awesome-awesomeness/html/linuxcontainers.html
2025-07-18 22:22:32 +02:00
<h1 id="awesome-linux-containers">Awesome Linux Containers</h1>
<p><a href="https://bysol.org/en/"><img
src="https://img.shields.io/badge/Belarus-red?label=%23%20Stand%20With&amp;labelColor=white&amp;color=red"
alt="#StandWithBelarus" />
<img src="https://upload.wikimedia.org/wikipedia/commons/thumb/e/ea/Presidential_Standard_of_Belarus_%28fictional%29.svg/240px-Presidential_Standard_of_Belarus_%28fictional%29.svg.png" width="20" height="20" alt="Voices From Belarus" /></a>
<a href="https://vshymanskyy.github.io/StandWithUkraine"><img
src="https://raw.githubusercontent.com/vshymanskyy/StandWithUkraine/main/badges/StandWithUkraine.svg"
alt="Stand With Ukraine" /></a></p>
<p><a href="https://github.com/sindresorhus/awesome"><img
src="https://cdn.rawgit.com/sindresorhus/awesome/d7305f38d29fed78fa85652e3a63e154dd8e8829/media/badge.svg"
alt="Awesome" /></a></p>
<h2 id="table-of-contents">Table of Contents</h2>
<ul>
<li><a href="#About-the-Author">About the Author</a></li>
<li><a href="#foundations">Foundations</a></li>
<li><a href="#specifications">Specifications</a></li>
<li><a href="#clouds">Clouds</a></li>
<li><a href="#operating-systems">Operating Systems</a></li>
<li><a href="#hypervisors">Hypervisors</a></li>
<li><a href="#containers">Containers</a></li>
<li><a href="#sandboxes">Sandboxes</a></li>
<li><a href="#partial-access">Partial Access</a></li>
<li><a href="#filesystem">Filesystem</a></li>
<li><a href="#dashboard">Dashboard</a></li>
<li><a href="#best-practices">Best practices</a></li>
<li><a href="#security">Security</a>
<ul>
<li><a href="#tools">Tools</a></li>
<li><a href="#links">Links</a></li>
<li><a href="#levels-of-security-problems">Levels of security
problems</a></li>
<li><a href="#technologies-for-security">Technologies for
security</a></li>
</ul></li>
<li><a href="#another-information-sources">Another Information
Sources</a></li>
</ul>
<h2 id="about-the-author">About the Author</h2>
<p>Hello, everyone! My name is Filipp, and I have been working with high
load distribution systems and services, security, monitoring, continuous
deployment and release management (DevOps domain) since 2012.</p>
<p>One of my passions is developing DevOps solutions and contributing to
the open-source community. By sharing my knowledge and experiences, I
strive to save time for both myself and others while fostering a culture
of collaboration and learning.</p>
<p>I had to leave my home country, Belarus, due to my participation in
<a
href="https://en.wikipedia.org/wiki/2020%E2%80%932021_Belarusian_protests">protests
against the oppressive regime of dictator Lukashenko</a>, who maintains
a close affiliation with Putin. Since then, I'm trying to build my life
from zero in other countries.</p>
<p>If you are seeking a skilled DevOps lead or architect to enhance your
project, I invite you to connect with me on <a
href="https://www.linkedin.com/in/filipp-frizzy-289a0360/">LinkedIn</a>
or explore my valuable contributions on <a
href="https://github.com/Friz-zy/">GitHub</a>. Let's collaborate and
create some cool solutions together :)</p>
<h2 id="foundations">Foundations</h2>
<ul>
<li><a href="https://www.opencontainers.org/">OPEN CONTAINER
INITIATIVE</a><br />
The Open Container Initiative is a lightweight, open governance
structure, to be formed under the auspices of the Linux Foundation, for
the express purpose of creating open industry standards around container
formats and runtime.</li>
<li><a href="https://cncf.io/">Cloud Native Computing
Foundation</a><br />
The Cloud Native Computing Foundation will create and drive the adoption
of a new set of common container technologies informed by technical
merit and end user value, and inspired by Internet-scale computing.</li>
<li><a href="https://www.cloudfoundry.org/foundation/">Cloud Foundry
Foundation</a><br />
The Cloud is our foundry.</li>
</ul>
<h2 id="specifications">Specifications</h2>
<ul>
<li><a href="https://github.com/opencontainers/specs">Open Container
Specifications</a><br />
This project is where the Open Container Initiative Specifications are
written. This is a work in progress.</li>
<li><a
href="https://github.com/coreos/rkt/blob/master/Documentation/app-container.md">App
Container basics</a><br />
App Container (appc) is an open specification that defines several
aspects of how to run applications in containers: an image format,
runtime environment, and discovery protocol.</li>
<li><a
href="https://wiki.freedesktop.org/www/Software/systemd/ContainerInterface/">Systemd
Container Interface</a><br />
Systemd is a suite of basic building blocks for a Linux system. It
provides a system and service manager that runs as PID 1 and starts the
rest of the system. If you write a container solution, please consider
supporting the following interfaces.</li>
<li><a
href="https://github.com/projectatomic/atomicapp/tree/master/docs/spec">Nulecule
Specification</a><br />
Nulecule defines a pattern and model for packaging complex
multi-container applications and services, referencing all their
dependencies, including orchestration metadata in a container image for
building, deploying, monitoring, and active management.</li>
<li><a
href="https://blogs.oracle.com/developers/the-microcontainer-manifesto">Oracle
microcontainer manifesto</a><br />
This is not a new container format, but simply a specific method for
constructing a container that allows for better security and
stability.</li>
<li><a href="https://github.com/deislabs/cnab-spec">Cloud Native
Application Bundle Specification</a><br />
A package format specification that describes a technology for bundling,
installing, and managing distributed applications, that are by design,
cloud agnostic.</li>
</ul>
<h2 id="clouds">Clouds</h2>
<ul>
<li><a href="https://aws.amazon.com/ecs/">Amazon EC2 Container
Service</a><br />
Container management service that supports Docker containers and allows
you to easily run applications on a managed cluster of Amazon EC2
instances.</li>
<li><a href="https://cloud.google.com/container-engine/">Google Cloud
Platform</a><br />
Run Docker containers on Google Cloud Platform, powered by Kubernetes.
Google Container Engine actively schedules your containers, based on
declared needs, on a managed cluster of virtual machines.</li>
<li><a href="http://jelastic.com/">Jelastic</a><br />
Unlimited PaaS and Container-Based IaaS in a Joint Cloud Solution for
DevOps.</li>
<li><a href="https://www.joyent.com/">Joyent</a><br />
High-Performance Container-Native Infrastructure for Today's Demanding
Real-Time Web and Mobile Applications.</li>
<li><a href="http://kubernetes.io/">Kubernetes</a><br />
Manage a cluster of Linux containers as a single system to accelerate
Dev and simplify Ops.</li>
<li><a href="https://mesosphere.com/">Mesosphere</a><br />
The Mesosphere Datacenter Operating System (DCOS) is a new kind of
operating system that spans all of the machines in your datacenter or
cloud. It provides a highly elastic, and highly scalable way of
deploying applications, services and big data infrastructure on shared
resources.</li>
<li><a href="https://www.openshift.org/">OpenShift Origin</a><br />
OpenShift Origin is a distribution of <a
href="http://kubernetes.io/">Kubernetes</a> optimized for continuous
application development and multi-tenant deployment. Origin adds
developer and operations-centric tools on top of Kubernetes to enable
rapid application development, easy deployment and scaling, and
long-term lifecycle maintenance for small and large teams.</li>
<li><a href="https://github.com/cloudfoundry/warden">Warden</a><br />
Manages isolated, ephemeral, and resource controlled environments. Part
of Cloud Foundry - the open platform as a service project.</li>
<li><a href="https://virtuozzo.com">Virtuozzo</a><br />
A platform, built on Virtuozzo containers, that can be easily run on top
of any bare-metal or virtual servers in any public or private cloud, to
automate, optimize, and accelerate internal IT and development
processes.</li>
<li><a href="http://rancher.com/">Rancher</a><br />
Rancher is a complete, open source platform for deploying and managing
containers in production. It includes commercially-supported
distributions of Kubernetes, Mesos, and Docker Swarm, making it easy to
run containerized applications on any infrastructure.</li>
<li><a href="https://docs.docker.com/engine/swarm/">Docker
Swarm</a><br />
Docker Swarm is native clustering for Docker.</li>
<li><a
href="https://azure.microsoft.com/en-us/services/container-service/">Azure
Container Service</a><br />
Azure Container Service optimizes the configuration of popular open
source tools and technologies specifically for Azure.</li>
<li><a href="https://ciao-project.github.io/">CIAO</a><br />
Cloud Integrated Advanced Orchestrator for Intel Clear Linux OS.</li>
<li><a
href="https://www.alibabacloud.com/fr/product/container-service">Alibaba
Cloud Container Service</a><br />
Container Service is a high-performance and scalable container
application management service that enables you to use Docker and
Kubernetes to manage the lifecycle of containerized applications.</li>
<li><a href="https://www.nomadproject.io/">Nomad</a><br />
HashiCorp Nomad is a single binary that schedules applications and
services on Linux, Windows, and Mac. It is an open source scheduler that
uses a declarative job file for scheduling virtualized, containerized,
and standalone applications.</li>
</ul>
<h2 id="operating-systems">Operating Systems</h2>
<ul>
<li><a href="https://coreos.com/">CoreOs</a><br />
A lightweight Linux operating system designed for clustered deployments
providing automation, security, and scalability for your most critical
applications.</li>
<li><a href="http://rancher.com/rancher-os/">RancherOS</a><br />
RancherOS is a tiny Linux distro that runs the entire OS as Docker
containers.</li>
<li><a href="http://www.projectatomic.io/">Project Atomic</a><br />
Project Atomic provides the best platform for your Linux Docker
Kubernetes (LDK) application stack. Use immutable infrastructure to
deploy and scale your containerized applications.</li>
<li><a href="https://www.ubuntu.com/cloud/snappy">Snappy Ubuntu
Core</a><br />
Ubuntu Core is the perfect system for large-scale cloud container
deployments, bringing transactional updates to the world's favourite
container platform.</li>
<li><a href="https://resinos.io/">ResinOS</a><br />
A host OS tailored for containers, designed for reliability, proven in
production.</li>
<li><a href="https://github.com/vmware/photon">Photon</a><br />
Photon OS is a minimal Linux container host designed to have a small
footprint and tuned for VMware platforms. Photon is intended to invite
collaboration around running containerized and Linux applications in a
virtualized environment.</li>
<li><a href="https://clearlinux.org">Clear Linux Project</a><br />
The Clear Linux Project for Intel Architecture is a distribution built
for various Cloud use cases.</li>
<li><a href="https://cargos.io/">CargOS</a><br />
CargOS is a new lightweight, open source, platform for Docker hosts that
aims for speed, manageability and security. Releases are built for
64-bit Intel/AMD CPUs.</li>
<li><a href="http://osv.io/">OSv</a><br />
OSv is the open source operating system designed for the cloud. Built
from the ground up for effortless deployment and management, with
superior performance.</li>
<li><a href="http://blog.hypriot.com/about/">HypriotOS</a><br />
Minimal Debian-based operating system that is optimized to run Docker.
It makes it dead easy to use Docker on any Raspberry Pi.</li>
<li><a href="https://mcl.host">MCL</a><br />
MCL (<em>Minimal Container Linux</em>) is a from scratch minimal Linux
OS designed specifically to run containers. It has a small footprint of
~50MB and boots within seconds. It is currently optimized to run
Docker.</li>
</ul>
<h2 id="hypervisors">Hypervisors</h2>
<ul>
<li><a
href="https://github.com/veggiemonk/awesome-docker#cloud-infrastructure">Docker</a><br />
An open platform for distributed applications for developers and
sysadmins. <strong>De facto standard</strong>.</li>
<li><a href="https://github.com/lxc/lxd">LXD</a><br />
Daemon based on liblxc offering a REST API to manage LXC
containers.</li>
<li><a href="https://openvz.org/">OpenVZ</a><br />
OpenVZ is container-based virtualization for Linux. OpenVZ creates
multiple secure, isolated Linux containers (otherwise known as VEs or
VPSs) on a single physical server enabling better server utilization and
ensuring that applications do not conflict.</li>
<li><a
href="https://github.com/marty90/multidocker">MultiDocker</a><br />
Create a secure multi-user Docker machine, where each user is segregated
into an independent container.</li>
<li><a href="https://github.com/tailhook/lithos/">Lithos</a><br />
Lithos is a process supervisor and containerizer for running services.
It is not intended to be system init, but rather tries to be a base tool
to build container orchestration.</li>
<li><a href="https://containerd.io/">containerd</a><br />
A container runtime which can manage a complete container lifecycle -
from image transfer/storage to container execution, supervision and
networking.</li>
</ul>
<h2 id="containers">Containers</h2>
<ul>
<li><a href="https://github.com/opencontainers/runc">runc</a><br />
runc is a CLI tool for spawning and running containers according to the
OCI specification.</li>
<li><a href="https://github.com/p8952/bocker">Bocker</a><br />
Docker implemented in around 100 lines of bash.</li>
<li><a href="https://github.com/coreos/rkt">Rocket</a><br />
rkt (pronounced “rock-it”) is a CLI for running app containers on Linux.
rkt is designed to be composable, secure, and fast. Based on AppC
specification.</li>
<li><a href="https://github.com/lxc/lxc">LXC</a><br />
LXC is the well-known set of tools, templates, library and language
bindings. It's pretty low level, very flexible and covers just about
every containment feature supported by the upstream kernel.</li>
<li><a href="https://github.com/tailhook/vagga">Vagga</a><br />
Vagga is a fully-userspace container engine inspired by Vagrant and
Docker, specialized for development environments.</li>
<li><a href="https://github.com/xemul/libct">libct</a><br />
Libct is a container management library which provides a convenient API
for frontend programs to control a container during its whole
lifetime.</li>
<li><a href="https://libvirt.org/drvlxc.html">libvirt</a><br />
A big toolkit to interact with the virtualization capabilities of recent
versions of Linux (and other OSes).</li>
<li><a
href="https://wiki.archlinux.org/index.php/Systemd-nspawn">systemd-nspawn</a><br />
Spawn a namespace container for debugging, testing and building. Part of
<a
href="https://wiki.freedesktop.org/www/Software/systemd/">systemd</a>.</li>
<li><a href="https://github.com/yandex/porto">porto</a><br />
The main goal of Porto is to create a convenient, reliable interface
over several Linux kernel mechanisms such as cgroups, namespaces, mounts,
networking, etc.</li>
<li><a href="https://github.com/indigo-dc/udocker">udocker</a><br />
A basic user tool to execute simple containers in batch or interactive
systems without root privileges.</li>
<li><a href="https://github.com/google/lmctfy">Let Me Contain That For
You</a><br />
LMCTFY is the open source version of Google's container stack, which
provides Linux application containers.</li>
<li><a
href="https://github.com/01org/cc-oci-runtime">cc-oci-runtime</a><br />
Intel Clear Linux OCI (Open Containers Initiative) compatible
runtime.</li>
<li><a href="https://github.com/oracle/railcar">railcar</a><br />
Railcar is a Rust implementation of the Open Container Initiative's
runtime spec. It is similar to the reference implementation runc, but it
is implemented completely in Rust for memory safety without needing the
overhead of a garbage collector or multiple threads.</li>
<li><a href="https://katacontainers.io/">Kata Containers</a><br />
Kata Containers is a new open source project building extremely
lightweight virtual machines that seamlessly plug into the containers
ecosystem.</li>
<li><a href="https://github.com/ihucos/plash/">plash</a><br />
Lightweight, rootless containers.</li>
<li><a href="https://github.com/hyperhq/runv">runv</a><br />
Hypervisor-based (KVM, Xen, QEMU) Runtime for OCI. Security by
isolation.</li>
<li><a href="https://github.com/containers/libpod">podman</a><br />
Full management of container lifecycle.</li>
<li><a
href="https://github.com/firecracker-microvm/firecracker">firecracker</a><br />
Firecracker runs workloads in lightweight virtual machines, called
microVMs, which combine the security and isolation properties provided
by hardware virtualization technology with the speed and flexibility of
containers.</li>
<li><a href="https://github.com/nestybox/sysbox">sysbox</a><br />
Sysbox is a “runc” that creates secure (rootless) containers / pods that
run not just microservices, but most workloads that run in VMs (e.g.,
systemd, Docker, and Kubernetes), seamlessly.</li>
<li><a href="https://github.com/containers/youki">youki</a><br />
A container runtime written in Rust.</li>
<li><a
href="https://github.com/weaveworks/footloose">footloose</a><br />
Containers that look like Virtual Machines.</li>
</ul>
<h2 id="sandboxes">Sandboxes</h2>
<ul>
<li><a
href="https://l3net.wordpress.com/projects/firejail/">Firejail</a><br />
Firejail is a SUID sandbox program that reduces the risk of security
breaches by restricting the running environment of untrusted
applications using Linux namespaces, seccomp-bpf and Linux
capabilities.</li>
<li><a href="https://github.com/google/nsjail">NsJail</a><br />
NsJail is a process isolation tool for Linux. It makes use of the
namespacing, resource control, and seccomp-bpf syscall filter subsystems
of the Linux kernel.</li>
<li><a
href="https://github.com/subuser-security/subuser">Subuser</a><br />
Securing the Linux desktop with Docker.</li>
<li><a
href="https://wiki.ubuntu.com/SecurityTeam/Specifications/SnappyConfinement">Snappy</a><br />
Snappy Ubuntu Core is a new rendition of Ubuntu with transactional
updates - a minimal server image with the same libraries as today's
Ubuntu, but applications are provided through a simpler mechanism.</li>
<li><a
href="https://wiki.gnome.org/Projects/SandboxedApps">xdg-app</a><br />
xdg-app is a system for building, distributing and running sandboxed
desktop applications on Linux.</li>
<li><a
href="https://github.com/projectatomic/bubblewrap">Bubblewrap</a><br />
Run applications in a sandbox using Linux namespaces without root
privileges, with user namespacing provided via a setuid binary.</li>
<li><a
href="https://github.com/singularityware/singularity">singularity</a><br />
Universal application containers for Linux.</li>
<li><a href="https://github.com/parke/lxroot">Lxroot</a><br />
Lxroot is a flexible, lightweight, and safer alternative to chroot
and/or Docker for non-root users on Linux.</li>
</ul>
<h2 id="partial-access">Partial Access</h2>
<ul>
<li><a
href="http://man7.org/linux/man-pages/man1/nsenter.1.html">nsenter</a><br />
Run a program with the namespaces of other processes. Part of
util-linux.</li>
<li><a
href="http://man7.org/linux/man-pages/man8/ip-netns.8.html">ip-netns</a><br />
Process network namespace management. Part of iproute2.</li>
<li><a
href="http://man7.org/linux/man-pages/man1/unshare.1.html">unshare</a><br />
Run a program with some namespaces unshared from the parent. Part of
util-linux.</li>
<li><a
href="https://github.com/zalando/python-nsenter">python-nsenter</a><br />
This Python package allows entering Linux kernel namespaces (mount, IPC,
net, PID, user and UTS) by doing the “setns” syscall.</li>
<li><a href="https://pypi.python.org/pypi/butter">butter</a><br />
Python library to interface to low-level Linux features (inotify,
fanotify, timerfd, signalfd, eventfd, containers) with asyncio
support.</li>
<li><a href="https://github.com/Friz-zy/pyspaces">pyspaces</a><br />
Works with Linux namespaces through glibc with pure python.</li>
<li><a href="https://criu.org/Main_Page">CRIU</a><br />
Checkpoint/Restore In Userspace is a software tool for the Linux
operating system. Using this tool, you can freeze a running application
(or part of it) and checkpoint it to a hard drive as a collection of
files. CRIU is integrated with Docker and LXC to implement live migration
of containers.</li>
<li><a href="https://github.com/moby/moby">Moby</a><br />
A “Lego set” of toolkit components for container software, created by
Docker.</li>
</ul>
<h2 id="filesystem">Filesystem</h2>
<ul>
<li><a
href="https://github.com/GoogleCloudPlatform/container-diff">container-diff</a><br />
A tool for analyzing and comparing container images.</li>
<li><a href="https://github.com/projectatomic/buildah">buildah</a><br />
A tool which facilitates building OCI container images.</li>
<li><a href="https://github.com/projectatomic/skopeo">skopeo</a><br />
Work with remote image registries - retrieving information, images,
signing content.</li>
<li><a href="https://github.com/jessfraz/img">img</a><br />
Standalone, daemon-less, unprivileged Dockerfile and OCI compatible
container image builder.</li>
<li><a href="https://github.com/blablacar/dgr">dgr</a><br />
Command line utility designed to build and to configure at runtime App
Containers Images (ACI) and App Container Pods (POD) based on convention
over configuration.</li>
<li><a href="https://github.com/P3GLEG/Whaler">Whaler</a><br />
Whaler is designed to reverse engineer a Docker Image into the
Dockerfile that created it.</li>
<li><a href="https://github.com/wagoodman/dive">dive</a><br />
A tool for exploring each layer in a docker image.</li>
<li><a
href="https://github.com/google/go-containerregistry">go-containerregistry</a><br />
Go library and CLIs for working with container registries.</li>
<li><a
href="https://github.com/GoogleContainerTools/kaniko">kaniko</a><br />
Kaniko is a tool to build container images from a Dockerfile, inside a
container or Kubernetes cluster.</li>
<li><a href="https://umo.ci/">umoci</a><br />
Umoci is a tool to manipulate OCI container images, and can be used as a
rudimentary build tool.</li>
<li><a href="https://github.com/christian-korneck/docker-pushrm">docker
pushrm</a><br />
A Docker CLI plugin that lets you push the README.md file from the
current directory to a container registry. Supports Docker Hub, Quay and
Harbor.</li>
</ul>
<h2 id="dashboard">Dashboard</h2>
<ul>
<li><a href="https://lxc-webpanel.github.io/">LXC-Web-Panel</a><br />
Web panel for LXC on Ubuntu.</li>
<li><a href="https://github.com/salihciftci/liman">Liman</a><br />
Basic docker monitoring web application.</li>
<li><a href="https://github.com/portainer/portainer">portainer</a><br />
Lightweight Docker management UI.</li>
<li><a href="https://github.com/swarmpit/swarmpit">swarmpit</a><br />
Lightweight mobile-friendly Docker Swarm management UI.</li>
</ul>
<h2 id="best-practices">Best practices</h2>
<ul>
<li><a href="https://12factor.net/">The Twelve-Factor App</a><br />
The twelve-factor app is a methodology for building
software-as-a-service apps.</li>
<li><a
href="http://docs.projectatomic.io/container-best-practices/">Container
Best Practices</a><br />
A collaborative project to document container-based application
architecture, creation and management from Project Atomic.</li>
</ul>
<h2 id="security">Security</h2>
<h3 id="tools">Tools</h3>
<ul>
<li><a href="https://github.com/docker/docker-bench-security">Docker
bench security</a><br />
The Docker Bench for Security is a script that checks for dozens of
common best-practices around deploying Docker containers in
production.</li>
<li><a
href="https://coreos.com/blog/vulnerability-analysis-for-containers/">CoreOS
Clair</a><br />
Open Source Vulnerability Analysis for your Containers.</li>
<li><a href="https://github.com/jfrazelle/bane">bane</a><br />
Custom AppArmor profile generator for docker containers.</li>
<li><a
href="https://github.com/OpenSCAP/container-compliance">OpenSCAP</a><br />
The OpenSCAP ecosystem provides multiple tools to assist administrators
and auditors with assessment, measurement and enforcement of security
baselines.</li>
<li><a href="https://github.com/zuBux/drydock">drydock</a><br />
Drydock provides a flexible way of assessing the security of your Docker
daemon configuration and containers using editable audit templates.</li>
<li><a href="https://www.aporeto.com/trireme/">trireme</a><br />
Security by segmentation for Docker and Kubernetes.</li>
<li><a href="https://github.com/aelsabbahy/goss">goss</a><br />
Quick and Easy server testing/validation.</li>
<li><a href="https://github.com/buildkite/sockguard">sockguard</a><br />
A proxy for docker.sock that enforces access control and isolated
privileges.</li>
<li><a href="https://github.com/google/gvisor">gvisor</a><br />
gVisor is a user-space kernel, written in Go, that implements a
substantial portion of the Linux system surface. It includes an Open
Container Initiative (OCI) runtime called runsc that provides an
isolation boundary between the application and the host kernel. The
runsc runtime integrates with Docker and Kubernetes, making it simple to
run sandboxed containers.</li>
<li><a
href="https://github.com/google/docker-explorer/">docker-explorer</a><br />
A tool to help forensicate offline docker acquisitions.</li>
<li><a
href="https://github.com/containers/oci-seccomp-bpf-hook">oci-seccomp-bpf-hook</a><br />
OCI hook to trace syscalls and generate a seccomp profile.</li>
</ul>
<h3 id="links">Links</h3>
<ul>
<li><a href="https://benchmarks.cisecurity.org/about/">CIS Security
Benchmarks</a></li>
<li><a
href="https://opensource.com/business/14/7/docker-security-selinux">Are
Docker containers really secure?</a></li>
<li><a
href="https://opensource.com/business/14/9/security-for-docker">Bringing
new security features to Docker</a></li>
<li><a
href="http://www.slideshare.net/jpetazzo/docker-linux-containers-lxc-and-security">Docker,
Linux Containers (LXC), and security</a></li>
<li><a
href="http://www.itworld.com/article/2920349/security/for-containers-security-is-problem-1.html">For
containers, security is problem #1</a></li>
<li><a href="https://mjg59.dreamwidth.org/33170.html">Linux Container
Security</a></li>
<li><a href="https://news.ycombinator.com/item?id=10030868">Ask HN: Best
Linux sandbox?</a></li>
<li><a
href="https://benchmarks.cisecurity.org/tools2/docker/CIS_Docker_1.6_Benchmark_v1.0.0.pdf">CIS
Docker 1.6 Benchmark v1.0.0</a></li>
<li><a
href="https://blog.docker.com/2015/05/understanding-docker-security-and-best-practices/">Understanding
docker security and best practices</a></li>
<li><a
href="https://insights.ubuntu.com/2015/10/15/update-on-ubuntu-phone-security-issue/">Update
on Ubuntu Phone security issue</a></li>
<li><a
href="https://www.lvh.io/posts/dont-expose-the-docker-socket-not-even-to-a-container/">Don't
expose the Docker socket (not even to a container)</a></li>
<li><a
href="http://rhelblog.redhat.com/?s=container&amp;submit=Search">RedHat
Blog</a>
<ul>
<li><a href="https://access.redhat.com/articles/1353593">Introduction to
Linux Containers</a></li>
<li><a
href="http://rhelblog.redhat.com/2015/07/07/whats-next-for-containers-user-namespaces/#more-1004">What's
Next for Containers? User Namespaces</a></li>
<li><a
href="http://rhelblog.redhat.com/2015/07/29/architecting-containers-part-1-user-space-vs-kernel-space/">Architecting
Containers Part 1: Why Understanding User Space vs. Kernel Space
Matters</a></li>
<li><a
href="http://rhelblog.redhat.com/2015/09/17/architecting-containers-part-2-why-the-user-space-matters-2/">Architecting
Containers Part 2: Why the User Space Matters</a></li>
<li><a
href="http://rhelblog.redhat.com/2016/10/17/secure-your-containers-with-this-one-weird-trick/">Secure
Your Containers with this One Weird Trick</a></li>
</ul></li>
<li><a
href="https://diogomonica.com/2017/03/27/why-you-shouldnt-use-env-variables-for-secret-data/">Why
you shouldn't use ENV variables for secret data</a></li>
<li><a
href="http://searchitoperations.techtarget.com/tip/When-to-use-Docker-alternatives-rkt-and-LXD">When
to use Docker alternatives rkt and LXD</a></li>
<li><a href="https://platform.sh/blog/2020/the-container-is-a-lie/">The
container is a lie</a></li>
</ul>
<h3 id="levels-of-security-problems">Levels of security problems</h3>
<ol type="1">
<li>regular application
<ul>
<li>always untrusted -&gt; know it</li>
<li>suid bit -&gt; mount with nosuid</li>
<li>limit available syscalls -&gt; seccomp-bpf, grsec</li>
<li>leak to another container (bug in namespaces, filesystem) -&gt; user
namespaces with a different uid inside for each container: uid 1000
inside each container maps to a different host uid, e.g. 14293 and 15398
outside; security modules like SELinux or AppArmor</li>
</ul></li>
<li>system services like cron, ssh
<ul>
<li>run as root -&gt; isolate via bastion host or vm</li>
<li>using /dev -&gt; “devices” control group<br />
The following device nodes are created in the container by default:
/dev/console, /dev/null, /dev/zero, /dev/full, /dev/tty*, /dev/urandom,
/dev/random, /dev/fuse.<br />
The Docker images are also mounted with nodev, which means that even if
a device node was pre-created in the image, it could not be used by
processes within the container to talk to the kernel.</li>
<li>root calls -&gt; capabilities (cap_sys_admin warning!)<br />
Here is the current list of capabilities that Docker uses: chown,
dac_override, fowner, kill, setgid, setuid, setpcap, net_bind_service,
net_raw, sys_chroot, mknod, setfcap, and audit_write.<br />
Docker removes several of these capabilities including the
following:<br />
CAP_SETPCAP Modify process capabilities<br />
CAP_SYS_MODULE Insert/Remove kernel modules<br />
CAP_SYS_RAWIO Modify Kernel Memory<br />
CAP_SYS_PACCT Configure process accounting<br />
CAP_SYS_NICE Modify Priority of processes<br />
CAP_SYS_RESOURCE Override Resource Limits<br />
CAP_SYS_TIME Modify the system clock<br />
CAP_SYS_TTY_CONFIG Configure tty devices<br />
CAP_AUDIT_WRITE Write the audit log<br />
CAP_AUDIT_CONTROL Configure Audit Subsystem<br />
CAP_MAC_OVERRIDE Ignore Kernel MAC Policy<br />
CAP_MAC_ADMIN Configure MAC Configuration<br />
CAP_SYSLOG Modify Kernel printk behavior<br />
CAP_NET_ADMIN Configure the network<br />
CAP_SYS_ADMIN Catch all</li>
<li>uses /proc, /sys -&gt; remount ro, drop cap_sys_admin; security modules
like SELinux or AppArmor; some parts of these filesystems are
“namespace-aware”<br />
Docker mounts these file systems into the container as “read-only” mount
points:<br />
/sys<br />
/proc/sys<br />
/proc/sysrq-trigger<br />
/proc/irq<br />
/proc/bus</li>
<li>copy-on-write file systems<br />
Docker uses copy-on-write file systems. This means containers can use
the same file system image as the base for the container. When a
container writes content to the image, it gets written to a container
specific file system. This prevents one container from seeing the
changes of another container even if they wrote to the same file system
image. Just as important, one container can not change the image content
to affect the processes in another container.</li>
<li>uid 0 -&gt; user namespaces, uid 0 mapped to a random uid outside</li>
</ul></li>
<li>system services like devices, network, filesystems
<ul>
<li>root -&gt; more of these services should work on the host outside;
isolate sensitive functions, run in a non-privileged context</li>
<li>full privileges -&gt; isolate on kernel level</li>
</ul></li>
<li>kernel drivers, network stack, security policies
<ul>
<li>absolute privileges -&gt; run it in a separate vm</li>
</ul></li>
<li>general, like immutable infrastructure
<ul>
<li>container is ro</li>
<li>write to a small separate rw nosuid part</li>
</ul></li>
</ol>
<p><a
href="http://www.slideshare.net/jpetazzo/docker-linux-containers-lxc-and-security">src</a><br />
<a
href="https://opensource.com/business/14/9/security-for-docker">src</a></p>
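<p>As an added example (not code from this list or from any project it links to), the following Python script audits a container against the hardening points just listed: it decodes the CapEff bitmask from /proc/&lt;pid&gt;/status and compares it with the Docker default capability set quoted above, and it checks /proc/&lt;pid&gt;/mounts for the read-only /sys and /proc/* mount points and for nosuid/nodev on the root filesystem. The status and mounts text in the script is constructed sample input; the capability bit numbering is the kernel's capability.h numbering.</p>

```python
import re

# Capability bit numbers as in the kernel's include/uapi/linux/capability.h.
CAP_NAMES = ["cap_" + n for n in """
    chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap
    linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock
    ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin
    sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write
    audit_control setfcap mac_override mac_admin syslog wake_alarm block_suspend
    audit_read perfmon bpf checkpoint_restore""".split()]

# The Docker default set exactly as the list above quotes it (13 capabilities).
PAGE_DOCKER_DEFAULT_CAPS = {"cap_" + n for n in """chown dac_override fowner kill
    setgid setuid setpcap net_bind_service net_raw sys_chroot mknod setfcap
    audit_write""".split()}

# The cap_sys_admin "catch all" the text warns about, plus the module-loading,
# raw-I/O, network-admin and MAC-policy capabilities it lists as removed.
HIGH_RISK_CAPS = {"cap_sys_admin", "cap_sys_module", "cap_sys_rawio",
                  "cap_net_admin", "cap_mac_admin", "cap_mac_override"}

# Mount points the text says Docker exposes read-only.
EXPECTED_RO_MOUNTS = ("/sys", "/proc/sys", "/proc/sysrq-trigger",
                      "/proc/irq", "/proc/bus")


def decode_capeff(status_text):
    """Return the set of capability names encoded in the CapEff bitmask."""
    match = re.search(r"^CapEff:\s*([0-9a-fA-F]+)$", status_text, re.M)
    if not match:
        raise ValueError("no CapEff line in status text")
    mask = int(match.group(1), 16)
    caps = set()
    for bit in range(mask.bit_length()):
        if mask >> bit & 1:
            # Bits past the known table (a newer kernel) are reported by number.
            caps.add(CAP_NAMES[bit] if bit < len(CAP_NAMES) else f"cap_{bit}")
    return caps


def audit_caps(status_text):
    """List capabilities granted beyond the page's Docker default set."""
    extra = decode_capeff(status_text) - PAGE_DOCKER_DEFAULT_CAPS
    findings = [f"high-risk capability granted: {c}"
                for c in sorted(extra & HIGH_RISK_CAPS)]
    findings += [f"capability beyond Docker default set: {c}"
                 for c in sorted(extra - HIGH_RISK_CAPS)]
    return findings


def parse_mounts(mounts_text):
    """Map mount point -> set of mount options from /proc/<pid>/mounts lines."""
    mounts = {}
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) >= 4:
            mounts[fields[1]] = set(fields[3].split(","))
    return mounts


def audit_mounts(mounts_text):
    """Check the read-only masks and the nosuid/nodev flags on the rootfs."""
    mounts = parse_mounts(mounts_text)
    findings = []
    for path in EXPECTED_RO_MOUNTS:
        opts = mounts.get(path)
        if opts is None:
            findings.append(f"{path} is not masked by its own mount")
        elif "ro" not in opts:
            findings.append(f"{path} is mounted read-write")
    root_opts = mounts.get("/", set())
    for flag in ("nosuid", "nodev"):
        if flag not in root_opts:
            findings.append(f"root filesystem lacks {flag}")
    return findings


# Constructed sample: the page's 13 default capabilities (mask a80425eb) plus
# CAP_SYS_ADMIN (bit 21), as if the container ran with --cap-add SYS_ADMIN.
SAMPLE_STATUS = "Name:\tsh\nUid:\t0\t0\t0\t0\nCapEff:\t00000000a82425eb\n"
# Constructed sample: /proc/sys left writable, rootfs without nosuid/nodev.
SAMPLE_MOUNTS = """\
overlay / overlay rw,relatime,lowerdir=/var/lib/docker/overlay2/l/EXAMPLE 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
sysfs /sys sysfs ro,nosuid,nodev,noexec,relatime 0 0
proc /proc/bus proc ro,nosuid,nodev,noexec,relatime 0 0
proc /proc/irq proc ro,nosuid,nodev,noexec,relatime 0 0
proc /proc/sys proc rw,nosuid,nodev,noexec,relatime 0 0
proc /proc/sysrq-trigger proc ro,nosuid,nodev,noexec,relatime 0 0
"""

if __name__ == "__main__":
    # On a live container, read /proc/self/status and /proc/self/mounts instead.
    for finding in audit_caps(SAMPLE_STATUS) + audit_mounts(SAMPLE_MOUNTS):
        print(finding)
```

<p>A clean result is an empty findings list; anything else is a deviation from the defaults described above and worth explaining in the deployment's threat model.</p>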
<h3 id="technologies-for-security">Technologies for security</h3>
<p>Things are better. For example, most modern container technologies
can make use of Linux's built-in security tools such as:<br />
<a href="http://wiki.apparmor.net/index.php/Main_Page">AppArmor</a>, <a
href="http://selinuxproject.org/page/Main_Page">SELinux</a> and <a
href="http://man7.org/linux/man-pages/man2/seccomp.2.html">Seccomp</a>
policies;<br />
<a href="https://grsecurity.net/">Grsecurity</a>;<br />
<a
href="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Resource_Management_Guide/ch01.html">Control
groups (cgroups)</a>;<br />
<a href="http://man7.org/linux/man-pages/man7/namespaces.7.html">Kernel
namespaces</a><br />
<a
href="http://www.itworld.com/article/2920349/security/for-containers-security-is-problem-1.html">src</a></p>
<p>Sure, you're deploying seccomp, but you can't use SELinux inside your
container, because the policy isn't per-namespace (?? LXC uses AppArmor
for each container…)<br />
<a href="http://selinuxproject.org/page/SVirt">sVirt</a> - selinux for
kvm<br />
<a href="https://mjg59.dreamwidth.org/33170.html">src</a></p>
<p>Major kernel subsystems are not namespaced, like:</p>
<ul>
<li>SELinux</li>
<li>cgroups</li>
<li>file systems under /sys</li>
<li>/proc/sys, /proc/sysrq-trigger, /proc/irq, /proc/bus</li>
</ul>
<p>Devices are not namespaced:</p>
<ul>
<li>/dev/mem</li>
<li>/dev/sd* file system devices</li>
<li>kernel modules</li>
</ul>
<p>If you can communicate with or attack one of these as a privileged
process, you can own the system.<br />
<a
href="https://opensource.com/business/14/7/docker-security-selinux">src</a></p>
<h2 id="another-information-sources">Another Information Sources</h2>
<ul>
<li><a
href="https://github.com/draios/sysdig-container-ecosystem">sysdig-container-ecosystem</a><br />
The ecosystem of awesome new technologies emerging around containers and
microservices can be a little overwhelming, to say the least. We thought
we might be able to help: welcome to the Container Ecosystem
Project.</li>
<li><a href="http://doger.io/">doger.io</a><br />
This page is an attempt to document the ins and outs of containers on
Linux. This is not just restricted to programmers looking to implement
containers or use container like features in their own code but also
Sysadmins and Users who want to get more of a handle on how containers
work under the hood.</li>
</ul>
<p><a
href="https://github.com/Friz-zy/awesome-linux-containers">linuxcontainers.md
Github</a></p>