"LXD containers are more secure than docker in general"
Please explain. This statement doesn't look correct to me. Both use the same technology - namespaces and cgroups. LXC is just meant to host full OS installs, so you have to manually do things like "apt upgrade", resolve all breaking changes manually, etc. So you end up with a bunch of VM-like full OS installs, taking lots of time to manage.
Docker is basically the same, except there are layers of filesystem data and those base OSs are minimal. Minimal also means fewer attack vectors, btw. Now, in the image there are all the required dependencies, and you can prepare a new version on your laptop, resolve breaking changes, test it properly and then easily deploy.
LXD/LXC by default launches unprivileged containers in user space and maps the user IDs to host user IDs. Now they use the new kernel feature shiftfs, which makes it much easier to provide consistent user ID mapping inside a container across hosts, with a consistent security model. This doesn't exist in Docker, as it was designed from the beginning not to have an init process, which results in zombie processes inside Docker containers, and it recommends only one process per container. Docker doesn't by default launch containers running in user space, and there are so many design differences, as I posted in a link in another post, which really make it a security nightmare unless a company like Google provides you managed container services, taking the burden away from you. But indeed the security vulnerabilities which impacted all of k8s didn't impact LXD running unprivileged containers.
Every image in LXD can be locally hosted, including the base one, privately, so you do not need to rely on inspecting a hotch-potch of Dockerfiles, scripts and pulls from other Docker images to know what's inside.
Now with the release of LXD 3.19 they introduced syscall interception, so even unprivileged containers running in user space can securely access hardware. So NFS can be mounted inside an unprivileged container. I haven't tried the latest Docker container, but in the old one you cannot mount NFS from inside a container without running it in privileged mode with kernel access.
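As an added example (not from the thread), a small POSIX sh check that reads the uid mapping the post above describes: each line of /proc/self/uid_map is `<inside-start> <outside-start> <count>`, so it tells you whether uid 0 in the container is real host root (the Docker default) or a remapped unprivileged host uid (the LXD default). The function names and the sample maps are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from LXD or Docker.
# Classify a uid_map (or gid_map, same format) so you can tell what
# "root" inside a container really is on the host.

# uid_map_root_host_uid MAP_TEXT
# Prints the host uid that container uid 0 maps to, or "unmapped"
# when no range covers uid 0 (root simply does not exist inside).
uid_map_root_host_uid() {
    printf '%s\n' "$1" | awk '
        NF == 3 && $1 <= 0 && $1 + $3 > 0 { print $2 - $1; found = 1; exit }
        END { if (!found) print "unmapped" }'
}

# classify_uid_map MAP_TEXT prints one of:
#   host-root : uid 0 inside is uid 0 on the host (no user namespace remap)
#   remapped  : uid 0 inside is an unprivileged host uid (LXD unprivileged)
#   unmapped  : no range covers uid 0
classify_uid_map() {
    host=$(uid_map_root_host_uid "$1")
    case "$host" in
        unmapped) echo unmapped ;;
        0)        echo host-root ;;
        *)        echo remapped ;;
    esac
}

# check_self: run inside a container (or on the host) to classify the caller.
check_self() {
    classify_uid_map "$(cat /proc/self/uid_map)"
}

# Constructed sample maps, as they would appear in /proc/self/uid_map:
IDENTITY_MAP='         0          0 4294967295'   # no user namespace: root is root
LXD_MAP='         0     100000      65536'        # root -> host uid 100000

# Stand-alone run: show the classification of the two samples and of this shell.
echo "identity map: $(classify_uid_map "$IDENTITY_MAP")"
echo "lxd map:      $(classify_uid_map "$LXD_MAP")"
echo "this process: $(check_self)"
```

Run it inside a container: `host-root` means a container escape would hand the attacker real root, `remapped` means it would only yield an unprivileged host uid.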
So why are LXC containers more secure?