top | item 45368304

(no title)

BeefySwain | 5 months ago

What's wrong with Docker for this?

discuss

simonw|5 months ago

I keep on hearing that Docker isn't designed as a security boundary for this kind of thing.

Firecracker is meant to be secure but it's a lot harder to work with.

phrotoma|5 months ago

Hey Simon, given it's you ... are you concerned about LLMs attempting to escape from within the confines of a Docker container or is this more about mitigating things like supply chain attacks?

Scramblejams|5 months ago

Escaping a container is apparently much easier than escaping a VM.

zokier|5 months ago

I think that threat is generally overblown in these discussions. Yes, container escape is less difficult than VM escape, but it still requires major kernel 0day to do; it is by no means easy to accomplish. Doubly so if you have some decent hygiene and don't run anything as root or anything else dumb.

When was the last time we have heard container escape actually happening?

mehdibl|5 months ago

apparently...

Like it's also possible in a VM.

What about running non privileged containers! You need really to open some doors to make it easier!

aitchnyu|5 months ago

Is Podman unescapable compared to Docker?

hmmokidk|5 months ago

Docker would be hacky and cumbersome especially when compared to anything assembly like.