Chapter 9. Docker Security
In this chapter, we will cover the following recipes:
- Setting Mandatory Access Control (MAC) with SELinux
- Allowing writes to volume mounted from the host with SELinux ON
- Removing capabilities to breakdown the power of a root user inside the container
- Sharing namespaces between the host and the container
Introduction
Docker containers are not actually Sandbox applications, which means they are not recommended to run random applications on the system as root with Docker. You should always treat a container running a service/process as a service/process running on the host system and put all the security measures inside the container you put on the host system.
We saw in Chapter 1, Introduction and Installation, how Docker uses namespaces for isolation. The six namespaces that Docker uses are Process, Network, Mount, Hostname, Shared Memory, and User. Not everything in Linux is namespaced, for example, SELinux, Cgroups, Devices (/dev/mem
, /dev/sd*
), and Kernel...