Docker

Secure the Docker against escalation of exploits

Using read only container, it won’t able to write to the system files
seccomp profile: Limit the runnable system commands that the container can run.
Turning on User Namespace for the docker config, so it’s root only for the container >> if not, root in the container still is the root of the host.
Run as non-root user >> for the execution command

VM and Docker

VM: Copy the whole OS and managed by the Hypervisor Containerization: Use the same host kernel, has their own namespaces, cgroups (manage limits) and managed by runtime.

ENTRYPOINT, CMD, RUN

ENTRYPOINT: entry to run command, or passed command CMD: can be overwritten RUN: Used in the build time

Wisp Hill

Explorer

Docker

Secure the Docker against escalation of exploits

VM and Docker

ENTRYPOINT, CMD, RUN

Graph View

Table of Contents

Backlinks