
How to Secure Docker Containers with Namespaces and Cgroups

This guide explains Docker's Namespace and Cgroup mechanisms, shows how to configure them to limit resources and isolate containers, and demonstrates practical commands for protecting container security while highlighting their limitations.

dbaplus Community

Docker isolates containers using Linux namespaces for environment separation and cgroups for resource limitation, but many deployments neglect these features, creating security risks.

1. Namespace Overview

Namespaces give a process a view of only a subset of system resources, isolating process trees, network stacks, and mount tables from one another. Common namespace types include IPC, network, mount, PID, user, and UTS, each created with a clone flag such as CLONE_NEWNET or CLONE_NEWPID. docker run exposes these through options such as --ipc, --pid, --userns, and --uts, which control whether a container gets its own namespace of that type or shares one (for example the host's).

Identify Docker Daemon User

By default the Docker daemon runs as root; use ps aux | grep docker to verify. Unless told otherwise, processes inside a container also run as root, and that root is the host's root as far as the kernel is concerned. Any host directory mounted into the container as a volume is therefore writable by it.

Example: Deleting Host Files from a Container

sudo cp /bin/touch /bin/touch.bak && ls -lha /bin/touch.bak

Mount the host /bin into a container and remove the backup:

docker run -it -v /bin/:/host/ alpine rm -f /host/touch.bak

The file is removed: root inside the container had full rights over the mounted host directory, which is the risk of running containers as root.

Mitigation: Run as Non-Root User

docker run --user=1000:1000 --rm alpine id

Running as an unprivileged user prevents deletion of host binaries: repeating the rm command above with --user=1000:1000 fails with a permission-denied error, because UID 1000 does not own /bin/touch.bak.

Enable User Namespace Remapping

Configure the daemon with userns-remap in /etc/docker/daemon.json and restart Docker:

curl https://gist.githubusercontent.com/BenHall/.../daemon.json -o /etc/docker/daemon.json && sudo service docker restart

Verify with docker info | grep "Root Dir". After enabling, Docker stores its data under a directory named for the remapped user, and root (UID 0) inside a container is mapped to an unprivileged UID on the host, so the container's root has no special rights over host files.
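The two mitigations above (a non-root --user and userns-remap) both come down to which host UID a container process ends up with. The following shell script is an added example, not code from the original article: it checks whether a daemon.json enables userns-remap and computes the host UID that a container UID maps to for a given subordinate UID range. The daemon.json content and the range 100000:65536 are constructed sample values; the helper names are assumptions, not a Docker API.

```shell
#!/bin/sh
# Added example (not from the original article): check a daemon.json for
# userns-remap and show where a container UID lands on the host once remapping
# is active. Sample config and subuid range are constructed values.

# Return 0 if the daemon config at $1 sets "userns-remap" to a non-empty value.
userns_remap_enabled() {
    grep -Eq '"userns-remap"[[:space:]]*:[[:space:]]*"[^"]+"' "$1"
}

# $1 is the subordinate range "<base>:<count>" allotted to the remap user in
# /etc/subuid (e.g. 100000:65536), $2 is a UID inside the container. Prints the
# host UID the kernel maps it to; prints nothing and returns 1 if $2 is outside
# the allotted range (such a UID is simply unmapped, i.e. "nobody" on the host).
host_uid_for() {
    base=${1%%:*}
    count=${1#*:}
    cuid=$2
    if [ "$cuid" -ge "$count" ]; then
        return 1
    fi
    echo $((base + cuid))
}

# Demonstration on constructed input; runs without a Docker daemon.
demo() {
    tmp=$(mktemp)
    printf '{\n  "userns-remap": "default"\n}\n' > "$tmp"
    if userns_remap_enabled "$tmp"; then
        echo "userns-remap is enabled in $tmp"
    fi
    rm -f "$tmp"

    # Container root (UID 0) becomes host UID 100000 with a 100000:65536 range,
    # so it cannot delete a root-owned file such as /bin/touch.bak.
    echo "container uid 0    -> host uid $(host_uid_for 100000:65536 0)"
    echo "container uid 1000 -> host uid $(host_uid_for 100000:65536 1000)"
}
demo
```

The range to pass to host_uid_for is the one recorded for the remap user in /etc/subuid on the host; with the "default" setting Docker creates a user named dockremap for this purpose.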

2. CGroup Overview

Cgroups (control groups) allocate resources such as CPU, memory, and I/O to groups of processes. They provide four kinds of function: resource limiting, prioritization, accounting, and control (for example freezing or restarting a group).

Common CGroup Options

--cpu-shares: Relative CPU weight

--cpuset-cpus: Specific CPUs to use

--memory, --memory-reservation: Memory limits

--blkio-weight: Block I/O weighting

Example: Memory Limit

docker run -d --name mb100 --memory 100m alpine top

Check usage with docker stats --no-stream.

Example: CPU Shares

docker run -d --name c768 --cpuset-cpus 0 --cpu-shares 768 benhall/stress
docker run -d --name c256 --cpuset-cpus 0 --cpu-shares 256 benhall/stress
sleep 5
docker stats --no-stream

Because both containers are pinned to CPU 0, they compete for the same core, and CPU time is divided in proportion to their share values: c768 receives the larger portion while both are busy. Shares only matter under contention; an idle core is available to either container in full.
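To see what these flags actually set, the following shell script is an added example, not part of the original article. It converts the --memory size syntax to bytes, reads a cgroup's memory limit from either the cgroup v2 file (memory.max) or the cgroup v1 file (memory/memory.limit_in_bytes), computes the CPU split that two --cpu-shares values imply under contention, and applies runc's conversion of a v1 share value to a v2 cpu.weight. The directory layout it reads is a constructed sample in a temporary directory, so it runs without a Docker daemon; function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original article): inspect cgroup limits the way
# Docker sets them, on a constructed sample directory layout.

# Convert a docker size string (100m, 2g, 512k, or a plain byte count) to bytes.
# Docker interprets k/m/g as binary units (KiB/MiB/GiB).
size_to_bytes() {
    s=$1
    case "$s" in
        *[kK]) echo $(( ${s%?} * 1024 )) ;;
        *[mM]) echo $(( ${s%?} * 1024 * 1024 )) ;;
        *[gG]) echo $(( ${s%?} * 1024 * 1024 * 1024 )) ;;
        *)     echo "$s" ;;
    esac
}

# Print the memory limit in bytes for the cgroup rooted at $1.
# cgroup v2 exposes memory.max ("max" when unlimited); cgroup v1 exposes
# memory/memory.limit_in_bytes (a huge number when unlimited).
# Prints "unlimited" when no limit is set, "unknown" (status 1) otherwise.
cgroup_memory_limit() {
    root=$1
    if [ -f "$root/memory.max" ]; then
        v=$(cat "$root/memory.max")
    elif [ -f "$root/memory/memory.limit_in_bytes" ]; then
        v=$(cat "$root/memory/memory.limit_in_bytes")
    else
        echo "unknown"; return 1
    fi
    # v2 says "max"; v1 reports a value near INT64_MAX. Treat anything above
    # 1 PiB as "no limit" so both are reported the same way.
    if [ "$v" = "max" ] || [ "$v" -gt 1125899906842624 ]; then
        echo "unlimited"
    else
        echo "$v"
    fi
}

# Percentage of one core the first container gets when containers with shares
# $1 and $2 are both busy on the same --cpuset-cpus core.
share_percent() {
    echo $(( $1 * 100 / ($1 + $2) ))
}

# runc's mapping from a v1 --cpu-shares value to a v2 cpu.weight (1..10000).
shares_to_weight() {
    [ "$1" -eq 0 ] && { echo 0; return; }
    echo $(( 1 + (($1 - 2) * 9999) / 262142 ))
}

demo() {
    d=$(mktemp -d)
    # Constructed v2 layout for a container started with --memory 100m.
    size_to_bytes 100m > "$d/memory.max"
    echo "memory limit (v2 sample): $(cgroup_memory_limit "$d") bytes"
    # Constructed v1 layout for a container started without --memory.
    mkdir -p "$d/v1/memory"
    echo 9223372036854771712 > "$d/v1/memory/memory.limit_in_bytes"
    echo "memory limit (v1 sample): $(cgroup_memory_limit "$d/v1")"
    rm -rf "$d"
    echo "c768 gets about $(share_percent 768 256)% of the shared core"
    echo "cpu.weight for 768 shares: $(shares_to_weight 768), for 256: $(shares_to_weight 256)"
}
demo
```

On a real host, pass the container's cgroup directory (under /sys/fs/cgroup) to cgroup_memory_limit; the point of the v1/v2 branch is that a check written for one hierarchy silently reports nothing on the other.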

3. Practical Tips and Caveats

Never share the host's root filesystem with a privileged container unless necessary.

Use user namespace remapping to avoid running containers as host root.

Limit resources with cgroups to prevent denial-of-service attacks.

Network namespaces isolate container IP addresses; using --net=host removes this isolation.

PID namespaces control visibility of host processes; sharing the host PID namespace (--pid=host) can aid debugging but lets the container see, and signal, every process on the host.
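The tips above are the settings worth checking on every running container. The following shell script is an added example, not code from the original article: it greps the HostConfig section of docker inspect output for host-shared namespaces, privileged mode, and a missing memory limit. The JSON it reads is a constructed sample, not output from a real container; the key names (NetworkMode, PidMode, IpcMode, UsernsMode, Privileged, Memory) are the ones docker inspect emits, while the function name is an assumption.

```shell
#!/bin/sh
# Added example (not from the original article): flag risky HostConfig settings
# in `docker inspect` JSON. Greps the pretty-printed JSON rather than parsing it,
# which is enough for the flat keys checked here.

# Reads inspect JSON on stdin, prints one finding per line, and returns 1 if
# any finding was produced (0 means nothing flagged).
audit_hostconfig() {
    findings=0
    json=$(cat)
    check() {
        # $1 = extended regex, $2 = message to print when it matches
        if printf '%s\n' "$json" | grep -Eq "$1"; then
            echo "$2"
            findings=$((findings + 1))
        fi
    }
    check '"NetworkMode":[[:space:]]*"host"'  'network namespace shared with host (--net=host)'
    check '"PidMode":[[:space:]]*"host"'      'PID namespace shared with host (--pid=host)'
    check '"IpcMode":[[:space:]]*"host"'      'IPC namespace shared with host (--ipc=host)'
    check '"UsernsMode":[[:space:]]*"host"'   'user namespace remapping bypassed (--userns=host)'
    check '"Privileged":[[:space:]]*true'     'container is privileged'
    check '"Memory":[[:space:]]*0([^0-9]|$)'  'no memory limit (--memory not set)'
    [ "$findings" -eq 0 ]
}

# Constructed sample resembling `docker inspect c768`; not real output.
SAMPLE='[
    {
        "Name": "/c768",
        "HostConfig": {
            "NetworkMode": "host",
            "PidMode": "",
            "IpcMode": "private",
            "UsernsMode": "",
            "Privileged": false,
            "Memory": 0,
            "CpuShares": 768,
            "CpusetCpus": "0"
        }
    }
]'

printf '%s\n' "$SAMPLE" | audit_hostconfig || echo "review the settings listed above"
```

On a real host, feed it with docker inspect <container> | audit_hostconfig; an empty string for PidMode or UsernsMode means the container has its own namespace (or the daemon default), so only the literal "host" value is flagged.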

By combining namespaces and cgroups, Docker containers gain stronger isolation and security, though they are not a complete solution on their own.

Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.

Tags: Docker, Linux, Container Security, cgroup, Namespace, User Namespace, Resource Limitation

Written by dbaplus Community

Enterprise-level professional community for Database, BigData, and AIOps. Daily original articles, weekly online tech talks, monthly offline salons, and quarterly XCOPS&DAMS conferences, delivered by industry experts.