What are containers? What is the difference from a container and a VM? Why should I not always just use VMs for isolation? How can I use containers in a way that I get the most out of the security features they provide?
Containers are not going to be the answer to preventing your application from being compromised, but they can limit the damage from a compromise. The world an attacker might see from inside a very strict container with custom AppArmor/seccomp profiles greatly differs than that without the use of containers.
Jessica Frazelle outlines the benefits gained from the Linux primitives used to create containers. Linux namespaces control what a process can see, and Linux control groups control what a process can use. You’ll leave with a clear understanding of the isolation containers provide as well as how to secure them further with AppArmor, seccomp, and SELinux.
Jessica Frazelle is a software engineer at Microsoft, where she works with Linux and containers. Jess loves all things involving Linux namespaces and cgroups and is probably most well known for running desktop applications in containers. Jessica has been a maintainer of Docker and a contributor to RunC, Kubernetes, Linux, and Golang, among other projects, and maintained the AppArmor, seccomp, and SELinux bits in Docker. She is quite familiar with locking down containers.
©2016, O'Reilly Media, Inc. • (800) 889-8969 or (707) 827-7019 • Monday-Friday 7:30am-5pm PT • All trademarks and registered trademarks appearing on oreilly.com are the property of their respective owners. • email@example.com