Docker Security

From NovaOrdis Knowledge Base

External

Internal

Overview

Production containers should almost always run as a non-privileged user, because a container running as root can potentially get root-level access to host resources, as in the case of bind mounts. See Dockerfile USER.

Linux Kernel Capabilities

Linux Capabilities

Privileged Container

A privileged container, also referred to as a super privileged container (SPC) or an infrastructure container, is a special container with elevated privileges that administrators use to perform administrative tasks such as management, monitoring, backups, etc. Privileged containers can load specialized kernel modules, for example. Typically there's a tighter coupling between privileged containers and the host kernel. When using a privileged container, the administrator needs to select a user space that is compatible with the host kernel.

Also see:

Linux Security Concepts | Privileged Mode
Container
OpenShift Security Context Constraints
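
The following is an added example, not part of the original page: a small audit over `docker inspect` output that flags the conditions described in the Overview and Privileged Container sections (root user, privileged mode, added capabilities, bind mounts reachable by root). The container names and sample JSON are constructed for illustration; the check assumes no user-namespace remapping is configured on the daemon.

```python
import json

# Constructed sample in the shape of `docker inspect <container>...` output.
SAMPLE_INSPECT = json.loads("""
[
  {"Name": "/web",
   "Config": {"User": "1001"},
   "HostConfig": {"Privileged": false, "CapAdd": null},
   "Mounts": [{"Type": "volume", "Source": "/var/lib/docker/volumes/data/_data", "Destination": "/data", "RW": true}]},
  {"Name": "/backup-agent",
   "Config": {"User": ""},
   "HostConfig": {"Privileged": true, "CapAdd": ["SYS_MODULE"]},
   "Mounts": [{"Type": "bind", "Source": "/etc", "Destination": "/host/etc", "RW": true}]},
  {"Name": "/metrics",
   "Config": {"User": "root"},
   "HostConfig": {"Privileged": false, "CapAdd": null},
   "Mounts": [{"Type": "bind", "Source": "/proc", "Destination": "/host/proc", "RW": false}]}
]
""")

def runs_as_root(user):
    """Empty Config.User means neither USER nor --user was set, so the process is root."""
    name = (user or "").split(":")[0]  # drop an optional ":group" suffix
    return name in ("", "0", "root")

def audit(containers):
    """Return {container name: [findings]} for containers with risky settings."""
    report = {}
    for c in containers:
        findings = []
        root = runs_as_root(c.get("Config", {}).get("User"))
        host = c.get("HostConfig", {})
        if root:
            findings.append("runs as root")
        if host.get("Privileged"):
            findings.append("privileged mode")
        for cap in host.get("CapAdd") or []:
            findings.append(f"added capability {cap}")
        for m in c.get("Mounts") or []:
            if m.get("Type") == "bind" and root:
                mode = "rw" if m.get("RW") else "ro"
                findings.append(f"root with bind mount {m['Source']} ({mode})")
        if findings:
            report[c["Name"].lstrip("/")] = findings
    return report

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_INSPECT).items():
        print(name, "->", "; ".join(findings))
```

On a real host, the input can be produced with `docker inspect $(docker ps -q)` and loaded with `json.load` in place of the constructed sample.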

Secret

https://docs.docker.com/engine/swarm/secrets/