1. Docker Security Rahul Sharma

2. Our Problem Sandboxing user coding assessments : Compile / Run different languages Allow to extract result Control network access(internet access) Control folder access

3. Linux Namespaces

4.  IPC  Network  Mount  PID  UTS  USER In v1 the user namespace is not enabled by default for support of older kernels where the user namespace feature is not fully implemented.

5. Linux Capabilities Capability Enabled CAP_NET_RAW1 CAP_NET_BIND_SERVICE1 CAP_AUDIT_WRITE1 CAP_DAC_OVERRIDE1 CAP_SETFCAP1 CAP_SETPCAP1 CAP_SETGID1 CAP_SETUID1 CAP_MKNOD1 CAP_CHOWN1 CAP_FOWNER1 CAP_FSETID1 CAP_KILL1 CAP_SYS_CHROOT1 CAP_NET_BROADCAST0 CAP_SYS_MODULE0 CAP_WAKE_ALARM0 CAP_BLOCK_SUSPE0

6. Linux Capabilities Capability Enabled CAP_SYS_RAWIO0 CAP_SYS_PACCT0 CAP_SYS_ADMIN0 CAP_SYS_NICE0 CAP_SYS_RESOURCE0 CAP_SYS_TIME0 CAP_SYS_TTY_CONFIG0 CAP_AUDIT_CONTROL0 CAP_MAC_OVERRIDE0 CAP_MAC_ADMIN0 CAP_NET_ADMIN0 CAP_SYSLOG0 CAP_DAC_READ_SEARCH0 CAP_LINUX_IMMUTABLE0 CAP_IPC_LOCK0 CAP_IPC_OWNER0 CAP_SYS_PTRACE0 CAP_SYS_BOOT0 CAP_LEASE0

7. Additional Security AppArmor SELinux GRSEC

8. The Approach --user --cap-drop NET_RAW --volume /candidate_code:/container_loc --cpuset --memory Add limits to docker.conf limit nproc 20 100 limit nofile 50 100 limit fsize 102400000 204800000

9. + The Approach

10. Thank you !!! Email : rahul0208@gmail.comrahul0208@gmail.com Blog : devlearnings.wordpress.com