I'm currently working on a server. This server is meant to be converged, as in being my storage server and the place publicly accessible services run on: services like some APIs in Docker or k8s and maybe an occasional game server.
There are a few hyperconverged appliances available like TrueNAS Scale and Unraid. These offer great storage solutions and include KVM.
Then there are the usual hypervisors like ESXi and Proxmox etc.
Now my question: I have these 2 scenarios and wonder if one is more secure. Specifically, would running a "real" hypervisor be more secure than the other, i.e. if I were to virtualize the NAS software in ESXi/Proxmox and pass through a SATA controller and NIC with PCI passthrough? Or is simply using the NAS software's own KVM solution pretty much just as secure?

The first scenario: a hypervisor (ESXi/Proxmox/XCP-ng) with passthrough for a NIC:

- A virtualized NAS OS like TrueNAS
  - has PCIe passthrough so the VM has direct access to the SATA controllers.
  - the drives are encrypted using ZFS encryption. Alternatively the drives can self-encrypt.
  - has a passed-through NIC.
- A VM with Docker or a k8s node
  - has a passed-through NIC.
And this scenario: install the NAS OS on bare metal.

- Use its KVM environment to launch a VM as a container host inside.
  - Has a passed-through NIC.
- The data drives for the NAS part are still encrypted using the same method. However, they are now mounted directly to the host that is now also running KVM. Therefore, in theory, the VM once broken out of will have access to the data on the drives. No need to mount and decrypt the drives anymore.

My main worry is that a container gets compromised, it breaks out, and then breaks out of the KVM into my NAS with direct access to all data.