This month I had the opportunity to present at my local Defcon 44131 chapter about containers and Linux namespaces.
The goal of the talk was for me to investigate the underlying technology that makes containers work, specifically Linux namespaces and cgroups. I had watched a few talks on this topic before, but I wanted to get a deeper understanding myself and share that with others.
Due to time constraints I focused on the core concepts and shared the main ideas through slides.
Slides
Key takeaways from the talk
The closing section of the talk boils down to a few points:
- Containers provide isolation, not magic security. Know the difference.
- Namespaces and cgroups are powerful, but everything still shares the same kernel.
- Chroot is a useful tool, not a security feature.
- Defence in depth matters; combine multiple layers and controls.
- Trust levels matter; do not run untrusted code in a standard container and assume you are safe.
- Use VM based containers or stronger sandboxes when you need higher assurance boundaries.
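As an added illustration of the second takeaway (example code written for this post, not taken from the slides or any project), the following C program moves a child process into a new user and UTS namespace, renames the host there, and then checks that the parent's hostname is untouched while both sides still report the same kernel release. It assumes Linux and a C compiler; on a host that refuses unprivileged user namespaces, unshare() fails and the program reports that rather than crashing.

```c
#define _GNU_SOURCE
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/utsname.h>
#include <sys/wait.h>

struct child_report { int unshared; char release[65]; char hostname[65]; }; /* child -> parent */
/* Flags derived by the demo, 1 = true. Isolation = child_saw_own_hostname && parent_hostname_intact. */
struct ns_demo { int unshared, child_saw_own_hostname, parent_hostname_intact, same_kernel; };

/* Fork a child, move it into a new user + UTS namespace, rename the host there and
 * compare both views. Returns 0 on success, -1 if pipe/fork/uname themselves fail. */
int run_uts_demo(struct ns_demo *out)
{
    int fd[2]; struct utsname before, after; struct child_report rep = {0};
    *out = (struct ns_demo){0};
    if (pipe(fd) == -1 || uname(&before) == -1) return -1;
    pid_t pid = fork();
    if (pid == -1) return -1;
    if (pid == 0) {
        /* CLONE_NEWUSER makes the child "root" in its own user namespace, which is what
         * lets it take CLONE_NEWUTS without real privilege; a hardened host may refuse. */
        rep.unshared = unshare(CLONE_NEWUSER | CLONE_NEWUTS) == 0 && sethostname("sandbox", 7) == 0;
        uname(&before);                               /* re-read: the child's own view */
        strncpy(rep.release, before.release, sizeof rep.release - 1);
        strncpy(rep.hostname, before.nodename, sizeof rep.hostname - 1);
        _exit(write(fd[1], &rep, sizeof rep) == (ssize_t)sizeof rep ? 0 : 1);
    }
    close(fd[1]); ssize_t n = read(fd[0], &rep, sizeof rep);  /* one write < PIPE_BUF: atomic */
    close(fd[0]); waitpid(pid, NULL, 0);
    if (n != (ssize_t)sizeof rep || uname(&after) == -1) return -1;
    out->unshared = rep.unshared;
    out->child_saw_own_hostname = rep.unshared && strcmp(rep.hostname, "sandbox") == 0;
    out->parent_hostname_intact = strcmp(after.nodename, before.nodename) == 0;  /* isolation */
    out->same_kernel = strcmp(rep.release, before.release) == 0;                 /* shared kernel */
    return 0;
}

int main(void)
{
    struct ns_demo d;
    if (run_uts_demo(&d) != 0) return 1;
    printf("new namespace: %d  hostname isolated: %d  same kernel: %d\n", d.unshared,
           d.child_saw_own_hostname && d.parent_hostname_intact, d.same_kernel);
    return 0;
}
```

Whatever the namespace outcome, the kernel release never changes: that is the shared kernel every container on the host depends on.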
References and further reading
Here are some useful links to dive deeper:
- Docker Security Best Practices
- Linux Namespaces Man Page
- Understanding Container Security
- Kata Containers - VM-based container runtime
- gVisor - Application kernel for containers