External

• https://docs.docker.com/engine/security/security/
• http://opensource.com/business/14/7/docker-security-selinux
• https://medium.com/@ewindisch/on-the-security-of-containers-2c60ffe25a9e
• https://opensource.com/business/15/3/docker-security-tuning

Internal

• Docker Concepts
• Dockerfile USER

Overview

Production containers should almost always be run under the context of a non-privileged user, because there is potential to allow root level access to host resources, as in the case of the bind mounts. See Dockerfile USER.

Linux Kernel Capabilities

Linux Capabilities

Privileged Container

A privileged container, also referred to as a super privileged container (SPC) or an infrastructure container, is a special container elevated privileges administrators use to perform administrative tasks as management, monitoring, backups, etc. Privileged containers can load specialized kernel modules, for example. Typically there's a tighter coupling between privileged containers and the host kernel. When using a privileged container, the administrator needs to select a user space that is compatible with the host kernel.

Also see:

Container

OpenShift Security Context Constraints

Secret

https://docs.docker.com/engine/swarm/secrets/