Docker Defaults Can Improve Security

#17 · Vital DevOps: Improving Your Container DevOps Skills

Bret Fisher
In my series on security features and controls in Docker, this week I talk about what you get out of the box by just using Docker defaults.

How Does "Just Docker" Keep My App Safe?
By using Docker's default, out-of-the-box settings, you get a tightly integrated, secure platform with several controls already working to keep your app safe. These include security tools enabled by default, such as AppArmor and seccomp, which restrict what a container is allowed to do. Combined with the general Linux kernel features of cgroups and namespaces, they isolate what a container can and cannot access.
Docker Security Tips: Just use Docker!
What security concerns should I have with Docker?
Docker & AppArmor: 30.000 foot view - @lucjuggery - Medium
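The paragraph above says seccomp is enabled out of the box and that Docker lets you supply your own profile. The following is an added example (not code from this newsletter or from Docker) that shows the shape of such a profile and evaluates it the way Docker applies it: a deny-by-default action, an allowlist of syscall names, and rules that only apply when the container holds a given capability. The profile below is constructed for illustration and is far smaller than Docker's real default; the `decide` and `audit` helpers are assumptions written for this example.

```python
import json

# Constructed, deliberately small profile in the JSON shape Docker accepts via
# --security-opt seccomp=<file>. Everything not listed falls to defaultAction.
CUSTOM_PROFILE = json.loads("""
{
  "defaultAction": "SCMP_ACT_ERRNO",
  "architectures": ["SCMP_ARCH_X86_64"],
  "syscalls": [
    {
      "names": ["read", "write", "exit_group", "openat", "close", "fstat"],
      "action": "SCMP_ACT_ALLOW"
    },
    {
      "names": ["chroot"],
      "action": "SCMP_ACT_ALLOW",
      "includes": {"caps": ["CAP_SYS_CHROOT"]}
    },
    {
      "names": ["mount", "umount2"],
      "action": "SCMP_ACT_ALLOW",
      "includes": {"caps": ["CAP_SYS_ADMIN"]}
    }
  ]
}
""")


def rule_applies(rule, caps):
    """A rule is active only if its capability filters are satisfied.

    'includes.caps' must all be present; 'excludes.caps' must all be absent.
    (Only the caps filter is modelled here; Docker also supports arches and
    minKernel filters, which this example ignores.)
    """
    required = rule.get("includes", {}).get("caps", [])
    forbidden = rule.get("excludes", {}).get("caps", [])
    if required and not all(c in caps for c in required):
        return False
    if forbidden and any(c in caps for c in forbidden):
        return False
    return True


def decide(profile, syscall, caps=frozenset()):
    """Return the action the profile yields for one syscall name."""
    for rule in profile["syscalls"]:
        if syscall in rule["names"] and rule_applies(rule, caps):
            return rule["action"]
    return profile["defaultAction"]


def audit(profile, needed_syscalls, caps=frozenset()):
    """Map each syscall a workload needs to the action it would get.

    Useful before tightening a profile: anything that comes back as the
    default deny action will fail inside the container.
    """
    return {s: decide(profile, s, caps) for s in needed_syscalls}


if __name__ == "__main__":
    # A container started with Docker's default capability set does not hold
    # CAP_SYS_ADMIN, so mount is denied even though a rule names it.
    default_caps = frozenset({"CAP_SYS_CHROOT", "CAP_NET_BIND_SERVICE"})
    for name, action in audit(
        CUSTOM_PROFILE, ["read", "chroot", "mount", "ptrace"], default_caps
    ).items():
        print(f"{name:10s} -> {action}")
```

Running this prints an allow for `read` and `chroot`, and the deny action for `mount` (capability missing) and `ptrace` (not listed at all), which is exactly why `--cap-add` and a custom seccomp profile have to be reasoned about together.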
How These Tools Reduce Your Risk Profile
Kernel namespaces provide the first line of defense: isolation. By giving each container its own network stack, PID space, and user IDs, you tightly control what a container is able to see. Alongside namespaces are cgroups, which control the resources a container can consume, including CPU, RAM, and network bandwidth. For instance, a properly configured cgroup prevents a container from overloading the host CPU. Another Linux kernel feature is seccomp (secure computing), which restricts the actions (system calls) available from within a container. In the docs linked below, you can learn how Docker enables some locked-down “sane defaults”. You can also configure your own!
Docker Namespace and Cgroups - Kasun Rathnayaka - Medium
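To make the CPU cgroup point above concrete, here is an added example (not from this newsletter or the linked article) that converts a Docker `--cpus` value into the cgroup v2 `cpu.max` quota/period pair and reads the limit back from inside a container. It assumes the 100000 µs CFS period Docker uses by default and the cgroup v2 path `/sys/fs/cgroup/cpu.max`; on a machine without that file it falls back to a constructed value so the code still runs.

```python
from pathlib import Path

# cgroup v2 exposes the CPU limit of the current cgroup as "<quota> <period>"
# in microseconds, or "max <period>" when no limit is set.
CPU_MAX_PATH = Path("/sys/fs/cgroup/cpu.max")
DEFAULT_PERIOD_US = 100000  # assumption: Docker's default CFS period


def cpus_to_cpu_max(cpus, period_us=DEFAULT_PERIOD_US):
    """Quota/period string that `docker run --cpus=<cpus>` corresponds to.

    quota = cpus * period, so 1.5 CPUs over a 100 ms period is 150 ms of
    run time per period; exceeding it throttles the container instead of
    letting it starve the host.
    """
    if cpus <= 0:
        raise ValueError("cpus must be positive")
    return f"{int(round(cpus * period_us))} {period_us}"


def parse_cpu_max(text):
    """Return the effective number of CPUs from a cpu.max line, or None if unlimited."""
    quota, period = text.split()
    if quota == "max":
        return None
    return int(quota) / int(period)


def effective_cpu_limit(path=CPU_MAX_PATH, fallback="max 100000"):
    """Read the limit that applies to this process; use the constructed
    fallback when the cgroup file is not present (e.g. outside a container)."""
    try:
        text = path.read_text().strip()
    except OSError:
        text = fallback
    return parse_cpu_max(text)


if __name__ == "__main__":
    print("--cpus=1.5 ->", cpus_to_cpu_max(1.5))
    limit = effective_cpu_limit()
    print("effective limit:", "unlimited" if limit is None else f"{limit} CPUs")
```

A `None` result from `effective_cpu_limit` inside a container is the signal that nobody set `--cpus` (or `--cpu-quota`) and the container can consume every core on the host.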
Thanks for reading,
–Bret
Weekly YouTube Live: bretfisher.com/youtube
Course Coupons: bretfisher.com/courses
Bret Fisher @bretfisher

Commentary on tools and techniques I find interesting around Docker, Kubernetes, Cloud Native DevOps, and DevSecOps.

Created with Revue by Twitter.
Bret Fisher, Virginia Beach, Virginia, USA