Docker Defaults Can Improve Security

By Bret Fisher • Issue #17 • View online
In my series on security features and controls in Docker, this week I talk about what you get out of the box by just using Docker defaults.

How Does "Just Docker" Keep My App Safe?
Using Docker's default, out-of-the-box settings gives you a tightly integrated, secure platform with many controls that keep your app safe. These include security tools enabled by default, such as AppArmor and seccomp, which restrict what a container is allowed to do. Together with the Linux kernel's cgroups and namespaces, they isolate what a container can and cannot access.
Docker Security Tips: Just use Docker!
What security concerns should I have with Docker?
Docker & AppArmor: 30.000 foot view - @lucjuggery - Medium
How These Tools Reduce Your Risk Profile
Kernel namespaces provide the first line of defense: isolation. By giving each container its own network stack, PID space, and user IDs, namespaces tightly control what a container is able to see. Alongside namespaces are cgroups, which control the resources a container may consume, including CPU, RAM, and network bandwidth. For instance, a properly configured cgroup prevents a container from overloading the host CPU. Another Linux kernel feature is seccomp (secure computing), which lets you restrict the system calls available from within a container. In the docs linked below, you can learn how Docker enables locked-down "sane defaults". You can also configure your own!
Docker Namespace and Cgroups - Kasun Rathnayaka - Medium
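As an added example (not code from the newsletter or from Docker), the script below reads `docker inspect` output and reports which of the defaults described above a container has given up: the seccomp filter, the AppArmor profile, its own PID and network namespaces, and cgroup CPU/memory limits. The inspect data embedded here is a constructed sample; the field names are the ones `docker inspect` emits under HostConfig.

```python
import json
import sys

# Constructed sample of `docker inspect` output for two containers (not real
# output): one left on Docker's defaults, one started with every default disabled.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/web-default", "AppArmorProfile": "docker-default",
     "HostConfig": {"Privileged": False, "SecurityOpt": None, "PidMode": "",
                    "NetworkMode": "bridge", "Memory": 268435456,
                    "NanoCpus": 500000000, "CpuQuota": 0}},
    {"Name": "/debug-box", "AppArmorProfile": "unconfined",
     "HostConfig": {"Privileged": True,
                    "SecurityOpt": ["seccomp=unconfined", "apparmor=unconfined"],
                    "PidMode": "host", "NetworkMode": "host",
                    "Memory": 0, "NanoCpus": 0, "CpuQuota": 0}},
])


def audit_container(container):
    """Return (name, findings) listing each Docker default the container gave up."""
    hc = container.get("HostConfig") or {}
    name = container.get("Name", "?").lstrip("/")
    findings = []
    if hc.get("Privileged"):
        findings.append("privileged: all capabilities granted, seccomp/AppArmor off")
    for opt in hc.get("SecurityOpt") or []:
        if opt == "seccomp=unconfined":
            findings.append("seccomp: default syscall filter removed")
        elif opt == "apparmor=unconfined":
            findings.append("apparmor: default docker-default profile removed")
    if hc.get("PidMode") == "host":
        findings.append("pid namespace: container sees host processes")
    if hc.get("NetworkMode") == "host":
        findings.append("network namespace: container shares host network stack")
    if not hc.get("Memory"):
        findings.append("cgroup: no memory limit, can exhaust host RAM")
    if not hc.get("NanoCpus") and not hc.get("CpuQuota"):
        findings.append("cgroup: no CPU limit, can starve the host CPU")
    return name, findings


def audit(inspect_json):
    """Map container name -> findings for a `docker inspect` JSON array."""
    return dict(audit_container(c) for c in json.loads(inspect_json))


if __name__ == "__main__":
    # Pipe real data in with: docker inspect $(docker ps -q) | python3 audit.py
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_INSPECT
    for name, findings in audit(raw).items():
        print(f"{name}: {'OK, Docker defaults intact' if not findings else ''}")
        for f in findings:
            print(f"  - {f}")
```

Note that Docker applies no CPU or memory limit unless you set one, so the cgroup findings will appear on most containers until you add `--memory` and `--cpus`.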
Thanks for reading,
–Bret
Weekly YouTube Live: bretfisher.com/youtube
Course Coupons: bretfisher.com/courses
Bret Fisher, Virginia Beach, Virginia, USA