
What is the experts' opinion on the statements regarding security 
concerns/issues?
Regards
Thomas
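The quoted passage argues that the breadth of the kernel syscall API is what makes containers hard to secure. The usual defensive answer on Linux is to shrink that surface per process with a seccomp-BPF allow-list, so that only the handful of syscalls a workload actually needs remain reachable and everything else fails closed. The program below is an added illustration of that technique; it is not code from this post, from Proxmox, or from the LightVM paper. It assumes a Linux host on x86_64 or aarch64 (the architecture check is an assumption made here so the filter is not fooled by a foreign-ABI syscall), and the allow-list itself is a constructed sample for a worker that only reads, writes and exits.

```c
// Added example (not part of the original post or the LightVM paper):
// build and install a minimal seccomp-BPF syscall allow-list.
// Assumption: Linux on x86_64 or aarch64; other architectures get a
// filter that refuses every syscall, which is the safe default.
#include <errno.h>
#include <stddef.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

#if defined(__x86_64__)
#define EXAMPLE_AUDIT_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define EXAMPLE_AUDIT_ARCH AUDIT_ARCH_AARCH64
#else
#define EXAMPLE_AUDIT_ARCH 0 /* assumption: unknown arch -> nothing matches */
#endif

/* Constructed allow-list: what a trivial read/write worker needs and no more.
 * Every syscall not listed here (open, ptrace, mount, socket, ...) is denied. */
static const int allowed_syscalls[] = {
    SYS_read, SYS_write, SYS_brk, SYS_mmap, SYS_munmap,
    SYS_rt_sigreturn, SYS_exit, SYS_exit_group,
};
#define ALLOWED_COUNT (sizeof(allowed_syscalls) / sizeof(allowed_syscalls[0]))
/* 4 prologue instructions + one compare per entry + deny + allow. */
#define FILTER_LEN (ALLOWED_COUNT + 6)

/* Pure lookup mirroring the filter's policy; handy for tests and auditing. */
int filter_allows(int nr) {
    for (size_t k = 0; k < ALLOWED_COUNT; k++)
        if (allowed_syscalls[k] == nr) return 1;
    return 0;
}

/* Emit the BPF program into `out`; returns the instruction count, 0 if too small. */
size_t build_filter(struct sock_filter *out, size_t max) {
    if (max < FILTER_LEN) return 0;
    size_t i = 0;
    /* Kill the process if the syscall comes in through a different ABI. */
    out[i++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
                                            offsetof(struct seccomp_data, arch));
    out[i++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K,
                                            EXAMPLE_AUDIT_ARCH, 1, 0);
    out[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL);
    /* Load the syscall number and compare it against each allowed entry. */
    out[i++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
                                            offsetof(struct seccomp_data, nr));
    for (size_t k = 0; k < ALLOWED_COUNT; k++)
        /* On match, jump forward past the deny instruction to RET ALLOW. */
        out[i++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K,
                                                (unsigned)allowed_syscalls[k],
                                                (unsigned char)(ALLOWED_COUNT - k), 0);
    /* Default: fail the call with EPERM (use RET_KILL for a stricter policy). */
    out[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K,
                                            SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA));
    out[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    return i;
}

/* Install the filter on the calling thread; returns 0 on success, -1 on error. */
int install_filter(void) {
    struct sock_filter insns[FILTER_LEN];
    struct sock_fprog prog;
    prog.len = (unsigned short)build_filter(insns, FILTER_LEN);
    prog.filter = insns;
    /* Required for unprivileged processes to apply a seccomp filter. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) != 0) return -1;
    return 0;
}

int main(void) {
    if (install_filter() != 0) return 1;
    /* getpid is not on the allow-list, so the raw syscall now fails with EPERM. */
    long pid = syscall(SYS_getpid);
    const char *msg = (pid == -1 && errno == EPERM)
        ? "getpid denied by seccomp filter as expected\n"
        : "unexpected: getpid was allowed\n";
    /* write(2) is allowed; stdio is avoided because it may use extra syscalls. */
    if (write(1, msg, strlen(msg)) < 0) return 1;
    return 0;
}
```

The point the example makes is the one the paper makes in reverse: the allow-list is eight entries long, while the kernel exposes hundreds, and every call outside the list is refused before it reaches kernel code. Real container runtimes ship a much longer default profile; auditing which entries a given workload actually exercises (for example with strace or the kernel audit log) is how that profile gets tightened.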
