Does this mean that Google feels confident in running untrusted code inside containers? Or is each container actually running in an isolated VM?

It is my understanding that Docker containers are "generally" secure (https://docs.docker.com/articles/security/). But that statement isn't enough for me to use them to power a multi-user production hosting environment.

We aren't doing multi-tenant in a VM. Instead, each user/account/project has their own set of VMs implementing the cluster.

My view is that the surface area for cgroups/kernel namespaces is just too large and isn't appropriate for hostile untrusted workloads right now.

More nuanced statement on this here: http://googlecloudplatform.blogspot.com/2014/08/containers-v...
