Warning: Currently, NixOS containers are not perfectly isolated from the host system. This means that a user with root access to the container can do things that affect the host. So you should not give container root access to untrusted users.
Is there any detail on why there's that limitation, and is someone currently working on that?
The reason for this is that it uses systemd-nspawn, and at the time the implementation was written there was no support for user namespaces. Nowadays, however, we could add support for that…
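A quick way for an administrator to see whether the situation described above (no user namespace, so uid 0 in the container is uid 0 on the host) applies to a given container is to read its `/proc/<pid>/uid_map`. This is an added example, not code from the thread or from NixOS; the `uid_map` format (`<inside-id> <outside-id> <length>` per line) is documented in user_namespaces(7), and the function names are assumptions.

```sh
#!/bin/sh
# root_is_host_root MAP
#   MAP is the text of a /proc/<pid>/uid_map file.
#   Returns 0 when inside-uid 0 maps to host uid 0 (identity mapping, which is
#   also what you see with no user namespace at all), 1 when uid 0 is remapped
#   to an unprivileged host range or is not covered by any mapping.
root_is_host_root() {
    printf '%s\n' "$1" | awk '
        NF == 3 {
            # Each line is: inside-id outside-id length.
            if ($1 == 0 && $3 > 0) {
                covered = 1
                if ($2 == 0) identity = 1
            }
        }
        END { exit (covered && identity) ? 0 : 1 }'
}

# check_pid PID: report the isolation status of a running process, e.g. the
# PID of a container's init as shown by `machinectl status <name>`.
check_pid() {
    pid="${1:-self}"
    map="/proc/$pid/uid_map"
    if [ ! -r "$map" ]; then
        echo "$map not readable; not Linux or no such process"
        return 2
    fi
    if root_is_host_root "$(cat "$map")"; then
        echo "pid $pid: uid 0 is host uid 0; no user-namespace isolation"
        return 0
    fi
    echo "pid $pid: uid 0 is remapped; user-namespace isolation in effect"
    return 1
}
```

Running `check_pid` with no argument inspects the calling shell itself; inside a container started without `--private-users` it reports the unisolated case.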
The consensus seems to be that containers in general do not add any extra security, be it Docker/lxc/nspawn. Do not use containers to add security. Use VMs.
Saying they never add any extra security is an overstatement. Of course, there has been a security problem where root-in-container was not enough to exploit but root-in-VM was sufficient… But on average VMs are probably safer.