Thierry Carrez <> writes:

> You make a good point when you mention "traditional distro" here. I
> would argue that containers are slightly changing the rules of the
> don't-run-as-root game.
> Solution (2) aligns pretty well with container-powered OpenStack
> deployments -- running compute nodes as root in a container (and
> embracing abovementioned simplicity/performance gains) sounds like a
> pretty strong combo.

This sounds at least a little like a suggestion that containers are a
substitute for the security provided by running non-root.  The security
landscape around containers is complex, and while there are a lot of
benefits, I believe the general consensus is that uid 0 processes should
not be seen as fully isolated.

>From :

  Docker containers are, by default, quite secure; especially if you
  take care of running your processes inside the containers as
  non-privileged users (i.e., non-root).

Which is not to say that using containers is not a good idea, but
rather, if one does, one should avoid running as root (perhaps with
capabilities), and use selinux (or similar).


OpenStack Development Mailing List (not for usage questions)

Reply via email to