An informative YT channel I found. I'm sure many people here might already know it, but I found it helpful, and it makes the comm a good resource for newer folks looking to get a handle on what all these tools do and how they will use them in their selfhosting.

  • N.E.P.T.R@lemmy.blahaj.zone · 8 upvotes, 1 downvote · 8 hours ago

    In order of most to least secure

    VM > Docker+GVisor > Docker/LXC

    Docker+gVisor is a good middle ground because it provides the guest container with an application kernel in a memory-safe language and a reduced syscall attack surface to avoid kernel container escapes. Docker/LXC share the kernel with the host.

    • non_burglar@lemmy.world · 2 upvotes · 4 hours ago

      Subjective to security practice. There are more appropriate factors than blanket statements on a technology’s inherent “security” when deciding the format and shape of virtual software spaces.

      in a memory safe language

      Ultimately, the implementation is more important than the underlying code when it comes to containers. cgroups2 works the same for gVisor as it does for LXC.
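The "Docker+gVisor" option N.E.P.T.R describes comes down to two things: registering gVisor's `runsc` runtime in Docker's daemon config, and starting the container with `--runtime=runsc` so the Sentry (gVisor's userspace application kernel, written in Go) sits between the workload and the host kernel. The script below is an added example, not code from the thread or from the gVisor project; it assumes `runsc` was installed at `/usr/local/bin/runsc` and that Docker reads `/etc/docker/daemon.json`, and the sample `dmesg` output at the bottom is constructed, not captured from a real host.

```python
"""Register gVisor's runsc runtime with Docker and launch a container under it.

Added example, not code from the thread or the gVisor project. Assumptions:
runsc is installed at RUNSC_PATH and Docker reads DAEMON_JSON on restart.
"""
import json
from copy import deepcopy

RUNSC_PATH = "/usr/local/bin/runsc"        # assumption: where runsc was installed
DAEMON_JSON = "/etc/docker/daemon.json"    # Docker's default daemon config path


def add_runsc_runtime(config: dict, runsc_path: str = RUNSC_PATH) -> dict:
    """Return a copy of a daemon.json config with runsc registered as a runtime.

    Other keys (log driver, storage options, other runtimes) are preserved, so
    this is safe to apply to an existing daemon.json rather than overwriting it.
    """
    merged = deepcopy(config)
    merged.setdefault("runtimes", {})["runsc"] = {"path": runsc_path}
    return merged


def render_daemon_json(existing_text: str, runsc_path: str = RUNSC_PATH) -> str:
    """Merge runsc into the text of an existing daemon.json ("" if the file is absent)."""
    config = json.loads(existing_text) if existing_text.strip() else {}
    return json.dumps(add_runsc_runtime(config, runsc_path), indent=2) + "\n"


def docker_run_argv(image: str, cmd: list, runtime: str = "runsc", harden: bool = True) -> list:
    """Build the argv for running `cmd` in `image` under the given runtime.

    --runtime=runsc is what actually puts the Sentry between the workload and
    the host kernel; the extra flags are the usual per-container hardening
    that applies to runc and runsc alike and does not depend on the runtime.
    """
    argv = ["docker", "run", "--rm", f"--runtime={runtime}"]
    if harden:
        argv += ["--cap-drop=ALL", "--security-opt=no-new-privileges", "--read-only"]
    return argv + [image] + list(cmd)


def is_gvisor_dmesg(dmesg_text: str) -> bool:
    """Heuristic check that a container really is running under gVisor.

    The Sentry answers dmesg with its own synthetic boot log ("Starting gVisor...");
    a runc container either shows the host kernel's ring buffer or gets EPERM.
    """
    return "Starting gVisor" in dmesg_text


# Constructed sample output for the check above (not captured from a real host).
SAMPLE_GVISOR_DMESG = (
    "[   0.000000] Starting gVisor...\n"
    "[   0.381245] Checking naughty and nice process list...\n"
    "[   1.102223] Ready!\n"
)
SAMPLE_HOST_DMESG = (
    "[    0.000000] Linux version 6.1.0-13-amd64 (debian-kernel@lists.debian.org)\n"
    "[    0.000000] Command line: BOOT_IMAGE=/boot/vmlinuz-6.1.0-13-amd64 ro quiet\n"
)


if __name__ == "__main__":
    # Dry run: show the merged config and the command without touching the host.
    print(render_daemon_json('{"log-driver": "json-file"}'))
    print(" ".join(docker_run_argv("alpine:3.19", ["dmesg"])))
    # To apply for real (as root): write render_daemon_json(open(DAEMON_JSON).read())
    # back to DAEMON_JSON, restart dockerd, run the command printed above, and
    # pass its output to is_gvisor_dmesg() to confirm the Sentry is in the path.
```

After restarting `dockerd`, `docker info` should list `runsc` under Runtimes; inside a runsc container `uname -r` reports the kernel version gVisor emulates (4.4.0) rather than the host's, which is a second quick sanity check. The hardening flags are deliberately separate from the runtime choice: they reduce what a compromised process can do inside the sandbox, while `runsc` is what changes which kernel that process is talking to.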