Advanced Docker Security Part II

Introduction
This is part II of the Advanced Docker Series, in which we cover some advanced concepts for securing your Docker containers so that even if a container is compromised, the attacker will not be able to achieve much. In case you missed the first part of the series, you can check it out here.
Limiting Resources
The security of Docker, and the factors that influence it, rests on two core Linux kernel features: namespaces and cgroups.
Namespaces, according to the Docker website, “provide isolation for running processes (containers), limiting their access to system resources without the running process being aware of the constraints.” Namespaces were not introduced by Docker; they were already part of the Linux kernel before Docker existed.
The second crucial concept is cgroups (control groups). This is a Linux kernel feature that lets you restrict the system resources a process or container may consume, such as CPU, RAM, IOPS, and network bandwidth.
Restricting PIDs
PIDs are the number of processes or threads the container has created. The PIDS column contains the total number of processes and kernel threads that…
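The two limits described above (cgroup resource caps and the PID cap) in practice, as an added example that is not part of the original article. It assumes the Docker CLI is installed; the container and image names are placeholders, and the `docker stats` lines at the bottom are constructed sample output, not captured from a real host.

```shell
#!/bin/sh
# Added example, not from the original article. Assumes the Docker CLI is installed.
# Container/image names below are placeholders.

# Build a `docker run` invocation whose limits are enforced by cgroup controllers:
#   --pids-limit  caps processes+threads (pids controller), which blunts fork bombs
#   --memory      caps RAM (memory controller)
#   --cpus        caps CPU time (cpu controller)
build_run_cmd() {
  name="$1"; image="$2"; pids="$3"; mem="$4"; cpus="$5"
  printf 'docker run -d --name %s --pids-limit %s --memory %s --cpus %s %s' \
    "$name" "$pids" "$mem" "$cpus" "$image"
}

# Read lines of the form "<container> <pids>", as produced by
#   docker stats --no-stream --format '{{.Name}} {{.PIDs}}'
# and print the containers whose PID count has reached the given percentage
# of the configured limit. A container sitting near its cap is either
# undersized or running more processes than it should, so it is worth a look.
flag_near_limit() {
  limit="$1"; warn_pct="$2"
  awk -v limit="$limit" -v pct="$warn_pct" '
    NF == 2 && $2 ~ /^[0-9]+$/ {
      if ($2 * 100 >= limit * pct) print $1
    }'
}

# Constructed sample `docker stats` output (not real data) for a stand-alone run.
SAMPLE_STATS='web 95
api 12
db 80'

# Stand-alone demonstration: show the hardened run command and the containers
# that are at 80% or more of a 100-PID limit.
build_run_cmd web alpine 100 256m 1.5; echo
printf '%s\n' "$SAMPLE_STATS" | flag_near_limit 100 80
```

On a live host, replace the constructed sample with `docker stats --no-stream --format '{{.Name}} {{.PIDs}}' | flag_near_limit 100 80`; the threshold and limit should match what you passed to `--pids-limit`.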