Questions tagged [container]
57 questions
57
votes
2 answers
If a container is compromised does that mean host also compromised?
Recently, I have heard of a new virtualization tech called containers. Suppose the container has been compromised, does this mean the host is also compromised (since the container is a process on a host)? In terms of security, is a VM (virtual…
Akhil Surapuram
- 561
- 4
- 7
42
votes
2 answers
Is it possible to escalate privileges and escaping from a Docker container?
I'm learning a lot about docker. I'm practicing creating docker clusters using docker-swarm, registry, shipyard, etc.
I saw how easy is to get root in a docker host machine once you entered to the host with a limited user which has docker…
OscarAkaElvis
- 5,185
- 3
- 17
- 48
11
votes
1 answer
Docker runs container processes as root - should I be worried?
I am running a (QNAP) NAS with Docker functionality ("containerstation"). I thought it would be a lot safer to install apps via containers instead of apps from the store (or 3rd party stores).
Many packages are outdated in their official store and…
Critical joe
- 193
- 1
- 2
- 9
10
votes
1 answer
How to execute a command directly on the host system through docker.sock in a Docker container?
I've been studying Docker security and examining ways of escaping from container to host.
Suppose Docker sock (docker.sock) is mounted into the container at /var/run/docker.sock, so that Docker client (docker) can send commands to Docker daemon…
Shuzheng
- 1,097
- 4
- 22
- 37
5
votes
1 answer
Are Ubuntu Snaps more secure than the classic installation method from the official repos?
Today Ubuntu (and some other distros) offer a new way to install software, which is snaps. It's software packaged with all its dependencies, run with some kind of containerization, and auto-updated. This might make it sound like it's definitely a…
reed
- 15,398
- 6
- 43
- 64
5
votes
3 answers
Managing trusted certificates revocation in containers in as "cloud native" means as possible
This is a bit of a tough question to ask so bear with me a bit. I'll try to be brief if I can.
Problem statement
I'm looking for a modern best practice for managing and deploying the trusted root CA certificate list of Docker containers. I know I…
Scott Lindner
- 161
- 4
5
votes
1 answer
How secure is LXD compared to Docker?
I was thinking on using LXD instead of Docker, but I can't find anything about how secure it is compared to a regular or a CIS hardened Docker. Any information about this?
inf3rno
- 487
- 1
- 7
- 19
4
votes
0 answers
How safe is it to enable unprivileged user namespace: unprivileged_userns_clone
Linux user namespaces are special, as they play the role of the owner of the other namespaces.
Distributions (Debian, Ubuntu, Arch, ...) seem to ship with unprivileged user namespaces disabled.
For example, when podman is run as non-root user and…
miku
- 141
- 5
4
votes
2 answers
How to prevent a docker container from being attached by multiple users?
When you run docker containers you can list running containers by using docker ps
Then you can attach them by docker attach
The trouble is that all people that can attach the running container at the same time as you, and will see…
aurelien
- 253
- 2
- 13
3
votes
1 answer
Secure Communication between Swarm Worker Nodes
I have a Swarm Cluster and want to communicate securely between Windows Worker Nodes. The official Docker Documentation (https://docs.docker.com/engine/swarm/how-swarm-mode-works/pki/) states:
The nodes in a swarm use mutual Transport Layer…
D.O.
- 600
- 3
- 9
3
votes
1 answer
What are the best practices for anti-virus / anti-malware when using containers?
One of the SOC 2 controls is apparently around ensuring antivirus/anti-spam/anti-malware is running on production servers. I've been googling to see if there are any recommendation/best practices for this in the container world. I'm not sure if it's…
Roly
- 133
- 1
- 5
3
votes
1 answer
Running Docker container as Root user
Running a Docker container process as root inside the container is considered insecure. But I have some doubts that I need to clear:
Is it still the same kind of insecure even if the container cannot mount the docker socket or any part of the root…
Ijaz Ahmad
- 1,592
- 1
- 11
- 20
3
votes
2 answers
What lightweight sandboxing options do I have on linux?
What can I use to avoid running a full-fledged VM that gives me comparable security?
Possibly, something like https://coreos.com/rkt/ but I don't know what their security properties are.
Elias
- 1,915
- 1
- 9
- 17
2
votes
1 answer
How does Kubernetes Pod Security Standard (PSS) differ from Pod Security Policies (PSP) from design?
Why are we replacing PSP with PSS? What are the motivations and changes in fundamental design?
Both PSS and PSP's objective is to only permit Pods that fulfill a set of secure criteria and conditions before they can be deployed. Examples would be…
transcend3nt
- 39
- 4
2
votes
1 answer
Container escape - CVE-2022-0492 - hybrid cgroups?
I saw the recent CVE-2022-0492 that can enable container escape, and I have a decent understanding of cgroups and container capabilities, but not very familiar with how hybrid cgroup v1/v2 works, nor how cgroups and capabilities work together.…
4oo4
- 25
- 4