Skip to content

How to level up your Container Security Journey? Part 1

Part 1

But why Containers?

We use docker for its easy use, portability, and scalability in a very efficient way. I believe it’s a big win if you compare it to VMs or hypervisors.

Scenario: Suppose, I am building a web app and the web app is working in my system as I have configured it by fixing a few errors. Now I have to show it to the client, Client requested He wants to set up and check in his system before going live. Now, I have to set it up in his system and again fix errors depending on the system, he is using.

Docker is a savior, Docker says “I have a feature, let me pack everything that you have configured and I will save this as a docker image, So once your client opens the image in his machine. He will be good to go everything that you have fixed will be in a safe state and packed into the image” See how great it is?

Well, docker is very efficient and optimized when it comes to storage & lot of other features. The reason people choose docker over hypervisor. The scalable solution of docker is Kubernetes.

starting a docker daemon :sudo snap start docker
Building your docker image :
docker pull ubuntu
Installed a few tools (node server) in ubuntu and now let's save this as our image.
docker commit [Container-ID] [newimagename]
docker commit d2e5bd46fd24 ourubuntuimage
To verify, let's see what images we have now in docker?
docker images
docker run -itd -p 8080:80 ourubuntuimage (check localhost:80 in the base machine)
To check running containers
docker ps

Containers vs Images –

Docker image is a lightweight, standalone, executable package of software that includes everything needed to run an application or a service.

A Docker container is an instance of an image. It is a standard unit of software that packages up code and all its dependencies.

As a security guy, I am wondering but how are these images located on the local machine and how is the data associated with the containers written onto the disk?

Docker info

This will give us all the details about the docker, A point to be noted here

Docker Root Dir: /var/lib/docker or /var/snap/docker (Most of the configuration and data associated with Docker is going to be stored inside this directly.)

Storage Driver : overlay2 (latest storage driver)

Jumping into /var/lib/docker/overlay2 ls

Control Groups

Control groups are features of the Linux kernel. It allows us to limit the access processes and containers hav-e to system resources such as CPU, RAM, IOPS, and network. We can enforce limits on docker containers too.

A common use case is to limit the PIDs to prevent fork bombs.

docker run -it —name=cgroups ourubuntuimage
find /sys/fs/cgroup/ -name “CONTAINERID”
cat pids.max

Limiting PID for our docker image

docker run -itd —pids-limit 6 ourubuntuimage


Namespaces are another Linux kernel feature. Isolation is one of the fundamental aspects of containers in Linux.

Docker uses to isolate its containers. Docker Engine uses the following namespaces on Linux :

PID namespace for process isolation

NET namespace for managing network interfaces

IPC namespace for managing access to IPC resources.

MNT namespace for managing file system mount points

UTS namespace for isolating kernel and vision identifiers

User ID (user) namespace for privilege isolation.


Let’s consider a simple example to understand user namespaces, Let’s say that you have built an application that is running inside a container and your application is given root privileges on the container when starting the container.

Let’s assume that you have mounted the segment directly of the host machine onto the container. Now, let’s also assume that an attacker compromised this application and gained root access to the container. Now the question is, can this attacker who gained access to the container modify files on the host’s segment directly?

To be precise An attacker compromised this application and got root access to the container, We mounted the /bin directory of the host onto the container, Can someone modify files on the host’s /bin directory?

Well, It can be. Find out why…