Securing Docker containers
Until now, we've looked at libvirt and full virtualization. But a new type of virtualization has been gaining traction, called containerization--more specifically, Docker containers.
When working with containers, administrators have to be well aware that containers do not virtualize everything: the Linux kernel itself is shared, and all software running inside the container is interacting with the Linux kernel, just like software running outside the container. That does not mean that containers don't isolate, though. They are built based on Linux features such as namespaces and control groups.
Understanding container security
As the Linux kernel is shared, exploits on the kernel level impact the entire host and can compromise not only the container through which an exploit is executed, but also all other containers and software running on the host.
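To make the shared-kernel point concrete, here is an added example (not code from the original text) that reads the namespace identifiers of two processes from /proc and reports which namespaces they share; the `docker inspect` invocation and the container name in the usage comment are assumptions, and the namespace inode values in the tests are constructed.

```python
"""Compare the Linux namespaces of two processes via /proc/<pid>/ns.

A container is a set of namespaces and cgroups on one shared kernel, not a
separate kernel. Hypothetical usage (host init vs. a container's PID):
    python3 ns_compare.py 1 "$(docker inspect -f '{{.State.Pid}}' mycontainer)"
"""
import os
import sys

# Namespace types exposed under /proc/<pid>/ns on current kernels.
NS_TYPES = ("cgroup", "ipc", "mnt", "net", "pid", "user", "uts")


def parse_ns_link(target):
    """Parse a readlink() result such as 'mnt:[4026531840]' into (type, inode)."""
    kind, _, rest = target.partition(":[")
    if not rest.endswith("]"):
        raise ValueError("unexpected namespace link: %r" % target)
    return kind, int(rest[:-1])


def read_namespaces(pid):
    """Return {ns_type: inode} for a live process (needs ptrace-read access to it)."""
    result = {}
    for kind in NS_TYPES:
        try:
            result[kind] = parse_ns_link(os.readlink("/proc/%d/ns/%s" % (pid, kind)))[1]
        except FileNotFoundError:
            continue  # kernel without this namespace type, or the process is gone
    return result


def shared_namespaces(ns_a, ns_b):
    """For each namespace type present in both maps: True if the inode matches."""
    return {k: ns_a[k] == ns_b[k] for k in sorted(set(ns_a) & set(ns_b))}


def main(argv):
    if len(argv) != 3:
        print("usage: %s PID_A PID_B" % argv[0], file=sys.stderr)
        return 2
    a, b = read_namespaces(int(argv[1])), read_namespaces(int(argv[2]))
    for kind, same in shared_namespaces(a, b).items():
        print("%-7s %s" % (kind, "shared" if same else "ISOLATED"))
    # Whatever the namespaces say, both processes run on this one kernel.
    print("kernel  %s (shared by every container on the host)" % os.uname().release)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

A container process typically shows ISOLATED for mnt, net, pid and uts while the reported kernel release is the host's, which is exactly why a kernel-level exploit is not contained by those namespaces.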
Generally, one could imagine using SELinux to prevent such vulnerabilities from being exploited. Policies could be used to ensure...