Skip to content

Docker Security

← Back to all decks

33 cards — 🟢 6 easy | 🟡 14 medium | 🔴 6 hard

🟢 Easy (6)

1. A container can cause a kernel panic and bring down the whole host. What preventive actions can you apply to avoid this specific situation?

Show answer * Install only the necessary packages in the container
* Set volumes and container's filesystem to read only
* DO NOT run containers with `--privileged` flag

Gotcha: --privileged disables most security. A privileged container can load kernel modules and crash the host.

2. Which of the following are Linux features that containers use?

Show answer Containers rely on three key Linux features: namespaces (isolate PID, network, mount, user, etc.), cgroups (limit CPU, memory, I/O resources), and SELinux/AppArmor (mandatory access control). Mnemonic: NSC — Namespaces (isolation), SELinux (access control), Cgroups (resource limits). Together they provide defense-in-depth.

3. Name the seven Linux namespace types used by containers.

Show answer pid (process tree), mnt (mount table), net (network stack), uts (hostname), ipc (interprocess communication), user (UID/GID mapping), cgroup (cgroup view).

Remember: PID-MNT-NET-UTS-IPC-USER-CGROUP — "Please Make Networks Useful In Unusual Conditions."

4. What happens to a container without cgroup memory limits on a shared host?

Show answer It can consume all available host memory, starving other containers and the host itself. Cgroups enforce memory limits so one container cannot exhaust the machine.

Gotcha: without limits, one container's memory leak triggers kernel OOM killer — may kill ANY host process.

5. What are Linux capabilities and why do containers drop them?

Show answer Capabilities break root privileges into granular permissions (e.g., CAP_NET_ADMIN, CAP_SYS_ADMIN). Containers drop unnecessary capabilities to limit what a process can do even if it runs as root inside the container.

Example: --cap-drop ALL --cap-add NET_BIND_SERVICE = minimal capabilities for web servers.

6. How do you inspect which namespaces exist on a Linux host?

Show answer Use lsns to list all namespaces with their type, owning PID, and command. Also check /proc//ns/ for per-process namespace membership.

Example: lsns -t net lists all network namespaces. ls -la /proc/1/ns/ shows which namespaces PID 1 belongs to.

Debug clue: nsenter -t -n ip addr lets you enter a container's network namespace and inspect its interfaces from the host.

🟡 Medium (14)

1. Explain Rootless Containers

Show answer Historically, user needed root privileges to run containers. One of the most basic security recommendations is to provide users with minimum privileges for what they need.

For containers it's been the situation for a long time and still for running some containers today from docker.io, you'll need to have root privileges.

Under the hood: rootless containers use user namespaces to remap UID 0 inside the container to an unprivileged UID on the host. Podman was rootless from the start; Docker added rootless mode in v19.03.

Remember: rootless = container runs without host root. Uses user namespaces + FUSE-OverlayFS + Slirp4netns for networking.

2. How can you scan Docker images for vulnerabilities?

Show answer You can scan Docker images for vulnerabilities using specialized tools. One popular tool is Trivy. Here's a basic example:
Install Trivy:
```brew install trivy # for Homebrew on macOS```
Scan an Image:
```trivy image my_image```
Trivy analyzes container images and checks for known vulnerabilities in the installed packages. Other tools like Clair and Anchore can also be used for image vulnerability scanning.

3. Give one example of rootless containers are more safe from security perspective

Show answer In rootless containers, user namespace appears to be running as root but it doesn't, it's executed with regular user privileges. If an attacker manages to get out of the user space to the host with the same privileges, there's not much he can do because it's not root privileges as opposed to containers that run with root privileges.

4. Explain the use of the "--cap-add" and "--cap-drop" options in the "docker run" command.

Show answer • `--cap-add and --cap-drop:` Used to add or drop Linux capabilities in a container. Linux capabilities control the privileges of a process.
```docker run --cap-add=NET_ADMIN my_image```
In this example, the NET_ADMIN capability is added to the container, providing it with the ability to perform network-related tasks. Conversely, --cap-drop is used to drop specific capabilities. projects/knowledge/interview/docker/175-explain-the-use-of-the-cap-add-and-cap-drop-option.txt

5. Are there disadvantages in running rootless containers?

Show answer Yes, the full list can be found [here](https://github.com/containers/podman/blob/main/rootless.md).

Some worth to mention:

- No binding to ports smaller than 1024
- No images sharing CRI-O or other rootful users
- No support running on NFS or parallel filesystem homerdirs
- Some commands don't work (mount, podman stats, checkpoint, restore, ...)

6. What security best practices are there regarding containers?

Show answer * Install only the necessary packages in the container
* Don't run containers as root when possible
* Don't mount the Docker daemon unix socket into any of the containers
* Set volumes and container's filesystem to read only
* DO NOT run containers with `--privileged` flag

7. True or False? It's recommended for production environments that Docker client and server will communicate over network using HTTP socket

Show answer False. Communication between client and server shouldn't be done over HTTP since it's insecure. It's better to enforce the daemon to only accept network connection that are secured with TLS.
Basically, the Docker daemon will only accept secured connections with certificates from trusted CA.

Gotcha: exposing the Docker socket (TCP 2375 unencrypted or 2376 TLS) over the network without TLS gives anyone full root access to the host. The Docker socket is equivalent to root.

Remember: Docker socket = root access. Never expose /var/run/docker.sock to untrusted containers or over unencrypted HTTP.

8. What is Docker Content Trust, and how does it enhance security?

Show answer Docker Content Trust (DCT) is a security feature that uses digital signatures to verify the authenticity and integrity of container images. When enabled, DCT ensures that only signed and verified images can be pulled and run on a Docker host.
To enable Docker Content Trust globally:
```export DOCKER_CONTENT_TRUST=1```
DCT enhances security by:
* Verifying the integrity of images to prevent tampering.
* Ensuring images are signed by trusted publishers.
* Mitigating the risk of using compromised or malicious images.

9. How do you restrict the resources a container can use?

Show answer You can restrict the resources a container can use by using the --cpus and --memory options in the docker run command.
* `--cpus:` Specifies the number of CPUs that a container can use.
```docker run --cpus 2 my_image```
* `--memory:` Limits the amount of memory that a container can use.
```docker run --memory 512m my_image```
These options allow you to control the CPU and memory resources allocated to a container.

10. Explain the purpose of Docker secrets and how they are managed.

Show answer Docker secrets are used to securely manage sensitive information, such as passwords or API keys, in a Docker Swarm environment. Secrets are encrypted during transit and at rest.
**Create a secret:**
```echo "my_secret_value" | docker secret create my_secret_name -```
**Use the secret in a service or container:**
```docker service create --secret my_secret_name my_image```
Secrets are mounted as files in the /run/secrets/ directory within containers, allowing applications to access the sensitive information.

11. When running a container, usually a layered file system is created, but it requires root privileges. How is it then managed in rootless containers?

Show answer New drivers were created to allow creating filesystems in a user namespaces. Drivers like the FUSE-OverlayFS.

Under the hood: FUSE-OverlayFS runs in userspace, allowing layer construction without kernel privileges. It's slower than native overlay2 but enables rootless operation.

Fun fact: kernel 5.11+ supports native overlay with user namespaces, eliminating the need for FUSE-OverlayFS. Rootless performance matches rootful on modern kernels.

12. Why does running as PID 1 inside a container change signal handling behavior?

Show answer PID 1 has special kernel treatment: it does not receive default signal handlers. A regular program running as PID 1 may not respond to SIGTERM unless it explicitly handles it. This is why init systems or tini are sometimes used.

13. Why is running as root inside a container not the same as being safe?

Show answer Root inside a container still has kernel-level privileges unless capabilities are dropped and user namespaces are configured. A kernel exploit or misconfigured mount can allow container escape to host root.

War story: CVE-2019-5736 (runc container escape) allowed a malicious container running as root to overwrite the host runc binary and gain host root access. Defense: run as non-root, use user namespaces.

Remember: 'Root in container = root on host' unless user namespaces remap UIDs. Always drop capabilities with --cap-drop ALL.

14. How do you check which cgroup limits are active for a containerized process?

Show answer Read /proc/self/cgroup from inside the container, or inspect the cgroup filesystem (usually /sys/fs/cgroup/) for the container's cgroup path. Docker/podman inspect also shows resource limits.

Example: cat /sys/fs/cgroup/memory/memory.limit_in_bytes (cgroup v1) or cat /sys/fs/cgroup/memory.max (cgroup v2) shows the memory limit.

Remember: cgroup v1 uses per-controller hierarchies (/sys/fs/cgroup/memory/, /sys/fs/cgroup/cpu/). cgroup v2 uses a unified hierarchy (/sys/fs/cgroup/). RHEL 9+ and Ubuntu 22.04+ default to v2.

🔴 Hard (6)

1. How container achieve isolation from the rest of the system?

Show answer Through the use of namespaces and cgroups. Linux kernel has several types of namespaces:

- Process ID namespaces: these namespaces include independent set of process IDs
- Mount namespaces: Isolation and control of mountpoints
- Network namespaces: Isolates system networking resources such as routing table, interfaces, ARP table, etc.
- UTS namespaces: Isolate host and domains
- IPC namespaces: Isolates interprocess communications
- User namespaces: Isolate user and group IDs
- Time namespaces: Isolates system clocks

2. How does Docker ensure isolation between containers?

Show answer Docker ensures isolation between containers through several mechanisms:
* Namespace Isolation: Docker uses Linux namespaces to create isolated environments for containers. Each container has its own set of namespaces, such as PID, network, and mount namespaces, preventing processes in one container from seeing or interacting with processes in other containers.
* Control Groups (cgroups): Docker leverages cgroups to limit the resource usage of containers, such as CPU, memory, and I/O.

3. What Linux kernel features does containers use?

Show answer * cgroups (Control Groups): used for limiting the amount of resources a certain groups of processes (and their children of course) use. This way, a group of processes isn't consuming all host resources and other groups can run and use part of the resources as well

* namespaces: same as cgroups, namespaces isolate some of the system resources so it's available only for processes in the namespace. Differently from cgroups the focus with namespaces is on resources like mount points, IPC, network, ...

4. How do you enable and configure user namespaces in Docker?

Show answer User namespaces in Docker provide a way to map container user IDs to non-privileged host user IDs. To enable user namespaces:
**Edit the Docker daemon configuration file (typically /etc/docker/daemon.json):**
```\n{\n "userns-remap": "default"\n}\n```
**Restart the Docker daemon:**
```\nsystemctl restart docker\n```
This configuration sets up user namespace remapping with the default user. You can customize the mapping by specifying a different user or using custom UID/GID ranges.

5. Describe difference between cgroups and namespaces

Show answer cgroup: Control Groups provide a mechanism for aggregating/partitioning sets of tasks, and all their future children, into hierarchical groups with specialized behavior.
namespace: wraps a global system resource in an abstraction that makes it appear to the processes within the namespace that they have their own isolated instance of the global resource.

In short:

Cgroups = limits how much you can use;
namespaces = limits what you can see (and therefore use)

Cgroups involve resource metering and limiting:
memory
CPU
block I/O
network

Namespaces provide processes with their own view of the system

Multiple namespaces: pid,net, mnt, uts, ipc, user

6. What are Docker security best practices?

Show answer Docker security best practices:

- **Use official/verified images**: Minimize supply chain risk
- **Run as non-root**: Use USER directive in Dockerfile
- **Minimize image size**: Use multi-stage builds, slim base images. Fewer packages = smaller attack surface
- **Scan for vulnerabilities**: Use `docker scout`, Trivy, or Snyk in CI
- **Don't store secrets in images**: Use runtime secrets (Docker secrets, env vars, vault)
- **Read-only filesystem**: `--read-only` flag where possible
- **Limit capabilities**: Drop all caps, add only what's needed (`--cap-drop ALL --cap-add NET_BIND_SERVICE`)
- **Use content trust**: `DOCKER_CONTENT_TRUST=1` to verify image signatures