April 06, 2020
Containers make software run reliably when moved from one computing environment to another. A container consists of the application, all its dependencies such as libraries and other binaries, and the configuration files needed to run the application, bundled into a single package. Containers became a core feature of Linux a long time ago, and Docker made them easy to use. Containers make sure the developer's software will run, no matter where it is deployed.
The Linux kernel features namespaces and cgroups make it possible to isolate processes from each other. When you use namespaces and cgroups together, you simply call the result a container. Containers are processes running in the same Linux kernel as the host, but with a different computing environment.
Securing containers is about limiting and controlling the attack surface on the kernel.
Linux namespaces provide isolation for running processes, limiting access to system resources. For container processes running as the root user inside the container, you can use user namespaces to remap the root user in the container to a less privileged user on the host. With network namespaces, each container gets its own IP address and port range to bind to, thereby isolating the networks from each other.
It is possible to restrict a container’s system calls with Seccomp-BPF, a Linux kernel feature. Seccomp and Seccomp-BPF are used to limit the system calls available to a Linux process.
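As an added illustration of what a Seccomp-BPF filter is (this is example code written for this post, not Docker's or the kernel's own profile), the program below installs a small filter that makes mkdir(2) and mkdirat(2) fail with EPERM while allowing every other syscall, then shows the refusal from user space. It assumes a Linux x86-64, i386 or aarch64 build; the syscall numbers and the denylist shape are chosen for the demonstration, whereas a production profile such as Docker's default is an allowlist that denies everything not explicitly listed.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Syscall numbers differ per architecture, so the filter first checks the
 * arch field and kills the process on a mismatch (assumption: one of these). */
#if defined(__x86_64__)
#define EXPECTED_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define EXPECTED_ARCH AUDIT_ARCH_AARCH64
#elif defined(__i386__)
#define EXPECTED_ARCH AUDIT_ARCH_I386
#else
#error "add the AUDIT_ARCH_* value for this architecture"
#endif

#ifndef SECCOMP_RET_KILL_PROCESS
#define SECCOMP_RET_KILL_PROCESS SECCOMP_RET_KILL
#endif

#define MAX_DENIED 8

/* Build and install a filter that returns EPERM for each syscall number in
 * `denied` and allows everything else. Returns 0 on success, -1 on failure. */
int install_deny_filter(const int *denied, size_t n)
{
    struct sock_filter filter[6 + MAX_DENIED];
    size_t i = 0, k;

    if (n > MAX_DENIED)
        return -1;

    /* 1. Load seccomp_data.arch and kill the process if it is not ours. */
    filter[i++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
                                               offsetof(struct seccomp_data, arch));
    filter[i++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, EXPECTED_ARCH, 1, 0);
    filter[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS);

    /* 2. Load seccomp_data.nr, the syscall number being attempted. */
    filter[i++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
                                               offsetof(struct seccomp_data, nr));

    /* 3. One compare per denied syscall. A match jumps over the remaining
     *    compares and the ALLOW statement, landing on the ERRNO return. */
    for (k = 0; k < n; k++)
        filter[i++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K,
                                                   (unsigned int)denied[k],
                                                   (unsigned char)((n - k - 1) + 1), 0);

    filter[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    filter[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K,
                                               SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA));

    struct sock_fprog prog = { .len = (unsigned short)i, .filter = filter };

    /* no_new_privs lets an unprivileged process install a filter and stops a
     * later setuid/setcap exec from gaining privileges the filter cannot police. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) != 0)
        return -1;
    return 0;
}

/* Try to create (and immediately remove) a directory; return 0 on success or
 * the errno the kernel reported. */
int try_mkdir(const char *path)
{
    if (mkdir(path, 0700) == 0) {
        rmdir(path);
        return 0;
    }
    return errno;
}

/* Install a denylist covering both mkdir spellings (glibc may use either
 * syscall), then report what mkdir(3) returns afterwards. Expect EPERM. */
int demo_deny_mkdir(void)
{
    int denied[2];
    size_t n = 0;
#ifdef SYS_mkdir
    denied[n++] = SYS_mkdir;
#endif
    denied[n++] = SYS_mkdirat;
    if (install_deny_filter(denied, n) != 0)
        return -1;
    return try_mkdir("/tmp/seccomp_demo_dir"); /* constructed path for the demo */
}

int main(void)
{
    printf("before filter: mkdir errno = %d\n", try_mkdir("/tmp/seccomp_demo_dir"));
    printf("after filter:  mkdir errno = %d (EPERM is %d)\n", demo_deny_mkdir(), EPERM);
    return 0;
}
```

The filter is inherited across fork and exec, which is why container runtimes install it on the container's init process before handing over to the workload; SECCOMP_RET_ERRNO is used here so the refusal is visible as an error code, whereas a profile can equally return SECCOMP_RET_KILL_PROCESS or SECCOMP_RET_LOG to terminate or audit the offending call.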
Linux capabilities divide the privileges of root into distinct units, so a process can be granted a smaller group of privileges instead of all of root.
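To make the idea of "units of root" concrete, here is an added example (written for this post, not part of Docker or libcap) that reads a process's effective capability set through the raw capget(2) syscall and counts how many of a short, assumed list of high-impact units it holds. The list of which capabilities count as high risk is this example's own choice for illustration; it is not a standard defined by the page.

```c
#define _GNU_SOURCE
#include <linux/capability.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Read the calling process's effective capability set as a 64-bit bitmask.
 * Uses the raw syscall so the example has no libcap dependency. */
int read_effective_caps(uint64_t *mask)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[_LINUX_CAPABILITY_U32S_3];

    if (syscall(SYS_capget, &hdr, data) != 0)
        return -1;
    /* Version 3 splits the set over two 32-bit words. */
    *mask = (uint64_t)data[0].effective | ((uint64_t)data[1].effective << 32);
    return 0;
}

/* 1 if capability number `cap` is present in `mask`, else 0. */
int cap_in_mask(uint64_t mask, int cap)
{
    return (int)((mask >> cap) & 1);
}

/* Assumed high-risk list for this demo: each of these lets a process reach
 * far outside an ordinary container's intended scope (kernel modules, raw
 * devices, other processes' memory, host networking, any file on disk). */
static const struct { int cap; const char *name; } high_risk_caps[] = {
    { CAP_SYS_ADMIN,       "CAP_SYS_ADMIN" },
    { CAP_SYS_MODULE,      "CAP_SYS_MODULE" },
    { CAP_SYS_RAWIO,       "CAP_SYS_RAWIO" },
    { CAP_SYS_PTRACE,      "CAP_SYS_PTRACE" },
    { CAP_NET_ADMIN,       "CAP_NET_ADMIN" },
    { CAP_DAC_READ_SEARCH, "CAP_DAC_READ_SEARCH" },
};

/* Count how many high-risk capabilities are set in `mask`, printing each. */
int count_high_risk_caps(uint64_t mask)
{
    int found = 0;
    for (size_t i = 0; i < sizeof(high_risk_caps) / sizeof(high_risk_caps[0]); i++) {
        if (cap_in_mask(mask, high_risk_caps[i].cap)) {
            printf("high-risk capability held: %s\n", high_risk_caps[i].name);
            found++;
        }
    }
    return found;
}

/* Returns 1 when capget(2) works for this process, used as a liveness check. */
int effective_caps_readable(void)
{
    uint64_t mask;
    return read_effective_caps(&mask) == 0;
}

int main(void)
{
    uint64_t mask;
    if (read_effective_caps(&mask) != 0) {
        perror("capget");
        return 1;
    }
    printf("effective capability mask: 0x%016llx\n", (unsigned long long)mask);
    printf("high-risk units held: %d\n", count_high_risk_caps(mask));
    return 0;
}
```

Run inside a container to see which units of root the workload actually has; a process with an empty effective set but uid 0 is still "root" by uid, yet cannot perform the privileged operations those bits guard.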
Use SELinux to tighten the security of Linux containers. SELinux will protect the host as well as protecting containers from each other.