QubesOS – A reasonably secure operating system

(www.qubes-os.org)

176 points TheFreim | 1 comments | 11 Jul 23 18:11 UTC | HN request time: 0.227s | source

Show context

DeathArrow ◴[11 Jul 23 19:21 UTC] No.36685995[source]▶

>Qubes OS is a free and open-source, security-oriented operating system for single-user desktop computing. Qubes OS leverages Xen-based virtualization to allow for the creation and management of isolated compartments called qubes.

What's wrong with containers? They are supposed to provide better performance than VMs. Are containers less secure?

replies(8): >>36686025 #>>36686033 #>>36686039 #>>36686046 #>>36686053 #>>36686059 #>>36686079 #>>36686206 #

Syonyk ◴[11 Jul 23 19:25 UTC] No.36686059[source]▶

>>36685995 #

Containers rely on the kernel to enforce separation. They're great for keeping trusted workloads from interfering with each other, but I don't trust them for potentially hostile workload separation.

If you can compromise the kernel (and kernel exploits aren't particularly expensive nor uncommon), then a container is like a door locked by a sign that says "Please do not open without permission." If you don't care to go through it, you won't. And if you want to get through it, it doesn't stop you. Once you're in the kernel, containers don't offer any meaningful separation.

Qubes uses hardware virtualization with a fairly stripped down Xen to provide the isolation, and that's a somewhat harder lock to crack open if you want to transit between silos.

replies(1): >>36686853 #

Dah00n ◴[11 Jul 23 20:32 UTC] No.36686853[source]▶

>>36686059 #

Does this also count for Proxmox?

replies(1): >>36687327 #

1. hiatus ◴[11 Jul 23 21:17 UTC] No.36687327[source]▶

>>36686853 #

Proxmox containers are just regular containers.

https://pve.proxmox.com/wiki/Linux_Container

↑