Container Security Fundamentals: How Containers Work in Linux and Docker, How They Differ from VMs and What It Means to Security

Webinar Registration

Containers are a lighter, more agile form of virtualization than virtual machines. In this real training for free event, we will spin up some containers in Linux with Docker, show you how they work, and help you understand how they are different from virtual machines. 

More importantly, I’ll introduce you to container security. Security with containers shares much of what you are familiar with in terms of host, application and network security. But don’t do a find/replace on “VM” with “container” and assume its business as usual. Containers do offer isolation, but it’s very different than the isolation you get between VMs, and between the VM and the hypervisor and host OS. 

As you’ve probably read many times, VMs each have the overhead and isolation of virtualized hardware and a complete OS instance, while containers are actual processes running on a host OS. But how does it actually work?

In this real training for free event, we’ll start inside the Linux kernel itself where containers run and then work up to Docker. If you are new to containers, you might think Docker and containers are synonymous, but containers actually pre-date Docker. Docker made containers easy, fast and manageable. Docker is important to this discussion, but containers (and container security) really start inside the Linux kernel with features like:

  • chroot
  • namespaces
  • control groups (aka cgroups)
  • uid and gid mapping

These are the fundamental building blocks of the running container and how Linux keeps containers isolated from each other and from the kernel.

Where does Docker come in? To start, the Docker engine pulls those Linux features together into a Docker container. There are other container implementations in Linux, such as rkt from CoreOS and LXC from Google, et all. LXC is also confusingly known as Linux Containers, so don’t confuse “Linux containers” with “Linux Containers”. In fact, Docker was originally built on top of LXC, but I digress. Docker is the defacto standard for containers and I’ll use Docker in my demonstrations for this webinar. Docker also supports and is supported on Windows, but for this first webinar on containers, we’re going to limit the scope to Linux. 

I will show you how container security issues go far beyond the isolation discussed above. The next area I’ll discuss is Docker images and containers. A Docker image is an immutable file that is basically a snapshot of a container. Or put another way, a Docker image is an instance of a container that’s frozen in state. You can create images from containers and containers from images. I know it sounds confusing but once you see my real-world demonstrations, it starts to make sense. Perhaps this is a better comparison. You are probably familiar with “golden images” of Windows installations used to quickly rollout hundreds or thousands of laptops. Once you put an image down on a laptop, boot the laptop up and give it to the user, it quickly diverges from the “golden image.” Well, in Docker, the Docker image is much like its eponymous object in laptop deployment and a given laptop built from that image is like a container built from its Docker image.

Join me for this fast-paced introduction to containers and container security. Rapid7 is excited to sponsor this real training for free event and they will show you how their vulnerability management technology, InsightVM, provides visibility into vulnerabilities and risks associated with the components and layers of a container and the overall container infrastructure.

 Please join us for this real training for free session.

First Name:   
Last Name:   
Work Email:  
Phone:  
Job Title:  
Organization:  
Country:    
State:  
 

Your information will be shared with the sponsor.

By clicking "Submit", you're agreeing to our Privacy Policy and consenting to be contacted by us.

 

 

Additional Resources