VyOS docker vs proxmox - security

I see in the latest docs there is a plan to make a VyOS Docker image:

https://docs.vyos.io/en/latest/installation/virtual/docker.html

In the context of security, VyOS in Docker sounds better to me, because even if someone hacks the system, it will be a Docker container. On the other hand, from there they may be able to do many things anyway. It still sounds better than Proxmox or standalone.

Is there any difference between running Docker VyOS as the main router in a home network vs. Proxmox or standalone? I am asking about VyOS itself.

Any thoughts on why not to use Docker VyOS over Proxmox?

You will not gain security advantages running VyOS in a Docker container. Containers are in general less secure than VMs, as it is easier for a malicious user or program to gain access to the hypervisor. The usual benefits of containers are higher density and ease of deployment, neither of which is likely to be a benefit in your stated use case. Additionally, running it in containers is still fairly new and you are bound to run into bugs here and there. If you just want to use it for a home router, it will probably be significantly more reliable running it on bare metal or in a VM (be it Proxmox or any other hypervisor). Additionally, using a VM with PCI passthrough or bare metal will allow you to make better use of various offloads on your hardware (if supported).


Containers are in general less secure than VMs as it is easier for a malicious user or program to gain access to the hypervisor.

Can you expand on that? How is it easier to gain access for connections coming from outside the network? Unless you mean the moment after a successful attack on the Docker container, spreading a "virus" into other containers.

The main thing that concerns me is that while using Docker, even if someone hacks it and I don't know about it, it will be fixed during the next Docker image update. But for a VM it will stay there forever, because I will not replace the system with a new image, but update it.
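Waiting for the next image refresh to wipe a compromise is not detection. A container's writable layer can be compared against its image at any time with `docker diff <container>`, which prints one line per added (`A`), changed (`C`) or deleted (`D`) path. The script below is an added example, not code from the VyOS project or this thread; it parses that output and reports every change outside an allowlist of paths a running router is expected to write to (the allowlist and the sample output are constructed assumptions).

```python
"""Flag writable-layer drift reported by `docker diff <container>`: each line is
`A` (added), `C` (changed) or `D` (deleted) followed by a path. Anything outside
an allowlist of paths expected to change at runtime is reported."""

# Assumption: paths a running router image legitimately writes to; adjust
# per image (/config is VyOS's configuration directory).
DEFAULT_ALLOWED = ("/var/log", "/run", "/tmp", "/var/tmp", "/config")

def parse_docker_diff(text):
    """Parse `docker diff` output into (kind, path) tuples."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        kind, _, path = line.strip().partition(" ")
        if kind not in ("A", "C", "D") or not path.startswith("/"):
            raise ValueError(f"unexpected docker diff line: {line!r}")
        entries.append((kind, path))
    return entries

def suspicious_changes(text, allowed=DEFAULT_ALLOWED):
    """Return (kind, path) entries outside the allowlist. A `C` on a directory
    only says something under it changed, so it is dropped when a child entry
    exists: the report names /etc/cron.d/job, not /etc and /etc/cron.d."""
    entries = parse_docker_diff(text)
    paths = {p for _, p in entries}
    report = []
    for kind, path in entries:
        if any(path == a or path.startswith(a + "/") for a in allowed):
            continue
        if kind == "C" and any(p.startswith(path + "/") for p in paths):
            continue  # parent directory, covered by a child entry
        report.append((kind, path))
    return report

# Constructed sample output, not captured from a real container.
SAMPLE = """C /var/log
A /var/log/messages.1
C /etc
C /etc/cron.d
A /etc/cron.d/update-check
C /usr/bin
C /usr/bin/ssh
"""

if __name__ == "__main__":  # live use: feed `docker diff <name>` output instead
    for kind, path in suspicious_changes(SAMPLE):
        print(kind, path)
```

Run against a live container, the same check can be scheduled so that a new cron job or a replaced binary is reported while the container is still running, rather than silently discarded at the next image update.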

  • Docker shares the same kernel across all containers and the host. Kernel exploits will allow a container to breach both the host and any other containers. VMs use a completely independent environment, including their own kernel inside the VM jail.
  • Docker does not implement isolated namespaces for SELinux, virtual filesystems and kernel modules. Any successful exploit on any of those items will breach the host. VMs, as stated above, are a fully isolated environment.
  • Docker containers can easily starve other containers and the whole host system by consuming all resources available on the host system, as all containers and the host are using the same kernel and thus the same resource pool. VMs allocate resources through the hypervisor and cannot consume more than was allocated to them.

There are more pros and cons to this argument, but you get the gist.
