Other users have pretty much covered everything so I don't have much to add. One idea I would like to suggest is using both. Each Xen PV or HVM you run will incur some overhead for the kernel and such, greater than that of the primitives that most containers use (e.g. cgroups, namespaces, traps, or whatever it may be). But if you want to protect the Dom0 kernel, Xen (or another real virtualization technology like KVM) is going to be the safest way to do that. You should also consider that some types of containers are not necessarily designed for security; some may be designed for easily installing different versions of programs/libraries, ease of deployment, stability, logical grouping of services into a single "machine", ease of migration, or other convenience reasons.
So I would suggest running one or more DomUs as PVs or HVMs for programs that you consider to have the same "security zone" as each other. Then, within each DomU "security zone" you can benefit from further isolation without much additional overhead by running programs (or groups of interdependent programs) in their own dedicated containers. Perhaps most importantly, this protects the Dom0 as well.
There's a broad spectrum of virtualization/isolation, from separate physical machines all the way to simple chroots. You might find this talk interesting as it discusses some of the differences:
"Do containers actually contain? Should you care?" by Daniel Walsh, Red Hat Summit 2015
https://www.redhat.com/en/about/videos/container-security-summit-2015
https://www.youtube.com/watch?v=a9lE9Urr6AQ
This is just my take on the question, so as always you should consult a security expert before handling sensitive data ;-)
Quoting Rich Wales <richw@xxxxxxxxx>:
Hi. I'm just starting to put together a new server which will run the new Ubuntu 16.04 LTS.
I had planned to use Xen, but I'm wondering if I should use LXC/LXD instead of Xen. What issues should I consider?
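A small added check, not part of the reply above or of Rich's question, for confirming from inside a guest that both layers the reply recommends are actually in place: the hypervisor layer is read from a file laid out like /sys/hypervisor/type (which reads "xen" on a Xen PV/HVM guest), and the container layer is inferred, heuristically, from the cgroup path of PID 1 as found in /proc/1/cgroup (LXC and Docker name the runtime in that path). Both file paths are taken as arguments, which is an assumption made so the functions can be run against constructed sample files; the grep pattern and the "none" fallback are likewise this example's own choices.

```shell
#!/bin/sh
# Added example; not from the mailing-list thread.
# Reports which isolation layers are visible from inside a guest:
#  - hypervisor: a file laid out like /sys/hypervisor/type ("xen" on Xen guests;
#    the file is absent when the kernel has no hypervisor support)
#  - container: a file laid out like /proc/1/cgroup, where LXC/Docker place PID 1
#    under a path that names the runtime (heuristic, assumed naming: lxc/, lxc.payload.*, docker/)
# Both paths are parameters so the functions can be exercised on constructed input.

hypervisor_type() {
    # Print the hypervisor name, or "none" when the sysfs file is missing/unreadable.
    if [ -r "$1" ]; then
        tr -d '\n' < "$1"
    else
        printf 'none'
    fi
}

container_detected() {
    # Exit 0 when PID 1's cgroup path mentions an LXC or Docker container, else 1.
    [ -r "$1" ] && grep -Eq '/(lxc|docker)' "$1"
}

isolation_layers() {
    # Summarise both layers as "hypervisor=<name> container=<yes|no>".
    hv=$(hypervisor_type "$1")
    if container_detected "$2"; then
        printf 'hypervisor=%s container=yes\n' "$hv"
    else
        printf 'hypervisor=%s container=no\n' "$hv"
    fi
}

# On a live Linux guest (DomU running an LXC container) the call would be:
#   isolation_layers /sys/hypervisor/type /proc/1/cgroup
```

Run inside a service's container on a Xen DomU, the summary should read "hypervisor=xen container=yes"; a result of "hypervisor=none" means that service is only protected by container primitives and the Dom0 kernel is not behind a hypervisor boundary. The cgroup check is a heuristic only, so treat a "container=no" result as a prompt to look at the runtime's own tooling (e.g. lxc-ls) rather than as proof.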