I think what Intel are doing with Clear Containers is really interesting. They are encapsulating containers inside VMs, avoiding the security problems of containers.

To do this efficiently they've had to make a bunch of changes on the VM side so the overhead is much smaller than an ordinary VM (of the order of 150ms and 20MB of RAM). I've also been looking at this and am hoping to give a talk about it at the KVM Forum in August (http://events.linuxfoundation.org/events/kvm-forum).
Containerization in Linux is fugly. There is no core concept of containers in the kernel, you just have a set of loosely integrated namespaces abused by the likes of lx[cd] and docker.
> As such, it discloses the names and PIDs of all processes running on the system...

So I don't really see how this is considered a big vulnerability, unless the goal is security by obscurity, but then we could go even further and obfuscate the whole system.

> NET_RAW abuse

Hard to blame LXC/Docker for something that has to do with the configuration of the bridge, plus for some setups this is desired functionality.

> DoS

Some of these are interesting but I don't see how filling up the disk space is a problem with containers and not operating systems in general, and I feel like a lot of these DoS attacks are all just basic OS limitations but I don't know enough to make an informed statement.
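The NET_RAW point in the comment above comes down to one concrete question a defender can check: is CAP_NET_RAW still in the container process's bounding set, or was it dropped? The script below is an added example written for this thread, not code from any of the projects discussed (Docker, LXC, Clear Containers). It reads the CapBnd/CapEff fields of a /proc/&lt;pid&gt;/status file, decodes the hex bitmask into capability names using the bit numbers from the kernel's capability.h, and reports which of a watch list of risky capabilities remain. The two status snippets embedded in it are constructed; the first uses the mask 00000000a80425fb, which decodes to the 14-capability set Docker grants by default, and the second is the same mask with bit 13 (CAP_NET_RAW) cleared.

```python
"""Audit a process's Linux capability sets from /proc/<pid>/status.

Added example for a container-security discussion; not project code.
Bit numbers follow <linux/capability.h>.
"""
import sys
from typing import Dict, Set, Tuple

# Capability bit -> name, as defined by the kernel.
CAP_NAMES = {
    0: "CAP_CHOWN", 1: "CAP_DAC_OVERRIDE", 2: "CAP_DAC_READ_SEARCH",
    3: "CAP_FOWNER", 4: "CAP_FSETID", 5: "CAP_KILL", 6: "CAP_SETGID",
    7: "CAP_SETUID", 8: "CAP_SETPCAP", 9: "CAP_LINUX_IMMUTABLE",
    10: "CAP_NET_BIND_SERVICE", 11: "CAP_NET_BROADCAST", 12: "CAP_NET_ADMIN",
    13: "CAP_NET_RAW", 14: "CAP_IPC_LOCK", 15: "CAP_IPC_OWNER",
    16: "CAP_SYS_MODULE", 17: "CAP_SYS_RAWIO", 18: "CAP_SYS_CHROOT",
    19: "CAP_SYS_PTRACE", 20: "CAP_SYS_PACCT", 21: "CAP_SYS_ADMIN",
    22: "CAP_SYS_BOOT", 23: "CAP_SYS_NICE", 24: "CAP_SYS_RESOURCE",
    25: "CAP_SYS_TIME", 26: "CAP_SYS_TTY_CONFIG", 27: "CAP_MKNOD",
    28: "CAP_LEASE", 29: "CAP_AUDIT_WRITE", 30: "CAP_AUDIT_CONTROL",
    31: "CAP_SETFCAP", 32: "CAP_MAC_OVERRIDE", 33: "CAP_MAC_ADMIN",
    34: "CAP_SYSLOG", 35: "CAP_WAKE_ALARM", 36: "CAP_BLOCK_SUSPEND",
    37: "CAP_AUDIT_READ", 38: "CAP_PERFMON", 39: "CAP_BPF",
    40: "CAP_CHECKPOINT_RESTORE",
}

# Capabilities that commonly matter in a container threat model.
WATCH_LIST: Tuple[str, ...] = (
    "CAP_NET_RAW", "CAP_NET_ADMIN", "CAP_SYS_ADMIN", "CAP_SYS_PTRACE",
    "CAP_SYS_MODULE", "CAP_DAC_READ_SEARCH",
)

# Constructed /proc/<pid>/status excerpts (only the capability lines matter).
# 0xa80425fb is the mask the default Docker capability set decodes to.
DEFAULT_STATUS = """Name:\tsh
CapInh:\t0000000000000000
CapPrm:\t00000000a80425fb
CapEff:\t00000000a80425fb
CapBnd:\t00000000a80425fb
"""

# Same set with bit 13 (CAP_NET_RAW, value 0x2000) cleared.
HARDENED_STATUS = """Name:\tsh
CapInh:\t0000000000000000
CapPrm:\t00000000a80405fb
CapEff:\t00000000a80405fb
CapBnd:\t00000000a80405fb
"""


def parse_status(text: str) -> Dict[str, str]:
    """Turn 'Key:\\tvalue' lines of a status file into a dict."""
    fields = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            fields[key.strip()] = value.strip()
    return fields


def decode_caps(hex_mask: str) -> Set[str]:
    """Decode a capability bitmask (hex string) into capability names."""
    mask = int(hex_mask, 16)
    names = set()
    bit = 0
    while mask >> bit:
        if (mask >> bit) & 1:
            names.add(CAP_NAMES.get(bit, "CAP_UNKNOWN_%d" % bit))
        bit += 1
    return names


def audit(status_text: str, watch: Tuple[str, ...] = WATCH_LIST) -> Dict[str, object]:
    """Report bounding/effective sets and which watched caps are still granted."""
    fields = parse_status(status_text)
    bounding = decode_caps(fields.get("CapBnd", "0"))
    effective = decode_caps(fields.get("CapEff", "0"))
    return {
        "bounding": bounding,
        "effective": effective,
        "present": sorted(c for c in watch if c in bounding),
    }


if __name__ == "__main__":
    # With no argument, audit the calling process itself.
    path = sys.argv[1] if len(sys.argv) > 1 else "/proc/self/status"
    with open(path) as fh:
        report = audit(fh.read())
    print("bounding set size:", len(report["bounding"]))
    print("watched capabilities still present:", report["present"] or "none")
```

Run it inside a container (or point it at any /proc/&lt;pid&gt;/status) to see whether the runtime actually dropped what you asked it to; with Docker, `--cap-drop NET_RAW` should make CAP_NET_RAW disappear from the `present` list, which is the check that settles the bridge-versus-capability argument for a given deployment.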
Linux does not have containers. It has namespaces and cgroups. Jails (FreeBSD) and zones (Illumos) are containers. Please, stop claiming containers exist on Linux.