Module Review: Security Optimization

[!NOTE] This module reviews the core principles of security optimization, deriving solutions from first principles and hardware constraints to build world-class, production-ready expertise.

1. Key Takeaways

  • Rootless Mode: Use User Namespaces to map container root to an unprivileged host user. This neutralizes container escapes: a process that breaks out of the container runs as that unprivileged user on the host.
  • Kernel Hardening: Use Seccomp to filter syscalls (reduce kernel attack surface) and AppArmor to restrict file/network access.
  • Supply Chain: Always scan images for CVEs using Trivy or Docker Scout. Generate SBOMs.
  • Minimalism: Use Distroless or Alpine images. Removing the shell (as Distroless images do) prevents attackers from running shell commands even if they get in.
  • DoS Prevention: Always set Memory and CPU limits. Understand that the OOM Killer destroys containers that exceed RAM limits.

2. Interactive Flashcards

Test your knowledge of container security.

What is the primary benefit of User Namespaces?

Privilege Reduction

They map the container's root user (UID 0) to a non-privileged user (e.g., UID 100000) on the host. If an attacker escapes, they have no power on the host.

Which kernel feature limits Memory and CPU usage?

Cgroups (Control Groups)

Cgroups track and limit the resource usage of a group of processes, preventing DoS attacks.

What does Seccomp filter?

System Calls

Seccomp acts as a firewall for the kernel, blocking dangerous syscalls like reboot or keyctl from being called by the container.

Why are Distroless images more secure?

Smaller Attack Surface

They lack a shell (/bin/sh) and package manager. Even if an attacker executes code (RCE), they cannot run shell commands or install malware.

What is an OOM Kill?

Out of Memory Kill

When a container exceeds its hard memory limit, the kernel abruptly kills the process to reclaim RAM.


3. Security Cheat Sheet

| Command | Description |
|---|---|
| trivy image <img_name> | Scan image for CVEs. |
| docker run --cpus="0.5" --memory="512m" | Set hard resource limits. |
| docker run --security-opt seccomp=profile.json | Apply custom syscall filter. |
| docker run --read-only | Mount root filesystem as Read-Only. |
| docker run --cap-drop ALL | Drop all Linux Capabilities. |
| sysctl net.ipv4.ip_unprivileged_port_start=0 | Allow rootless port binding < 1024. |

4. Next Steps

Now that your containers are secure, let's look at what happens inside them.

Module 08: Docker Internals & Architecture