Useful Tips

Is LXC safer than Docker?


The biggest difference is that LXC uses liblxc while Docker uses containerd and runc to containerize. Both are heavily scrutinized and likely highly secure.

Is LXC secure?

Unprivileged containers are safe by design. The container uid 0 is mapped to an unprivileged user outside of the container and only has extra rights on resources that it owns itself. With such a container, the use of SELinux, AppArmor, Seccomp and capabilities isn’t necessary for security.
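As an added example (not from the page), the following Python parses `lxc.idmap` lines, the LXC configuration keys that express the uid/gid mapping described above, translates a container-side id to the host id, and flags a mapping that would place container root on host root. Both sample configurations are constructed for illustration.

```python
"""Resolve LXC idmap ranges and check that container root stays unprivileged.

Added example, not LXC's own code. Parses lines of the form
'lxc.idmap = u <container_start> <host_start> <count>' (u for uids, g for gids).
"""
import re
from typing import Dict, List, Optional, Tuple

IDMAP_RE = re.compile(r"^\s*lxc\.idmap\s*=\s*([ug])\s+(\d+)\s+(\d+)\s+(\d+)\s*$")

# Constructed sample: typical unprivileged container, root -> host uid 100000.
UNPRIVILEGED_CONF = """
lxc.idmap = u 0 100000 65536
lxc.idmap = g 0 100000 65536
"""

# Constructed sample: uid range starts at host 0, so container root is host root.
RISKY_CONF = """
lxc.idmap = u 0 0 65536
lxc.idmap = g 0 100000 65536
"""


def parse_idmap(conf: str, kind: str = "u") -> List[Tuple[int, int, int]]:
    """Return (container_start, host_start, count) ranges for kind 'u' or 'g'."""
    ranges = []
    for line in conf.splitlines():
        m = IDMAP_RE.match(line)
        if m and m.group(1) == kind:
            ranges.append(tuple(int(x) for x in m.group(2, 3, 4)))
    return ranges


def to_host_id(ranges: List[Tuple[int, int, int]], cid: int) -> Optional[int]:
    """Translate a container-side id to its host id; None means unmapped (nobody)."""
    for c_start, h_start, count in ranges:
        if c_start <= cid < c_start + count:
            return h_start + (cid - c_start)
    return None


def maps_host_root(ranges: List[Tuple[int, int, int]]) -> bool:
    """True if host id 0 falls inside any range, i.e. is reachable from the container."""
    return any(h_start <= 0 < h_start + count for _, h_start, count in ranges)


def check_conf(conf: str) -> Dict[str, object]:
    """Summarise where container root lands on the host and whether that is unprivileged."""
    uids, gids = parse_idmap(conf, "u"), parse_idmap(conf, "g")
    return {
        "root_uid_on_host": to_host_id(uids, 0),
        "root_gid_on_host": to_host_id(gids, 0),
        "unprivileged": not (maps_host_root(uids) or maps_host_root(gids)),
    }
```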

Is LXC a hypervisor?

LXC (also known as Linux containers) is a virtualization technology that works at the operating system level. This is different from hardware virtualization, the approach used by other hypervisors such as KVM, Xen, and VMware. Some OpenStack Compute features might be missing when running with LXC as the hypervisor.

Is Docker based on LXC?

Docker is developed in the Go language and utilizes LXC, cgroups, and the Linux kernel itself. Since it’s based on LXC, a Docker container does not include a separate operating system; instead, it relies on the operating system’s own functionality as provided by the underlying infrastructure.

Is Docker really secure?

Docker containers are, by default, quite secure, especially if you run your processes as non-privileged users inside the container. You can add an extra layer of safety by enabling AppArmor, SELinux, GRSEC, or another appropriate hardening system.

What is LXC good for?

LXC (LinuX Containers) is an OS-level virtualization technology that allows the creation and running of multiple isolated Linux virtual environments (VEs) on a single control host. It achieves this using a high-level API that provides a lightweight virtualization solution for running processes in isolation.

Can you run Docker inside LXC?

Yes, Docker can run in a Linux container, but Docker will only run with the lxc execution driver and in an unconfined LXC container. So, here’s how to get Docker in LXC: ensure you have lxc.

Should I use LXC or LXD?

The LXD daemon can take advantage of host-level security features to make containers more secure. On plain LXC, container security is more problematic. LXD offers advanced features not available from LXC, including live container migration and the ability to snapshot a running container.

How can I make Docker more secure?

Best practices to secure Docker containers

  1. Regularly update Docker and host. Make sure that Docker and the host are up-to-date.
  2. Run containers as a non-root user.
  3. Configure resource quotas.
  4. Set container resource limits.
  5. Keep images clean.
  6. Secure container registries.
  7. Monitor API and network security.