Docker Security: Difference between revisions

From NovaOrdis Knowledge Base
Line 16: Line 16:


=Linux Kernel Capabilities=
=Linux Kernel Capabilities=
 
{{Internal|Linux Capabilities|Linux Capabilities}}
* https://docs.docker.com/engine/security/security/#linux-kernel-capabilities
* https://github.com/moby/moby/blob/master/oci/defaults.go#L14-L30


=Privileged Container=
=Privileged Container=
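Review bot: the moby reference under Linux Kernel Capabilities links to `blob/master` with a line anchor (`#L14-L30`), so it will point at different code as `oci/defaults.go` changes; replace `master` with a commit hash so the link stays on the lines it was meant to cite.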

Revision as of 21:48, 1 March 2021

External

Internal

Overview

Production containers should almost always run as a non-privileged user, because running as root can allow root-level access to host resources, as in the case of bind mounts. See Dockerfile USER.

Linux Kernel Capabilities

Linux Capabilities

Privileged Container

A privileged container, also referred to as a super privileged container (SPC) or an infrastructure container, is a special container with elevated privileges that administrators use to perform administrative tasks such as management, monitoring, backups, etc. Privileged containers can load specialized kernel modules, for example. Typically there is a tighter coupling between privileged containers and the host kernel. When using a privileged container, the administrator needs to select a user space that is compatible with the host kernel.
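As an added example (not part of the original page), the following Python audit walks `docker inspect` JSON and flags the conditions discussed above: privileged mode, running as root, added capabilities, and bind mounts reachable by a root process. The sample data and container names are constructed, and the function names are hypothetical.

```python
import json

# Constructed sample in the shape of `docker inspect` output (not from a real host).
SAMPLE_INSPECT = json.loads("""
[
 {"Name": "/web", "Config": {"User": "1001"},
  "HostConfig": {"Privileged": false, "CapAdd": null}, "Mounts": []},
 {"Name": "/backup-agent", "Config": {"User": ""},
  "HostConfig": {"Privileged": false, "CapAdd": ["SYS_ADMIN"]},
  "Mounts": [{"Type": "bind", "Source": "/etc", "Destination": "/host/etc", "RW": true}]},
 {"Name": "/node-monitor", "Config": {"User": "0:0"},
  "HostConfig": {"Privileged": true, "CapAdd": null}, "Mounts": []}
]
""")


def runs_as_root(user):
    """Empty Config.User means no USER was set, so the process runs as root."""
    uid = (user or "").split(":", 1)[0]  # "uid:gid" -> "uid"
    return uid in ("", "0", "root")


def audit_container(c):
    """Return the list of findings for one inspected container."""
    findings = []
    host = c.get("HostConfig") or {}
    root = runs_as_root((c.get("Config") or {}).get("User"))
    if host.get("Privileged"):
        findings.append("privileged")
    if root:
        findings.append("runs-as-root")
    for cap in host.get("CapAdd") or []:  # CapAdd is null when nothing was added
        findings.append(f"cap-add:{cap}")
    for m in c.get("Mounts") or []:
        if m.get("Type") == "bind" and root:  # host path exposed to a root process
            mode = "rw" if m.get("RW") else "ro"
            findings.append(f"root-bind-mount:{m.get('Source')}:{mode}")
    return findings


def audit(inspect_data):
    """Map container name to findings, omitting containers with none."""
    report = {c["Name"].lstrip("/"): audit_container(c) for c in inspect_data}
    return {name: f for name, f in report.items() if f}


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_INSPECT).items():
        print(name, findings)
```

On a real host, pass `audit()` the parsed output of `docker inspect $(docker ps -q)` instead of the constructed sample.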

Also see:

Container
OpenShift Security Context Constraints

Secret

https://docs.docker.com/engine/swarm/secrets/