Docker Security: Difference between revisions
| Line 8: | Line 8: | ||
* [[Docker Concepts#Security|Docker Concepts]] | * [[Docker Concepts#Security|Docker Concepts]] | ||
* [[Dockerfile#USER|Dockerfile | * [[Dockerfile#USER|Dockerfile USER]] | ||
=Overview= | =Overview= | ||
Revision as of 19:09, 2 January 2021
External
- https://docs.docker.com/engine/security/security/
- http://opensource.com/business/14/7/docker-security-selinux
- https://medium.com/@ewindisch/on-the-security-of-containers-2c60ffe25a9e
Internal
Overview
Production containers should almost always be run under the context of a non-privileged user, because there is potential to allow root level access to host resources, as in the case of the bind mounts. See Dockerfile USER.
Linux Kernel Capabilities
- https://docs.docker.com/engine/security/security/#linux-kernel-capabilities
- https://github.com/moby/moby/blob/master/oci/defaults.go#L14-L30
Privileged Container
A privileged container, also referred to as a super privileged container (SPC) or an infrastructure container, is a special container elevated privileges administrators use to perform administrative tasks as management, monitoring, backups, etc. Privileged containers can load specialized kernel modules, for example. Typically there's a tighter coupling between privileged containers and the host kernel. When using a privileged container, the administrator needs to select a user space that is compatible with the host kernel.
Also see: