Linux Security Technologies

All good container platforms use namespaces and cgroups to build containers. The best container platforms will also integrate with other Linux security technologies such as capabilities, Mandatory Access Control systems like SELinux, AppArmor, and seccomp. As expected, Docker integrates with them all.

We’ll take a brief look at some of the major Linux security technologies used by Docker. We won’t go into detail, as I want the main focus of the chapter to be on the value-add security technologies Docker adds.

Namespaces

Kernel namespaces are at the very heart of containers. They slice up an operating system (OS) so that it looks and feels like multiple isolated operating systems. This lets us do really cool things like run multiple web servers on the same OS without having port conflicts. It also lets us run multiple apps on the same OS without them fighting over shared config files and shared libraries.

Examples

A couple of quick examples:

• Namespaces let you run multiple web servers, each on port 443, on a single OS. To do this you just run each web server app inside of its own network namespace. This works because each network namespace gets its own IP address and a full range of ports. You may have to map each one to a separate port on the Docker host, but each can run without being re-written or reconfigured to use a different port.

• You can run multiple applications, each requiring their own version of a shared library or configuration file. To do this you run each application inside of its own mount namespace. This works because each mount namespace can have its own isolated copy of any directory on the system (e.g. /etc, /var, /dev, etc.)

The figure below shows a high-level example of two web server applications running on a single host and both using port 443. Each web server app is running inside of its own network namespace.