Safe launch of Docker

I understand that the Docker daemon requires running as root, so I am told that this can lead to some security consequences: for example, if a container is compromised, attackers can make changes to the host system files.

What precautions can be taken to mitigate damage in the event of an attack?

Is there any practice I should know about when starting the Docker daemon? I was thinking that you could have a wrapper that starts a VM, and Docker starts inside the VM instead.

+5
1 answer

The main source of information about Docker security practices is the Docker Security page.

Only trusted users are allowed to control the Docker daemon .
This is a direct result of some of the powerful features of Docker.

In particular, Docker allows you to share a directory between the Docker host and the guest container, and it allows you to do so without limiting the container's access rights.

If you expose the REST API, you must do it via HTTPS.

Finally, if you run Docker on a server, it is recommended that you run Docker exclusively on the server and move all other services into containers controlled by Docker.

As for the virtual machine, see "Are Docker Containers Safe?":

The biggest problem is that not everything in Linux is namespaced. Currently, Docker uses five namespaces to isolate processes in the system: process, network, mount, hostname, shared memory.

Although they give the user some level of security, it is by no means as comprehensive as KVM (kernel-based virtual machine).
In a KVM environment, processes in a virtual machine do not directly access the host kernel. They do not have access to kernel file systems such as /sys and /sys/fs, /proc/*.

+4
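The two concrete points in the answer above, an API exposed without TLS and host directories shared into a container without restriction, can be checked mechanically. The following audit is an added example, not code from the page or from the Docker project; the daemon.json contents and the "Binds" list are constructed samples, and the list of sensitive host paths is an assumption.

```python
import json

# Constructed sample of /etc/docker/daemon.json (not from the page): the daemon
# listens on TCP with TLS verification off and no user-namespace remapping.
SAMPLE_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
    "tlsverify": False,
})

# Constructed sample of the "Binds" list from a container's HostConfig.
SAMPLE_BINDS = [
    "/srv/app/data:/data:ro",
    "/etc:/host-etc",
    "/var/run/docker.sock:/var/run/docker.sock",
]

# Assumed list of host paths that hand a container control of the host when
# shared read-write (the daemon socket is equivalent to root on the host).
SENSITIVE_HOST_PATHS = ("/", "/etc", "/proc", "/sys", "/root", "/var/run/docker.sock")


def _is_sensitive(host_path: str) -> bool:
    path = host_path.rstrip("/") or "/"
    return path in SENSITIVE_HOST_PATHS or any(
        path.startswith(d + "/") for d in SENSITIVE_HOST_PATHS if d != "/")


def audit_daemon_config(raw_json: str) -> list[str]:
    """Findings for a daemon.json string: plain-TCP API and missing userns-remap."""
    cfg = json.loads(raw_json)
    findings = []
    tcp_hosts = [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]
    if tcp_hosts and not cfg.get("tlsverify"):
        findings.append(f"REST API on {tcp_hosts} without tlsverify: serve it over HTTPS")
    if "userns-remap" not in cfg:
        findings.append("userns-remap not set: root in a container is root on the host")
    return findings


def audit_binds(binds: list[str]) -> list[str]:
    """Findings for sensitive host paths shared into a container read-write."""
    findings = []
    for bind in binds:
        parts = bind.split(":")          # host_path[:container_path[:mode]]
        host_path = parts[0]
        mode = parts[2] if len(parts) > 2 else "rw"
        if _is_sensitive(host_path) and "ro" not in mode.split(","):
            findings.append(f"{host_path} shared read-write: container can change host files")
    return findings
```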

Source: https://habr.com/ru/post/1234419/
