
...

The man page is man cgroups, with a trailing s (cgroups(7)).

...

Process segregation with Namespaces and Capabilities

Inside a container, Linux compartmentalizes all processes belonging to that container into their own set of namespaces (pid, mnt, net, uts, ipc and, optionally, user): each process sees only the process IDs, mounts, network interfaces, hostname and IPC objects of its own container, even though it shares the host kernel with every other container. A namespace is like a label attached to the activities that were instantiated with that running container; on the host the label is visible as the inode linked from /proc/<pid>/ns/<type>, and two processes share a namespace exactly when those inodes match.


Capabilities split root's privileges into discrete units (CAP_NET_RAW, CAP_SYS_ADMIN, CAP_CHOWN, ...). Docker starts containers with a reduced default set and lets you drop or add individual ones per container (for example --cap-drop ALL --cap-add NET_BIND_SERVICE), so a specific privilege can be assigned to a specific container without giving it full root. This is similar to running a packet sniffer such as Wireshark (tshark) as an unelevated Linux user: its capture helper dumpcap is granted cap_net_raw and cap_net_admin with setcap, so the user never needs a root shell to capture packets.
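To see exactly which capabilities a container process holds, read the CapEff line from /proc/<pid>/status and decode the bitmask. The script below is an added example written for this page; it is not code from the Docker project or its documentation. The two sample masks are constructed: 00000000a80425fb is the set Docker grants by default, and 000001ffffffffff is every capability defined on a kernel with 41 capabilities (host root or --privileged).

```sh
#!/bin/sh
# Added example (not from the Docker documentation or this wiki page):
# decode the CapEff bitmask that /proc/<pid>/status prints into capability
# names, so you can see exactly which privileges a container process holds.
#
# Inside a running container:     grep CapEff /proc/1/status
# From the host, for a new one:   docker run --rm --cap-drop ALL --cap-add NET_RAW alpine grep CapEff /proc/self/status

# Capability names in bit order (bit 0 = CAP_CHOWN ... bit 40 = CAP_CHECKPOINT_RESTORE),
# taken from <linux/capability.h>.
CAP_NAMES="cap_chown cap_dac_override cap_dac_read_search cap_fowner cap_fsetid
cap_kill cap_setgid cap_setuid cap_setpcap cap_linux_immutable
cap_net_bind_service cap_net_broadcast cap_net_admin cap_net_raw cap_ipc_lock
cap_ipc_owner cap_sys_module cap_sys_rawio cap_sys_chroot cap_sys_ptrace
cap_sys_pacct cap_sys_admin cap_sys_boot cap_sys_nice cap_sys_resource
cap_sys_time cap_sys_tty_config cap_mknod cap_lease cap_audit_write
cap_audit_control cap_setfcap cap_mac_override cap_mac_admin cap_syslog
cap_wake_alarm cap_block_suspend cap_audit_read cap_perfmon cap_bpf
cap_checkpoint_restore"

# Constructed sample masks (hex, exactly as /proc/<pid>/status prints them).
DOCKER_DEFAULT_CAPEFF=00000000a80425fb   # the 14 capabilities `docker run` grants by default
FULL_ROOT_CAPEFF=000001ffffffffff        # all 41 capabilities: host root or --privileged (kernel >= 5.9)

# decode_caps MASK: print one capability name per line for every set bit.
decode_caps() {
    mask=$((0x$1))
    i=0
    for name in $CAP_NAMES; do
        if [ $(( (mask >> i) & 1 )) -eq 1 ]; then
            echo "$name"
        fi
        i=$((i + 1))
    done
}

# has_cap MASK NAME: succeed (exit 0) if NAME is set in MASK.
has_cap() {
    decode_caps "$1" | grep -qx "$2"
}

# caps_dropped FULL REDUCED: names present in FULL but missing from REDUCED,
# i.e. what a container running with mask REDUCED cannot do that host root can.
caps_dropped() {
    for c in $(decode_caps "$1"); do
        has_cap "$2" "$c" || echo "$c"
    done
}

# Stand-alone run: show what the Docker default set keeps and what it drops.
echo "== Docker default CapEff ($DOCKER_DEFAULT_CAPEFF) grants:"
decode_caps "$DOCKER_DEFAULT_CAPEFF"
echo "== Dropped relative to full root (cap_sys_admin, cap_net_admin, cap_sys_ptrace ... live here):"
caps_dropped "$FULL_ROOT_CAPEFF" "$DOCKER_DEFAULT_CAPEFF"
```

Paste the CapEff value of any process into decode_caps to audit it; a container whose effective set still contains cap_sys_admin or cap_sys_ptrace is one step from the host, and --cap-drop ALL followed by the handful of --cap-add flags the workload really needs is the cheapest fix.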

...

Top 3 security concerns

  1. Any Docker host (such as a developer or DevOps workstation) that can (or does) run Docker containers as root is a privileged workstation or server. Because the daemon runs as root, anyone who can talk to the Docker socket can bind-mount the host operating system root into a container (for example -v /:/host), modify it and persist the changes, which is equivalent to root on the host.

    1. solutions: rootless Docker (https://docs.docker.com/engine/security/rootless/)

  2. Any security vulnerability that is reachable from the ENTRYPOINT process (https://docs.docker.com/engine/reference/builder/), in the application itself or in the libraries and base-image packages it loads, can potentially be reached through the container's exposed ports and inputs with injection attacks or exploits of known vulnerabilities in those components.

    1. solutions: Application Security including Supply-Chain security including SCA (Software Composition Analysis) of the image contents

  3. A container

Handy snippets

List dockerized processes

...