by yid
3590 days ago
You guys are doing a great job! Some security-related sandboxing options to docker run that people may not be aware of, which are hard to assemble individually from Linux pieces:
* --read-only
* --security-opt="no-new-privileges"
* --cap-drop=ALL
* --net="none"
* --cpu-period=
* --cpu-quota=
There is also --pids-limit=<some number> against fork bombs.
EDIT - this git repo has more links to security-related articles etc. https://github.com/wsargent/docker-cheat-sheet#security
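An added example, not part of the thread: one way to check which of the flags listed in the comments above a container was actually started with, by reading the HostConfig section of `docker inspect` output. The two container records are constructed sample data, and the function names are made up for this example.

```python
import json

# Constructed sample: trimmed `docker inspect` output for two containers.
SAMPLE_INSPECT = json.loads("""
[
 {"Name": "/hardened", "HostConfig": {"ReadonlyRootfs": true,
   "SecurityOpt": ["no-new-privileges"], "CapDrop": ["ALL"], "CapAdd": null,
   "NetworkMode": "none", "CpuPeriod": 100000, "CpuQuota": 50000,
   "PidsLimit": 64}},
 {"Name": "/default", "HostConfig": {"ReadonlyRootfs": false,
   "SecurityOpt": null, "CapDrop": null, "CapAdd": null,
   "NetworkMode": "bridge", "CpuPeriod": 0, "CpuQuota": 0,
   "PidsLimit": null}}
]
""")


def missing_hardening(container):
    """Return the docker run flags from the thread that this container lacks."""
    hc = container.get("HostConfig") or {}
    sec_opts = [o.lower() for o in (hc.get("SecurityOpt") or [])]
    cap_drop = [c.upper() for c in (hc.get("CapDrop") or [])]
    checks = [
        ("--read-only", hc.get("ReadonlyRootfs") is True),
        ("--security-opt=no-new-privileges",
         any(o in ("no-new-privileges", "no-new-privileges:true",
                   "no-new-privileges=true") for o in sec_opts)),
        ("--cap-drop=ALL", "ALL" in cap_drop),
        ("--net=none", hc.get("NetworkMode") == "none"),
        # A quota of 0 means no CFS limit; the period alone limits nothing.
        ("--cpu-quota", (hc.get("CpuQuota") or 0) > 0),
        # null, 0 and -1 all mean an unlimited process count.
        ("--pids-limit", (hc.get("PidsLimit") or 0) > 0),
    ]
    return [flag for flag, ok in checks if not ok]


def audit(inspect_output):
    """Map container name -> list of missing flags."""
    return {c["Name"].lstrip("/"): missing_hardening(c) for c in inspect_output}


if __name__ == "__main__":
    for name, missing in audit(SAMPLE_INSPECT).items():
        print(name, "OK" if not missing else "missing: " + ", ".join(missing))
```

On a real host the input would be the parsed JSON from `docker inspect` over the running container IDs. The check does not look at CapAdd, so capabilities added back after `--cap-drop=ALL` need a separate review.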