10 Security container isolation

This chapter covers

  • All Linux security features used to keep containers isolated from each other
  • Read-only access to kernel filesystems that processes within a container need to read but must be blocked from writing
  • Masking of kernel filesystems to hide host-system information from processes within a container
  • Linux capabilities limiting the power of root
  • The PID, IPC and network namespaces, which hide most of the operating system from processes within containers
  • The mount namespace, which together with SELinux limits the container processes’ access to only the designated image and volumes
  • The user namespace, which allows you to run processes that are root inside a container but are not root outside of it

In this chapter and chapter ...
