Show Table of Contents Hide Table of Contents English English 日本語 Multi-page HTML Single-page HTML PDF ePub Container Security Guide1. Overview2. Building and Securing Containers3. Keeping Containers Fresh and Updateable3.1. Never Put Naked Pulls in FROM Instructions3.2. Using Docker Caching to Your Advantage3.2.1. Order Instructions to Take Advantage of Caching3.2.2. Deliberately Break Caching In Some Situations3.3. Ensuring the Provenance of Containers3.4. Leveraging Kubernetes and OpenShift to Ensure that Containers are Immutable3.4.1. Ways to Leverage Kubernetes and OpenShift3.4.2. Leveraging Kubernetes to Ensure that Containers Do Not Store Secrets or Sensitive Information4. Container Analysis Tools4.1. Atomic Command5. Locked-down, secure Firefox in a container6. Docker SELinux Security Policy6.1. MCS - Multi-Category Security6.2. Leveraging the Docker SELinux Security Model7. Container Security Practices7.1. Dropping Kernel Capabilities7.2. Dropping Root7.3. Exercise care in using the --privileged flag.7.4. suid Content7.5. tmpfile7.6. Do not bind the docker service to a TCP port8. Linux Capabilities and Seccomp8.1. Linux Capabilities8.2. Limiting syscalls with seccompLegal Notice Container Security Guide Red Hat Enterprise Linux Atomic Host 7Container Security Guide Red Hat Atomic Host Documentation Team firstname.lastname@example.org Legal NoticeAbstract Building secure containers, security analysis of containers, containers and SELinux 1. Overview Where did the comment section go?Red Hat's documentation publication system recently went through an upgrade to enable speedier, more mobile-friendly content. We decided to re-evaluate our commenting platform to ensure that it meets your expectations and serves as an optimal feedback mechanism. During this redesign, we invite your input on providing feedback on Red Hat documentation via the discussion platform.