mention options to avoid
This commit is contained in:
parent
f033e1637d
commit
343d644782
|
@ -130,6 +130,7 @@ If you already run your containers unprivileged without root, your container wil
|
||||||
# - SETUID
|
# - SETUID
|
||||||
# - SETGID
|
# - SETGID
|
||||||
```
|
```
|
||||||
|
Never use the `--privileged` unless you really need to: a privileged container is given access to almost all capabilities, kernel features and devices.
|
||||||
|
|
||||||
## Other security features
|
## Other security features
|
||||||
MACs and seccomp are robust tools that may vastly improve container security.
|
MACs and seccomp are robust tools that may vastly improve container security.
|
||||||
|
@ -173,6 +174,8 @@ That is quite verbose indeed, but that's to show you the different options for a
|
||||||
### Network isolation
|
### Network isolation
|
||||||
By default, all Docker containers will use the default network bridge. They will see and be able to communicate with each other. Each container should have its own user-defined bridge network, and each connection between containers should have an internal network. If you intend to run a reverse proxy in front of several containers, you should make a dedicated network for each container you want to expose to the reverse proxy.
|
By default, all Docker containers will use the default network bridge. They will see and be able to communicate with each other. Each container should have its own user-defined bridge network, and each connection between containers should have an internal network. If you intend to run a reverse proxy in front of several containers, you should make a dedicated network for each container you want to expose to the reverse proxy.
|
||||||
|
|
||||||
|
The `--network host` option also shouldn't be used for obvious reasons since the container would share the same network as the host, providing no isolation at all.
|
||||||
|
|
||||||
## Alternative runtimes (gVisor)
|
## Alternative runtimes (gVisor)
|
||||||
`runc` is the reference OCI runtime, but that means other runtimes can exist as well as long as they're compliant with the OCI standard. These runtimes can be interchanged quite seamlessly. There's a few alternatives, such as [crun](https://github.com/containers/crun) or [youki](https://github.com/containers/youki), respectively implemented in C and Rust (`runc` is a Go implementation). However, there is one particular runtime that does a lot more for security: `runsc`, provided by the [gVisor project](https://gvisor.dev/) by the folks at Google.
|
`runc` is the reference OCI runtime, but that means other runtimes can exist as well as long as they're compliant with the OCI standard. These runtimes can be interchanged quite seamlessly. There's a few alternatives, such as [crun](https://github.com/containers/crun) or [youki](https://github.com/containers/youki), respectively implemented in C and Rust (`runc` is a Go implementation). However, there is one particular runtime that does a lot more for security: `runsc`, provided by the [gVisor project](https://gvisor.dev/) by the folks at Google.
|
||||||
|
|
||||||
|
|
Loading…
Reference in New Issue