1) Limit max processes on container; unfortunately docker seems intent on me not doing docker stupid tricks, so this is actually a bit of a pain on some systems… but if you figure out /etc/security/limits.conf, or can use prlimit (or write your own; use RLIMIT_NPROC instead of RLIMIT_NOFILE), you can do “prlimit --pid 666 --nproc=3:3” to limit the processes on the system to a very small number. Say… only what you’re running inside of it.
2) Start your container with a single threaded server (running as an unpriv’d user of course!)
3) Compromise #2, say with a buffer overrun, execute shell… and get “bash: fork: retry: Resource temporarily unavailable”. Can’t fork off any more processes, denied!
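The three steps above, carried out from inside the process rather than with the prlimit command, as an added example that is not part of the original comment. It uses the same RLIMIT_NPROC the comment names via setrlimit(2), then attempts a fork() the way an injected shell would and reports the errno it gets back; EAGAIN is the kernel error behind “Resource temporarily unavailable”. The function names (apply_nproc_limit, current_nproc_soft, try_fork) and the limit of 1 in main() are this example's own choices, not anything the comment specifies.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/resource.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Lower RLIMIT_NPROC so both the soft and hard limit equal n.
 * Equivalent to "prlimit --pid <self> --nproc=n:n" for the calling process.
 * Returns 0 on success or -errno on failure. Lowering a limit never needs
 * privilege; raising the hard limit afterwards is impossible for an
 * unprivileged process, which is the point of the hardening. */
int apply_nproc_limit(rlim_t n) {
    struct rlimit rl = { .rlim_cur = n, .rlim_max = n };
    if (setrlimit(RLIMIT_NPROC, &rl) != 0)
        return -errno;
    return 0;
}

/* Read back the soft RLIMIT_NPROC so the caller can confirm it took effect.
 * Returns the limit, -2 if it is RLIM_INFINITY, or -1 on error. */
long current_nproc_soft(void) {
    struct rlimit rl;
    if (getrlimit(RLIMIT_NPROC, &rl) != 0)
        return -1;
    return rl.rlim_cur == RLIM_INFINITY ? -2 : (long)rl.rlim_cur;
}

/* Attempt exactly one fork(). Returns 0 if a child was created (the child
 * exits immediately and is reaped), otherwise the errno fork() reported.
 * Under a tight RLIMIT_NPROC an unprivileged process gets EAGAIN here.
 * Caveat: the kernel does not enforce RLIMIT_NPROC against root / a process
 * holding CAP_SYS_RESOURCE or CAP_SYS_ADMIN, so this only bites when the
 * server really does run as an unprivileged user. */
int try_fork(void) {
    pid_t pid = fork();
    if (pid < 0)
        return errno;
    if (pid == 0)
        _exit(0);
    int status;
    waitpid(pid, &status, 0);
    return 0;
}

int main(void) {
    /* Step 1: allow this user only the process that is already running. */
    int rc = apply_nproc_limit(1);
    if (rc != 0) {
        fprintf(stderr, "setrlimit(RLIMIT_NPROC) failed: %s\n", strerror(-rc));
        return 1;
    }
    printf("RLIMIT_NPROC soft limit is now %ld\n", current_nproc_soft());

    /* Step 3: what a shell spawned inside the compromised server would see. */
    int err = try_fork();
    if (err == 0)
        printf("fork succeeded (running as root, or the limit is not enforced here)\n");
    else
        printf("fork failed: %s (errno %d)\n", strerror(err), err);
    return 0;
}
```

Because RLIMIT_NPROC is counted per real user ID across the whole container, the number you pick has to cover every process that user legitimately owns (hence the comment's 3:3 rather than 1:1 on a box with a few helpers running); set it one process short and the server itself cannot restart a worker. The fork test in main() is also a quick way to confirm, before exposing the container, that the limit is actually enforced for the account the server runs as.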
Obviously attackers can do a zillion things other than simply executing another process… but not being able to execute anything on the (hopefully stripped down and hopefully one without bash anyway :)) container that’s listening to the big bad Internet is pretty nifty.
Docker can be a stupendous boon to security, you can do things you simply can’t do without it, not in the real world. Who cares about continuous integration? Docker is for security, dawg.