Resources on Red Hat Container Security

Red Hat has the unique ability to provide consistent security across all aspects of container build, run, and deployment environments. The foundation of Red Hat’s container security model is Red Hat Enterprise Linux. The documentation, articles, webinars and videos described here expand on Red Hat’s container security story.

Documentation on Container Security

  • The OpenShift Container Security guide provides a high-level walk-through of the container security measures available in OpenShift Container Platform, from the host layer to the container and orchestration layer to the user build and application layer.

  • Managing Security Context Constraints covers how administrators can control permissions for container pods running in OpenShift. The OpenShift Container Platform Architecture also describes Security Context Constraints.

  • Configuring Custom Certificates describes how to add your own certificates. These certificates are used for authentication associated with the web console and API calls.

  • OpenShift and SELinux illustrates how SELinux policies make OpenShift more secure.

  • Running Super Privileged Containers describes how to use the atomic command to run containers specially configured to access the following items:

    • Files
    • Network interfaces
    • Inter-process communications
    • Other privileges from the host system

  • Signing Container Images describes how Red Hat is using GPG technology to sign, verify and set trust policies for validating and accepting container images.

  • In Linux Capabilities and Seccomp, you can learn how to use the docker run command line to open access from images to Linux capabilities and kernel system calls on the host system.

Articles on Container Security

  • In Are Docker containers really secure?, Red Hat security expert Dan Walsh describes the advantages of basing your containers on Red Hat Enterprise Linux (RHEL) and using RHEL as your container platform. RHEL makes the container environment more secure by providing these features:

    • A trusted repository from which you can download software

    • Security updates to fix vulnerabilities

    • A security response team to find and manage vulnerabilities

    • A team of engineers to manage and maintain packages and work on security enhancements

    • Common Criteria Certification to check the security of the operating system

  • The article Bringing new security features to Docker describes how RHEL uses these specific Linux features to secure containers:

    • Read-only filesystems within containers: Allow containers to access needed features from the host’s kernel without being able to change the kernel.

    • Copy-on-write filesystems: Allow multiple containers to share the same base image without the containers being able to see each other's changes.

    • Linux Capabilities: Let you run containers with full access to the host system (privileged) or limited access (unprivileged). Capabilities can then selectively add or remove privileges, including those that let you change file ownership, kill processes, and more.

    • Namespaces: Provide features to separate a containerized application from the host operating system. Namespaces include process table, mount table, network interfaces, IPC, and others.

    • SELinux: Incorporates a Mandatory Access Control system to prevent containers from compromising the host system or other containers.

  • Docker security in the future provides real-world use cases for working with user namespaces and system call permissions (seccomp) for containers.

  • As described in Creating Custom Seccomp Setting for Docker Daemon, by using a custom seccomp.json file that is picked up by the docker daemon, you can change the access that images running on that system have to the host system.

  • In OpenShift, you can modify Seccomp and other settings by applying Security Context Constraints to Service Accounts.

  • How to determine the host capabilities you need in a container is described in What capabilities do I really need in my containers?.

  • Practical SELinux and Containers shows examples of how to use SELinux and various security options on docker run command lines.

  • Tightening Up SELinux Policy for Containers describes how SELinux policies for containers limit access to host files on RHEL systems.

  • In SELinux Mitigates Container Vulnerability, Dan Walsh presents specific ways in which SELinux protects host file systems and networks from attacks by malicious containers.

  • What does --selinux-enabled do? explains how the --selinux-enabled option to the docker daemon causes the daemon to set SELinux labels on containers to restrict access to and from those containers.

  • In Secure Your Containers with this One Weird Trick, you learn to use Linux Capabilities to independently enable and disable privileges for a container.

  • OpenShift Security Information describes security policies in place for different OpenShift platforms.

  • Container Tidbits: The Tenancy Scale compares the security of processes running containerized to those running uncontainerized.

  • The atomic scan command lets you scan container images for security vulnerabilities. Introducing atomic scan describes how this command works. Creating a custom atomic scan plug-in explains how to create a plug-in for atomic scan.

Videos on Container Security

Webinars on Container Security

How to enhance your container security, hosted by Red Hat's Timothy Hunt, helps you learn about the following topics:

  • What the container security model is

  • How to build a secure container infrastructure

  • How to create and deploy secure container images

  • How technologies and processes maintain the security of containerized applications