Welcome message from author
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
Transcript
POST /v1.16/containers/0abe202395e4e61fc35f8f90e3432ad0f2fb3d3816a79c367ff716ecb57965dc/resize?h=24&w=107 HTTP/1.1
Host: /var/run/docker.sockUser-Agent: Docker-Client/1.4.0Content-Length: 0Content-Type: plain/text
"In the future, we expect new execution engine plugins to offer more choice and greater
granularity for our security-focused users."
all this crap running as root
including the containersran by unprivileged (not any more) users
„trusted” imageshttps://titanous.com/posts/docker-insecurity
KISS
user namespacescompletely unprivileged* containers in kernel 3.9+
remaining setuid bits
lxc-user-nic a couple netlink packets if you need a private net with CAP_NET_ADMIN !newuidmap a single write() newgidmap if you need multiple uids/gids
Related Documents
