I'm not totally sold on Bias' viewpoint. He wrote another interesting article declaring the death of hypervisors and the eventual takeover of containers: http://cloudscaling.com/blog/cloud-computing/will-containers-replace-hypervisors-almost-certainly/ When I talked to a guy who had worked on the Xen hypervisor for years, he kept going back to Randy's key requirement for all this to be true: "if configured properly". So this other guy's response was: "SELinux is an armed camp if configured properly, yet we have everyone from major banks to the Pentagon being hacked. Truth is that few people have adequate time to configure security properly in the real world. Something that is 'probably' as good as the status quo is a very scary statement for those of us living in the real world."
I disagree with this argument. What ring the code runs in doesn't really matter; it's true that a buffer overflow in a (properly built) unikernel will get the attacker into ring 0, but the attacker will find that <i>there is almost nothing there</i>. No globally shared filesystem, no hundreds of system calls, no processes, nothing. A ring 3 Unix process is actually a much richer environment to exploit.

I think unikernels are a bad idea compared to containers, but not for this reason.