I’d rather not start in on a whole ‘nother “Docker is insecure” rant. It is, we know it, we can stipulate to the fact. We’re certainly doing our part to help, but a recent presentation by Frank Chen and Brennan Saeta from Coursera has some good insights.

The technique basically came down to a set of defensive resource limits on each container, so that a hostile or runaway workload exhausts its own allowance rather than the host. Not perfect, but usable:

  • CPU quotas, memory limits and swap limits for Docker/cgroups
  • Hard timeouts for container execution
  • btrfs limits, including file system quotas and IOPS throttling
  • Open file limits per container
  • nproc process limits
  • Kernel memory limited per cgroup
  • Execution time limits
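As an added illustration, not code from the Coursera talk or from this post, here is how the limits in that list map onto real Docker CLI flags, wrapped in a host-side hard timeout. The image name, block device path and the numeric limits are assumed values; `timeout` is the GNU coreutils command; `--storage-opt size=` only works with a storage driver that supports quotas (btrfs, or overlay2 on xfs mounted with pquota), and the old `--kernel-memory` flag is deprecated and dropped under cgroup v2, so it is left out:

```shell
#!/bin/sh
# Added example: per-container resource limits plus a host-side hard timeout.
# Flag names are real Docker CLI flags; IMAGE, DISK_DEV and the limit values are
# assumptions chosen for illustration.

IMAGE="${SANDBOX_IMAGE:-alpine:3.19}"   # assumed image to run untrusted code in
DISK_DEV="${SANDBOX_DEV:-/dev/sda}"     # assumed block device to throttle IOPS on

# Emit the `docker run` arguments that enforce the limits, one per line.
# Kept in a function so the flag set can be inspected (and tested) without
# talking to a Docker daemon.
sandbox_args() {
  cat <<EOF
--rm
--network=none
--read-only
--cpus=0.5
--memory=256m
--memory-swap=256m
--pids-limit=64
--ulimit nofile=256:256
--ulimit nproc=64:64
--device-read-iops=$DISK_DEV:100
--device-write-iops=$DISK_DEV:100
--storage-opt size=512m
--cap-drop=ALL
--security-opt=no-new-privileges
EOF
}
# Notes on the choices above:
#   --memory-swap equal to --memory disables swap for the container entirely.
#   --pids-limit is the cgroup pids controller; --ulimit nproc is the classic
#   per-user RLIMIT and is kept as belt-and-braces.
#   --storage-opt size= requires a quota-capable storage driver (btrfs, or
#   overlay2 on xfs with pquota); Docker refuses the flag otherwise.

# GNU timeout returns 124 on expiry, or 137 when it had to send SIGKILL.
is_timeout_rc() {
  [ "$1" -eq 124 ] || [ "$1" -eq 137 ]
}

# Run COMMAND inside the sandbox with a hard wall-clock limit of LIMIT seconds.
# `timeout` only kills the docker client; the container keeps running after
# the client dies, so it gets a known name and is force-removed afterwards.
run_sandboxed() {
  limit="$1"; shift
  name="sandbox-$$-$(date +%s)"
  rc=0
  # shellcheck disable=SC2046  # word splitting of sandbox_args is intended
  timeout -s KILL "$limit" docker run --name "$name" $(sandbox_args) "$IMAGE" "$@" || rc=$?
  docker rm -f "$name" >/dev/null 2>&1 || true
  if is_timeout_rc "$rc"; then
    echo "sandbox: killed after ${limit}s" >&2
  fi
  return "$rc"
}

# Usage: sh sandbox.sh run <command...>   e.g.  sh sandbox.sh run sh -c 'yes > /dev/null'
if [ "${1:-}" = "run" ]; then
  shift
  run_sandboxed 10 "$@"
fi
```

The network flag is stricter than the talk describes (they deny offending hosts rather than cutting the network entirely), so relax `--network=none` if the workload legitimately needs outbound access.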

For network attacks, they deny access from the offending host, supplemented by security monitoring and regular pen-testing.

How they did it is not that difficult, and it’s worth a read, here.

Alex Eckelberry