UPDATE: Read the new article " How to run systemd in a container" for the latest information. What is the scoop on running systemd in a container? A couple of years ago I wrote an article on Running systemd with a docker-formatted Container. Sadly, two years later if you google docker systemd this is still the article people see --- it's time for an update. This is a follow-up for my last article. docker upstream vs. systemd I have given...
Letting the containers out of containment I have written a lot about *Containing the Containers*, e.g. * Are Docker containers really secure?* and * Bringing new security features to Docker*. However, what if you want to ship a container that needs to have access to the host system or other containers? Well, let's talk about removing all the security! Safely? Packaging Model I envision a world where lots of software gets shipped in image format. In other words, the application...
In the first of this series on Docker security, I wrote "containers do not contain." In this second article, I'll cover why and what we're doing about it. Docker, Red Hat, and the open source community are working together to make Docker more secure. When I look at security containers, I am looking to protect the host from the processes within the container, and I'm also looking to protect containers from each other. With Docker we are using the layered...
This article from opensource.com is based on a talk I gave at DockerCon this year. It will discuss Docker container security, where we are currently, and where we are headed. Containers do not contain I hear and read about a lot of people assuming that Docker containers actually sandbox applications—meaning they can run random applications on their system as root with Docker. They believe Docker containers will actually protect their host system. I have heard people say Docker containers are...
UPDATE: Read the new article " How to run systemd in a container" for the latest information. I have been working on Docker for the last few months, mainly getting SELinux added to help CONTAIN Containers. libvirt-sandbox – virt-sandbox-service For the last couple of years I was working on a different container technology using libvirt-lxc, in addition to my regular SELinux job. I built the virt-sandbox-service tool which would carve up your host system into a bunch of service containers...
Article
