Here are a few basic built-in security features that Docker provides:
- Namespaces
Namespaces define the context in which names are defined, whether they are variable names or function names. In other words, a namespace defines the scope of names.
Each Docker container creates a set of namespaces specific to that container. This is the first, and a very effective, layer of security between containers.
- Control groups
Control groups facilitate resource accounting and limiting.
Control groups don't allow a container to exhaust the host system's CPU, memory, disk I/O, etc.
It also doesn't allow the data and processes of one container to be accessed by another container.
- Docker daemon attack surface
When a “docker run” command is executed, the Docker client talks to the Docker daemon, which manages the images and containers. The Docker daemon needs root privileges.
Extra care must be taken to ensure that only trusted users are allowed to control the Docker daemon.
A container could even be started with the root directory of your host shared into it, and the container could then alter your host filesystem without any restriction.
- Linux Kernel Capabilities
Containers can be started with a reduced set of capabilities.
This means that “root” within a container has fewer privileges than the real “root”. This, in turn, limits the damage that an intruder with root privileges inside the container can do.
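As an added example (not part of the original article), the script below checks `docker inspect` output against the four points above: host namespaces, cgroup limits, mounts that expose the host or the daemon, and capabilities. The two container entries are constructed sample data, and the set of capabilities flagged as broad is an assumption chosen for illustration.

```python
import json

# Constructed `docker inspect` output, trimmed to the fields checked below.
SAMPLE = json.loads("""[
 {"Name": "/web", "HostConfig": {"Privileged": false, "CapDrop": ["ALL"],
   "CapAdd": ["NET_BIND_SERVICE"], "Memory": 268435456, "PidsLimit": 100,
   "PidMode": "", "NetworkMode": "bridge", "Binds": ["/srv/web:/data:ro"]}},
 {"Name": "/legacy", "HostConfig": {"Privileged": true, "CapDrop": null,
   "CapAdd": ["SYS_ADMIN"], "Memory": 0, "PidsLimit": null,
   "PidMode": "host", "NetworkMode": "host",
   "Binds": ["/:/host", "/var/run/docker.sock:/var/run/docker.sock"]}}
]""")

# Assumption for this example: capabilities treated as too broad to add back.
BROAD_CAPS = {"ALL", "SYS_ADMIN", "SYS_MODULE", "SYS_PTRACE"}

def audit(container):
    """Return a list of findings for one `docker inspect` entry."""
    hc = container.get("HostConfig") or {}
    out = []
    # Namespaces: joining a host namespace gives up that isolation.
    for key in ("PidMode", "NetworkMode", "IpcMode"):
        if hc.get(key) == "host":
            out.append(f"namespace: {key}=host")
    # Control groups: 0 or null means no limit was set.
    if not hc.get("Memory"):
        out.append("cgroup: no memory limit")
    if (hc.get("PidsLimit") or 0) <= 0:
        out.append("cgroup: no pids limit")
    # Daemon attack surface: host root or the daemon socket inside the container.
    for bind in hc.get("Binds") or []:
        src, _, rest = bind.partition(":")
        read_only = "ro" in rest.split(":")[-1].split(",")
        if src == "/" and not read_only:
            out.append("mount: host root directory is writable")
        if src.endswith("docker.sock"):
            out.append("mount: docker daemon socket")
    # Capabilities: root in the container should hold a reduced set.
    if hc.get("Privileged"):
        out.append("capability: privileged")
    if "ALL" not in [c.upper() for c in (hc.get("CapDrop") or [])]:
        out.append("capability: default set kept")
    for cap in hc.get("CapAdd") or []:
        if cap.upper().replace("CAP_", "", 1) in BROAD_CAPS:
            out.append(f"capability: added {cap}")
    return out

def audit_all(containers):
    return {c["Name"].lstrip("/"): audit(c) for c in containers}

if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE).items():
        print(name, findings or "ok")
```

On a real host the same function can be fed the parsed output of `docker inspect $(docker ps -q)`.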