Awesome Linux Containers

#StandWithBelarus Stand With Ukraine


Table of Contents

About the Author

Hello, everyone! My name is Filipp, and I have been working with high-load distributed systems and services, security, monitoring, continuous deployment and release management (the DevOps domain) since 2012.

One of my passions is developing DevOps solutions and contributing to the open-source community. By sharing my knowledge and experiences, I strive to save time for both myself and others while fostering a culture of collaboration and learning.

I had to leave my home country, Belarus, due to my participation in protests against the oppressive regime of dictator Lukashenko, who maintains a close affiliation with Putin. Since then, I have been trying to build my life from zero in other countries.

If you are seeking a skilled DevOps lead or architect to enhance your project, I invite you to connect with me on LinkedIn or explore my valuable contributions on GitHub. Let's collaborate and create some cool solutions together :)

Foundations

Specifications

Clouds

Operating Systems

Hypervisors

Containers

Sandboxes

Partial Access

Filesystem

Dashboard

Best practices

Security

Tools

Levels of security problems

  1. regular applications
  2. system services like cron, ssh
  3. system services like devices, network, filesystems
  4. kernel drivers, network stack, security policies
  5. general, like immutable infrastructure

src
src

Technologies for security

Things are better. For example, most modern container technologies can make use of Linux's built-in security tools such as:
AppArmor, SELinux and Seccomp policies;
Grsecurity;
Control groups (cgroups);
Kernel namespaces
src

Sure, you're deploying seccomp, but you can't use SELinux inside your container, because the policy isn't per-namespace (?? LXC uses AppArmor for each container...)
sVirt - SELinux for KVM
src

Major kernel subsystems are not namespaced like:

Devices are not namespaced:

If you can communicate or attack one of these as a privileged process, you can own the system.
src
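As an added example (not code from this list or the quoted sources), the Python script below reports, from inside a container, which of the mechanisms quoted above (seccomp, an AppArmor or SELinux label, the capability bounding set, namespaces) actually apply to the calling process, by parsing the files the kernel exposes under /proc. The embedded /proc/<pid>/status sample is constructed for offline use.

```python
"""Check which kernel security mechanisms apply to the calling process.
Added example, not code from the Awesome Linux Containers list."""
import os
import re

SECCOMP_MODES = {"0": "disabled", "1": "strict", "2": "filter"}
NAMESPACES = ("cgroup", "ipc", "mnt", "net", "pid", "user", "uts")
# Constructed sample of /proc/<pid>/status fields for offline testing; the
# CapBnd value mimics a typical default container bounding set (14 caps).
SAMPLE_STATUS = "Name:\tnginx\nCapBnd:\t00000000a80425fb\nNoNewPrivs:\t1\nSeccomp:\t2\n"

def parse_status(status_text):
    """Seccomp mode, NoNewPrivs flag and bounding-set size from /proc/<pid>/status."""
    fields = {}
    for line in status_text.splitlines():
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    return {
        "seccomp": SECCOMP_MODES.get(fields.get("Seccomp", "0"), "unknown"),
        "no_new_privs": fields.get("NoNewPrivs") == "1",
        # CapBnd is a hex bitmask: one set bit per capability still permitted.
        "cap_bnd_count": bin(int(fields.get("CapBnd", "0"), 16)).count("1"),
    }

def parse_lsm_label(attr_current):
    """Interpret /proc/<pid>/attr/current: AppArmor writes '<profile> (mode)',
    SELinux writes a context such as 'system_u:system_r:container_t:s0:c1,c2'."""
    label = attr_current.strip("\0\n ")
    if label in ("", "unconfined"):
        return "no LSM confinement"
    if re.fullmatch(r"\S+ \((enforce|complain|kill|unconfined)\)", label):
        return "apparmor: " + label
    if label.count(":") >= 3:
        return "selinux: " + label
    return "unknown LSM label: " + label

def inspect_self():
    """Build the report for the current process on a live Linux system."""
    with open("/proc/self/status") as f:
        report = parse_status(f.read())
    try:
        with open("/proc/self/attr/current") as f:
            report["lsm"] = parse_lsm_label(f.read())
    except OSError:  # no LSM, or the runtime masked /proc/<pid>/attr
        report["lsm"] = "attr/current not readable"
    # Namespace inode ids, e.g. 'net:[4026531840]'; equal ids mean a shared namespace.
    report["namespaces"] = {ns: os.readlink(f"/proc/self/ns/{ns}")
                            for ns in NAMESPACES if os.path.exists(f"/proc/self/ns/{ns}")}
    return report
```

Run `inspect_self()` inside and outside a container and compare the reports: a filter-mode seccomp, a confining LSM label and distinct namespace ids are what the quoted technologies look like when they are actually in effect.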

Other Information Sources