The article breaks down Docker’s essential kernel features—Namespaces for isolation, Cgroups for resource limits, UnionFS for layered copy‑on‑write filesystems, and Capabilities for fine‑grained privilege control—illustrating each with clear explanations and a practical command example.
This article shares practical experience and step‑by‑step guidance on constructing minimal, secure Go service Docker images using multi‑stage builds, scratch and distroless bases, and how to handle real‑world concerns like certificates and time zones.
Within a 60‑90 minute window on Dec 22, hackers breached Kuaishou’s systems, exploiting nighttime staffing fatigue, high‑privilege token leaks, AI moderation tricks, direct video uploads, massive account overload, and microservice architecture flaws, highlighting critical security gaps for large platforms.
This guide walks you through a ten‑step zero‑trust framework for hardening container security—from supply‑chain image signing and SBOM generation to runtime threat detection, network policies, secret encryption, and continuous monitoring—targeted at production Kubernetes clusters of any scale.
This comprehensive guide walks you through securing container workloads by defining applicable scenarios, setting up prerequisites, installing Trivy and Falco, hardening Dockerfiles, integrating CI/CD scanning and signing, configuring Kubernetes security contexts, network policies, pod security admission, runtime protection, Harbor registry hardening, regular scanning, monitoring, troubleshooting, and best‑practice recommendations.
This guide walks you through the most critical Linux security flaws—from privilege‑escalation and misconfigured sudo to SSH, web server, kernel, and container risks—offering concrete hardening steps, logging practices, firewall rules, incident‑response procedures, and compliance tips to build a resilient production environment.
This guide walks through configuring MTU, building root‑filesystem images and custom kernels, deploying Kata Containers on Kubernetes, and applying virtioFS rate‑limiting to achieve VM‑level isolation with near‑container performance for high‑security workloads.
This 2025 Linux security threat report breaks down the ten most critical risks—ranging from supply‑chain poisoning to AI‑driven APT attacks—offering real‑world case studies and actionable, step‑by‑step mitigation strategies for Linux operations teams.
Learn how to protect Docker containers throughout their lifecycle—starting with secure base image selection and vulnerability scanning, through Dockerfile hardening, runtime configurations, network isolation, storage encryption, and continuous monitoring—using practical examples, scripts, and tools like Trivy, Docker Content Trust, Falco, and custom Seccomp profiles.
This guide walks through installing Docker and Trivy on Ubuntu, explains Trivy's scanning capabilities and underlying principles, and demonstrates practical commands to detect and report vulnerabilities in container images such as Redis, BusyBox, and Nginx.
Explore comprehensive Docker container security from an attacker’s perspective to expert defenses, featuring real-world escape incidents, threat matrices, five detailed penetration testing scenarios, enterprise-grade protection frameworks, monitoring scripts, and actionable best practices for securing images, runtimes, networks, and access controls.
This article explains why Docker images bloat, then demonstrates using multi‑stage builds, Alpine base images, and Trivy vulnerability scanning—plus CI/CD integration—to produce lightweight, secure containers and streamline DevSecOps workflows.
This guide walks operations engineers through a comprehensive, layered security model for production Kubernetes clusters, covering cluster hardening, network policies, RBAC, pod security standards, image scanning and signing, runtime monitoring, key management, compliance checks, and recommended tooling.
This article examines the evolution of container security into comprehensive cloud‑native protection, explaining CNAPP concepts, technical roadmaps, industry challenges, and best‑practice recommendations for integrating security across the entire application lifecycle, while highlighting market trends and future directions.
This article walks through Docker privilege escalation techniques on Linux, covering Docker basics, permission discovery, manual and automated enumeration with LinPEAS, and three practical breakout scenarios—including abusing Docker group rights, escaping privileged containers, and breaking out of non‑privileged containers using SUID binaries and release_agent attacks.
Learn why smaller Docker images boost build speed and deployment efficiency, then master Docker’s multi‑stage build technique—including basic concepts, a Go example, layer reduction, cache optimization, minimal base images, non‑root users, and build arguments—to produce lightweight, secure, and maintainable containers.
This guide explains how to set up Docker on Ubuntu 18.04, install and configure the Trivy vulnerability scanner, and use it to analyze container images such as Redis, BusyBox, and Nginx, covering database updates, output formats, and practical command examples.
The Kubernetes Community Day held in Jakarta on November 30, 2024 featured Alibaba Cloud experts presenting best‑practice sessions on scaling generative AI workloads, eRDMA network acceleration, container image security, and OpenTelemetry‑based observability within the ACK Kubernetes platform.
The article explains how Cloud Security Center protects Serverless container workloads through vulnerability scanning, intrusion detection, baseline checks, and isolation, outlines the integration architecture and workflow, examines key challenges such as multi‑tenant isolation, resource consumption and blast‑radius control, and presents test results and future security roadmap.
This guide explains how to enhance container image security by installing Cosign, generating key pairs, signing images, and configuring Harbor to trust the signatures, including step‑by‑step commands and parameter details for seamless integration of Cosign into Harbor's registry.
This guide explains how to secure container images by integrating the Trivy vulnerability scanner into the Harbor registry, covering Helm configuration, offline database setup, automated updates via cron, verification steps, and useful references for a robust cloud‑native security workflow.
This article explains how Linux user namespaces isolate UID/GID for processes, shows how to map subordinate users via /etc/subuid and /etc/subgid, configures Docker's userns‑remap feature, verifies isolation with Docker daemon settings, and discusses known limitations.
This tutorial walks through Docker privilege‑escalation techniques, showing how to enumerate Docker permissions, exploit docker group membership, use GTFOBins and LinPEAS, and break out of both privileged and non‑privileged containers to obtain a root shell on the host.
This article explains why enterprises need a private Docker registry, introduces the open‑source Harbor project, outlines its architecture and hardware/software requirements, and provides detailed installation, configuration, and usage instructions—including Docker, Docker‑Compose, and Harbor setup commands—to get a secure, CNCF‑certified container image repository up and running.
This article explains why running business containers without root privileges is essential for security, outlines the necessary background and risks, and provides detailed step‑by‑step methods, Dockerfile snippets, entrypoint scripts, and real‑world examples for MySQL, Redis, CoreDNS, Consul, and cAdvisor to achieve safe non‑root container deployments.
This article reviews the most popular Docker security tools, explains their key features, and shows how they help organizations automatically scan images, detect vulnerabilities, enforce policies, and improve container runtime protection across development and production environments.
This article explores Docker's practical usage, the problems it addresses for developers and operations, its future development, Docker Hub services, technical limitations, and detailed security considerations for both the Docker environment and container deployments, including Hyper-V host setup.
This article details Huolala's end‑to‑end container security strategy—from Kubernetes component basics and a real unauthorized‑access incident to lifecycle‑based safeguards, threat‑matrix guidance, image/ecosystem/baseline/runtime protections, and a custom HIDS architecture—offering practical insights for cloud‑native environments.
The article investigates a cloud‑vendor Kubernetes isolation feature that inserts iptables DROP rules into a pod’s network namespace, demonstrating how it fully blocks traffic, triggers liveness‑probe restarts, and impacts services depending on replica count and probe configuration, while preserving state only without probes.
This article explains the fundamentals of Kubernetes user namespaces, their support evolution from v1.25 to v1.28, security benefits, runtime requirements, a high‑severity CVE demonstration, and upcoming integration with Pod Security Standards, providing practical guidance for cloud‑native deployments.
This article explains how containers work, outlines the challenges of detecting and fixing vulnerabilities throughout the software lifecycle, and presents practical strategies—including CI/CD pipeline, registry, runtime, and host scanning—plus key principles for building a robust container security program.
This article details Huolala's comprehensive container‑security program, covering Kubernetes component basics, a real‑world unauthorized‑access incident, a lifecycle‑based security framework, the Microsoft threat matrix, and the design of a home‑grown HIDS architecture to protect cloud‑native workloads.
This article explains why container security is critical, outlines common threats such as image vulnerabilities, runtime escapes, network isolation, compliance, and orphaned containers, and shows how DevSecOps practices and automation tools can protect the entire container lifecycle.
eBPF, a safe, high‑performance Linux kernel extension evolving from the 1993 Berkeley Packet Filter to modern dynamic tracing, underpins Didi’s HuaTuo platform, which consolidates bytecode management, fast data processing, stability self‑healing, and container insight to solve traffic replay, topology, security, and root‑cause analysis challenges across cloud‑native services, with plans to broaden business use and community collaboration.
This guide explains how Kubernetes signs container images, how to verify those signatures manually or with sigstore policy‑controller, and how CRI‑O in v1.28 can enforce signature policies natively, including configuration, command‑line usage, and handling of error cases.
The article explains how to enable Kubernetes audit logging and use its detailed fields—such as userAgent, responseStatus, requestURI, and object references—to detect CDK‑generated attacks and other threats like CVE‑2022‑3172, privilege escalation, and backdoor deployment, offering practical detection examples and security recommendations.
Kubernetes v1.27, the first 2023 release, introduces 60 enhancements—including 9 graduating to stable—updates image repositories, upgrades SeccompDefault, Job mutable scheduling, DownwardAPIHugePages, and many beta features, while deprecating several older APIs and command‑line flags, with detailed upgrade guidance and availability links.
Sysdig’s 2023 Cloud‑Native Security and Usage Report uncovers that most container images carry critical vulnerabilities, a majority of granted permissions go unused, many containers lack proper CPU limits, and significant cloud‑cost waste persists, prompting urgent recommendations for identity‑access management, vulnerability prioritisation, and zero‑trust adoption.
Sysdig’s analysis of over 250,000 public Linux images on Docker Hub revealed 1,652 images containing hidden malware, including mining tools, embedded credentials, proxy‑avoidance scripts, and malicious websites, highlighting the urgent need for robust image‑scanning and credential‑management practices.
Container security demands vigilant mitigation of risks such as image poisoning, unsafe images, compliance violations, high‑risk vulnerabilities, and container escape by preferring official images, scanning for malware and secrets, enforcing CIS benchmarks, applying cgroup and namespace isolation, and deploying runtime detection agents on each Kubernetes node for rapid response.
This article explains the design of Virtio-fs, its architecture and high‑availability features, and details the crash‑recovery mechanism—including crash models, state preservation, supervisor coordination, request idempotence, downtime optimization, and hot upgrade/migration—implemented by ByteDance's STE team for secure container workloads.
This article explains the security challenges of containerized applications, compares popular image‑scanning tools, and demonstrates how to integrate the Trivy scanner into CI/CD pipelines to achieve shift‑left security and reduce production‑stage vulnerabilities.
This article explains Docker image fundamentals and presents four practical techniques—removing package caches, ordering layers by change frequency, separating build and runtime stages, and inspecting layers with dive—to dramatically shrink image size, speed up builds, and improve security.
A recent Hacker News discussion revealed that Docker’s iptables rule allows containers bound to 127.0.0.1 to be reachable from other hosts, and a step‑by‑step proof‑of‑concept demonstrates the issue while a revised iptables rule is proposed to enforce proper source‑address restrictions.
This tutorial demonstrates how to set up automated Docker image vulnerability scanning with Trivy, embed the scan into GitLab CI/CD pipelines, handle severity thresholds, schedule recurring scans, and remediate findings by adjusting the Dockerfile, providing a practical DevOps security workflow.
The article explains how attackers can break out of Docker containers by exploiting misconfigurations, vulnerable Docker components, kernel bugs, or Kubernetes RBAC errors, illustrates real‑world exploits such as host‑proc mounts and CVE‑2019‑5736, and provides mitigation steps like limiting privileges, updating software, and securing configurations.
This article explains Docker's role in modern development, distinguishes images from containers, and provides concrete security measures—including least‑privilege users, minimal base images, multi‑stage builds, and AppArmor profiles—to harden Docker deployments against attacks.
In this recap of the sixth CNBPA Technical Practice Salon, senior product manager Wen Lei and architect Ren Yazhou answer audience questions on ensuring container security, Kubernetes design considerations, risk assessment methods, and the choice between open‑source and commercial cloud‑native security solutions, emphasizing a security‑left approach throughout the DevOps lifecycle.
This article explains what Trivy is, how to install and use it for container vulnerability scanning, demonstrates saving results in JSON, and provides a step‑by‑step guide to integrating Trivy into a GitLab CI/CD pipeline with example configuration and troubleshooting tips.
The Sysdig 2022 Cloud‑Native Security and Usage Report shows that a majority of production containers and images contain high‑severity vulnerabilities, many cloud accounts expose S3 buckets, and mis‑configured resource limits lead to significant cost overruns, highlighting urgent security and operational challenges for enterprises adopting cloud‑native technologies.
This article analyzes NeuVector’s open‑source container security platform, compares it with other cloud‑native security tools, explains its unified architecture and features, and provides step‑by‑step Helm installation instructions for Kubernetes clusters.
This article examines how banks can adopt cloud‑native container technologies while addressing security challenges through a four‑layer architecture covering infrastructure, platform, container, and full‑lifecycle risk mitigation, offering practical recommendations for robust, compliant cloud operations.
A detailed experiment scans several Docker base images, showing how default Python images contain hundreds of vulnerabilities, while slimmer or Alpine‑based images dramatically reduce the attack surface, highlighting the security trade‑offs of image bloat and the importance of careful base‑image selection.
This article examines why default Docker base images often contain hundreds of vulnerabilities, compares scans of Python, Alpine, and distroless images, and offers practical strategies for reducing container size and attack surface while maintaining functionality.
The 2021 Sysdig report analyzes millions of containers to uncover short lifespans, shifting runtime choices, rising use of Prometheus, prevalent security misconfigurations, image‑scanning practices, and emerging threats, offering actionable insights for organizations managing cloud‑native workloads.
Running Docker containers as root or with the --privileged flag can expose the host to unnecessary risks; this article explains the differences, demonstrates root usage in common images, and provides practical methods—such as specifying non‑root users in Dockerfiles or using security contexts—to securely run containers.
This article explains the differences between running Docker containers as the root user and using the --privileged flag, demonstrates how both affect container security, and provides practical methods to avoid root privileges in Docker and Kubernetes environments.
This article outlines comprehensive container security best practices across kernel, container image, runtime, pod, network, node, and cluster components, emphasizing how to harden each layer in Kubernetes environments to protect against attacks and maintain robust, scalable deployments.
This article examines the growing security concerns of container images, presents alarming vulnerability statistics, explains why image scanning should be placed before image push in the CI/CD pipeline, and outlines practical best‑practice recommendations such as using lightweight base images, non‑root users, secret management, minimal packages, Dockerfile linting, and avoiding unmaintained images.
Hackers exploit GitHub Actions by submitting malicious pull requests that add hidden workflows, downloading and executing crypto‑mining binaries on GitHub’s free servers, a technique that has spread to other CI platforms and poses a persistent security challenge.
This article explains the origins and evolution of BPF into eBPF, compares it with classic kernel modules, describes eBPF tracing mechanisms, and shows how eBPF can be leveraged to secure container runtimes against escape and other cloud‑native threats.
This guide presents a comprehensive checklist of production‑grade Kubernetes best practices, covering container image selection, registry management, namespace isolation, labeling, security controls, CI/CD, monitoring, service mesh adoption, and advanced features to keep clusters stable, secure, and efficient.
This guide explains essential Docker security practices—including running containers as non‑root users, employing private registries, minimizing image size, using multi‑stage builds, and enabling Docker Content Trust—to reduce attack vectors and protect containerized applications.
This guide explains why Docker containers improve security, then details three fundamental steps—running images as non‑root users, using a private registry, and keeping images minimal—plus practical commands, multi‑stage builds, and Docker Content Trust to protect your containerized applications from attacks.
This article explains why Docker images often become oversized and presents several practical techniques—manual Dockerfile edits, multi‑stage builds, Google’s distroless images, Alpine Linux bases, and GNU Guix packaging—to dramatically reduce image size while balancing debugging convenience and security.
The Ngrok‑based Doki malware silently scans for Docker API endpoints with weak configurations, hijacks containers to run crypto miners, uses the Dogecoin blockchain for dynamic C2 domains, and evades detection, highlighting the critical need to secure Docker APIs.
This article explains the concept of secure containers, their definition based on the OCI specification, and how projects like Kata Containers and gVisor implement isolation layers to provide VM‑level security with container‑level performance in cloud‑native environments.
Meituan's security team explains cloud‑native architecture, outlines container‑escape threats from kernel bugs, vulnerable runtimes and misconfigurations, and recommends mitigation through hardened kernels, secure‑container runtimes like gVisor or Kata, rigorous patch management, and collaborative feature development to strengthen runtime protection.
This guide walks you through Harbor's purpose, core features, architecture components, step‑by‑step installation, testing procedures, and high‑availability setup with Nginx, providing a comprehensive tutorial for building a secure, enterprise‑grade Docker image registry.
This article explains the concept of secure containers, traces their naming history, defines their role in cloud‑native environments, and details the architectures of Kata Containers and gVisor as modern solutions that add isolation layers to improve container security and performance.
This article explains how cloud‑native technologies—including containers, Kubernetes, serverless platforms, service‑mesh architectures, standardized application management, and edge computing—are reshaping digital transformation by delivering extreme elasticity, security isolation, and seamless cloud‑to‑edge integration.
This article reviews the development of secure container technologies, including the history of container isolation, the design of MicroVM‑based solutions like Kata Containers, Alibaba Cloud's security sandbox architecture, performance benchmarks, and future challenges for secure cloud‑native runtimes.
At the Cloud Conference, experts Wang Xu and Liu Jiang discuss the evolution of container security, compare traditional containers, MicroVMs, and process virtualization, detail Alibaba Cloud’s secure sandbox and Kata Containers implementation, share performance metrics, and outline future challenges for secure, high‑performance container runtimes.
This guide explains Docker's Namespace and Cgroup mechanisms, shows how to configure them to limit resources and isolate containers, and demonstrates practical commands for protecting container security while highlighting their limitations.
This article summarizes OPPO's comprehensive Docker security strategy, covering the container ecosystem, key vulnerabilities, image and runtime protection, Kubernetes hardening, deep image scanning, host hardening, logging, traffic analysis, and future challenges in large‑scale container deployments.
A critical CVE‑2019‑5736 vulnerability in the runc container runtime lets a malicious container overwrite the host’s runc binary, granting attackers root‑level code execution that can compromise other containers, the host system, and the network, with a CVSS 3.0 score of 7.2, affecting runc, Apache Mesos and LXC, and requiring prompt updates.
JD Security’s Silicon Valley AI security scientist unveiled a novel container‑based sandbox at BlackHat Europe, detailing how contextual behavior analysis can detect and trace malicious code by leveraging lightweight containers, improving threat detection speed and accuracy for enterprise defenses.
This guide explains how to deploy Sysdig Falco on Docker, configure its rules, and demonstrate detection of four common container security threats—including interactive shells, unauthorized processes, writes to non‑user directories, and sensitive mounts—using real‑world examples and log analysis.
This article explains Docker's built‑in security mechanisms—including Linux kernel capabilities, image signing, AppArmor MAC, Seccomp syscall filtering, user namespaces, SELinux, PID limits and additional kernel hardening tools—provides configuration examples, command‑line demonstrations, and guidance on using them safely.
At DockerCon 2016, Aaron Grattafiori outlined a comprehensive security framework for container‑based microservices, emphasizing user namespaces, custom AppArmor/SELinux policies, sec‑comp whitelists, hardened host OS, limited host access, network security, immutable containers, and secret management to achieve high‑assurance deployments.
This article explains how Docker containers improve security through isolation, Linux namespaces, cgroups, capabilities, and image management, while also covering integration with virtual machines, bare‑metal deployment, lifecycle management, and open‑source security practices for modern microservice architectures.
This article examines the security risk of exposing MySQL root passwords as plaintext environment variables in Docker containers and presents a practical volume‑replacement method, comparing it with password‑modification approaches while discussing Docker‑layer versus application‑layer considerations.
