Matthew Garrett considers the security of Linux containerson his blog. While the attack surface of containers is likely to always be larger than that of hypervisors, that difference may not matter in practice, but it’s going to take some work to get there:
I suspect containers canbe made sufficiently secure that the attack surface size doesn’t matter. But who’s going to do that work? As mentioned, modern container deployment tools make use of a number of kernel security features. But there’s been something of a dearth of contributions from the companies who sell container-based services.
Read more at LWN