Docker Security: Difference between revisions

From NovaOrdis Knowledge Base
Jump to navigation Jump to search
(Created page with "=External= * https://docs.docker.com/engine/security/security/ * http://opensource.com/business/14/7/docker-security-selinux =Internal= * Docker Concepts#Security|Docker...")
 
Line 10: Line 10:
=Overview=
=Overview=


Production containers should almost always be run under the context of a non-privileged user. See Dockerfile [[Dockerfile#USER|USER]].
Production containers should almost always be run under the context of a non-privileged user, because there is potential to allow root level access to host resources, as in the case of the [[Docker Concepts#Bind_Mount_Security_Implications|bind mounts]]. See Dockerfile [[Dockerfile#USER|USER]].


==Privileged Container==
==Privileged Container==

Revision as of 23:34, 26 January 2018

External

Internal

Overview

Production containers should almost always be run under the context of a non-privileged user, because there is potential to allow root level access to host resources, as in the case of the bind mounts. See Dockerfile USER.

Privileged Container

A privileged container, also referred to as a super privileged container (SPC) or an infrastructure container, is a special container elevated privileges administrators use to perform administrative tasks as management, monitoring, backups, etc. Privileged containers can load specialized kernel modules, for example. Typically there's a tighter coupling between privileged containers and the host kernel. When using a privileged container, the administrator needs to select a user space that is compatible with the host kernel.

Also see:

Container
OpenShift Security Context Constraints

Secret

https://docs.docker.com/engine/swarm/secrets/