I don't disagree about using containers being useful as one of many security mechanisms. They are useful against certain attack vectors, but depend on two things: 1) kernel correctness, and 2) putting all functionality in separate userspace processes to satisfy the "principle of least privilege". -----Original Message----- From: "Dave Taht" Sent: Thursday, January 4, 2018 5:04pm To: "dpreed@deepplum.com" Cc: "Joel Wirāmu Pauling" , "Jonathan Morton" , cerowrt-devel@lists.bufferbloat.net Subject: Re: [Cerowrt-devel] KASLR: Do we have to worry about other arches than x86? On Thu, Jan 4, 2018 at 2:02 PM, dpreed@deepplum.com wrote: > Containers and kernel namespaces, and so forth are MEANINGLESS against the > Meltdown and Sceptre problems. It's a hardware bug that lets any userspace > process access anything the kernel can address. Just to be clear, I was merely agreeing with joel that containers had matured enough to be potentially usuable for some level of process isolation and firewalling, not that it applied to coping with MeltRe. > > > > -----Original Message----- > From: "Joel Wirāmu Pauling" > Sent: Thursday, January 4, 2018 4:52pm > To: "Dave Taht" > Cc: "Jonathan Morton" , > cerowrt-devel@lists.bufferbloat.net > Subject: Re: [Cerowrt-devel] KASLR: Do we have to worry about other arches > than x86? > > Well as I've argued before Lede ideally should be using to Kernel Namespaces > (poor mans containers) for at a minimum the firewall and per-interface > routing instances. > > The stuff I am running at home is mostly on cheap Atom board, so it's a > matter of squeezing out unneeded cruft on the platform. Also I don't want to > be admining centos/rhel servers at home. > > On 5 January 2018 at 10:47, Dave Taht wrote: >> >> On Thu, Jan 4, 2018 at 1:44 PM, Joel Wirāmu Pauling >> wrote: >> > >> > >> > On 5 January 2018 at 01:09, Jonathan Morton >> > wrote: >> >> >> >> >> >> >> >> I don't think we need to worry about it too much in a router context. >> >> Virtual server folks, OTOH... >> >> >> >> - Jonathan Morton >> >> >> > Disagree - The Router is pretty much synonymous with NFV >> > >> > ; I run my lede instances at home on hypervisors - and this is >> > definitely >> > the norm in Datacentres now. We need to work through this quite >> > carefully. >> >> Yes, the NFV case is serious and what I concluded we had most to worry >> about - before starting to worry about the lower end router chips >> themselves. But I wasn't aware that people were actually trying to run >> lede in that, I'd kind of expected >> a more server-like distro to be used there. Why lede in a NFV? Ease of >> configuration? Reduced attack surface? (hah) >> >> The only x86 chip I use (aside from simulations) is the AMD one in the >> apu2, which I don't know enough about as per speculation... >> >> -- >> >> Dave Täht >> CEO, TekLibre, LLC >> http://www.teklibre.com >> Tel: 1-669-226-2619 -- Dave Täht CEO, TekLibre, LLC http://www.teklibre.com Tel: 1-669-226-2619