Thanks for evaluating! The exploit was explained to me that an unpriviliged user/Programm could use it to get root access on the whole system, which I my mind included the hypervisor. Further reading seems to proof you right, while containers were broken VMs were not.

My point still remains, although weaker: If you know exactly what you are doing you can get a system quite secure, if you are a hobby server owner like me, its not that easy. I would have not know that the use of VMs instead of containers has sooo major security implications, that something so fundamental as ssh could be exploited in such large scales, and clustering would have been needed to avoid being unsafe.

Sure, noone would use an zero day on me targeted, the thing is: I am not working in the field, from publishing of the exploit till learned about it and had the time to patch, there were a few weeks. If in those few weeks someone deploys a tool going for mass and not for single targets, I would probably be infected and added to some botnet, cryptominer or whatever.

If I have a bare metal dedicated server, which has only access to IPs contained in my whitelist on a dedicated opnsense, I have less to wory about. Sure, someone could still find a freebsd/opnsense exploit and get me, but my point is: complex systems break in complex ways, the more complex systems you use, the more attack surface u have, need to know and understand to control and mitigate it.

Not that its impossible, but for a hobbyist who tries to self teach with man pages, tutorials and forums, you can get pwnd in unexpected ways (like because you used a container for dodgy Chinese smart home devices and expected that your production environment would be safe even if one of them was malicious, but in fact you were not, because that would have needed to be a VM. AND: before copy fail was published, users would have probably also told you that containers are safe.