![\"Kernel](\"http:\/\/examples.javacodegeeks.com\/wp-content\/uploads\/2016\/12\/docker-ketnel-requirements.png\")
<\/a>Let us now examine each of these dependencies in brief.\n<\/p>\n
3. Resource constraining dependencies<\/h2>\n3.1 Control groups a.k.a cgroups<\/strong><\/h3>\nControl groups<\/a>, or cgroups<\/a>, is a kernel feature to constrain the resource usage of a process or a set of processes. This provides Docker with 4 main features:<\/p>\n\n- Limit resources (CPI, memory, network, disk I\/O, …) to user-defined processes.<\/li>\n
- Prioritize resources to processes (a set of processes will get more resources than another set).<\/li>\n
- Measure resource usage for billing purposes.<\/li>\n
- Control a group of processes.<\/li>\n<\/ul>\n
The docker run<\/code> command is used to manipulate resources allocated to a container. For instance, docker run --cpu-shares=<value><\/code> sets the cpu share allocated to a container (every container gets 1024 shares by default). docker run --cpuset-cpus=<value><\/code> sets the CPU core on which the container would be run. Do look at this insightful article<\/a> for some examples of manipulating cgroups settings for Docker containers.<\/p>\n3.2 Namespaces<\/h3>\n
Namespaces<\/a> is a kernel feature that provides lightweight process virtualization to containers. This helps Docker to isolate these resources for a container – process IDs, hostnames, user IDs, network access, IPC and filesystems. Docker combines namespaces and cgroups to isolate resources for containers and place resource usage constraints. These namespaces are used to isolate containers – Process ID (pid), Network (net), Mount (mnt), Hostname (uts), Shared Memory (ipc).<\/p>\n\n- A pid namespace provides processes running within containers with separate pids isolated from other containers.\/li><\/li>\n
- A net namespace creates separate network interfaces, IP adrresses and such for each container.<\/li>\n
- A mnt namespace creates isolated mounts for each container. Mount points from host OS may be carried into the container but any any additions to the container mounts are not propagated back to the host.<\/li>\n
- An uts namespace creates containers with their own hostnames without affecting other containers or the rest of the system.<\/li>\n
- An ipc namespace creates isolated shared memory space for each container and prevents access between shared memory of different computers.<\/li>\n<\/ul>\n
4. Security dependencies<\/h2>\n4.1 AppArmor<\/h3>\n
AppArmor<\/a> is a Mandatory Access Control (MAC)<\/a> tool to restrict programs to a limited set of resources. Restriction policies are set in a simple text file to administer storage, networking, capabilities of a program. A policy can run in enforcement<\/em> or complain<\/em> mode. A policy running in enforcement mode<\/em> will enforce the policy and report violations. A policy running in complain mode<\/em> will not enforce restrictions but only report violations. <\/div> <\/div><\/p>\nDocker installs a default AppArmor profile – \/etc\/apparmor.d\/docker<\/code> – during installation. This profile is applied to all Docker containers. To apply a specific AppArmor profile to a container use the option docker run -it <container-name> --security-opt=apparmor=<profile-name><\/code><\/code>.<\/p>\nRead this page<\/a> for more details about Docker’s usage of AppArmor.<\/p>\n4.2 Security Enhanced Linux a.k.a SELinux<\/h3>\n
SELinux<\/a>, like AppArmor, enforces MAC policies on other subsystems of the Linux kernel. When compared to AppArmor, SELinux follows a more elaborate multi-level security policy control. This is currently developed and maintained by RedHat<\/a>.<\/p>\n4.3 Posix capabilities a.k.a Capabilities<\/h3>\n
Capabilites as implemented in Linux (known as “Posix Capabilities<\/a>“) partitions the root user’s privileges into distinct smaller units called “capabilities”. These capabilities are enabled\/disabled as a unit and assigned to individual threads. This allows a thread\/process to perform some privileged operation with a minimal set of capabilities but without assuming superuser permissions. See man capabilities<\/code><\/a> in any Linux system for more details on capabilities. Docker uses capabilities to restrict the actual capabilities of the container while providing all possible features to the service within it. A root user within a Docker container may not have all privileges as a root user in the actual host OS.<\/p>\nRead this post<\/a> for more explanation on Docker’s support of capabilities.<\/p>\n4.4 Secure Computing Mode a.k.a seccomp<\/h3>\n
Secure Computing Mode<\/a>, also called seccomp<\/a>, provides a facility to place filters on the system calls available to a user-defined process. This is combined with other tools to provide a secure computing sandbox<\/a> to filter a thread from all available system calls. When seccomp is applied to a thread, the thread can perform only 4 system calls – read(), write(), sigreturn() and exit(). The kernel will kill the process if it uses any other system call.[ulp id=’6PVIvOz3kDbYmNRn’]<\/p>\nA seccomp profile is set to a Docker container with the security-opt<\/code> option of docker run<\/code> like so:<\/p>\n$ docker run -it <container-name> --security-opt <value><\/pre>\nRead this<\/a> doc for more information about Docker’s use of seccomp.<\/p>\n5. Networking dependencies<\/h2>\n5.1 Netfilter<\/h3>\n
Netfilter<\/a> is a framework provided by the Linux Kernel that allows network packets flowing through the machine to be manipulated. Features include stateless and stateful packet filtering of IPv4 and IPv6 packets, Network address translation, port address translation, extensible APIs for 3rd party app developers. Docker uses Netfilter through it’s userspace counterpart IPTables.<\/p>\n5.2 IPTables<\/h3>\n
iptables<\/a> is the user-space utility counterpart for netfilter. It interacts with netfilter and allows a system administrator to define tables of firewalling rules for packet filtering, network address translation (NAT), and so on. The Docker daemon automatically appends rules firewalling rules to iptables if it sees it installed in the system. For example when we expose a container’s port to the outside world Docker adds a corresponding rule to iptables. To disable iptables, start Docker daemon with the option iptables<\/code> set to false<\/code> like so:<\/p>\n$ dockerd --iptables=false<\/pre>\nSee this blog post<\/a> for a few examples of how Docker uses iptables.<\/p>\n5.3 Netlink<\/h3>\n
Netlink<\/a> as a tool provides a mechanism for communication between kernel and userspace components using a socket interface. Even userspace components can use this to communicate among one another. This is an alternative to ioctl<\/a> and reduces dependence on direct system calls, ioctl calls, and such. Docker implements it’s netlink libraries to talk to the kernel’s netlink interface to create and configure network devices.<\/p>\nThis excellent post<\/a> has more details about how Docker uses Netlink.<\/p>\n6. File system dependencies<\/h2>\n
Docker supports several storage drivers with a plug-in architecture. One can choose a storage driver to run the Docker daemon with. However, Docker Engine can support only one active storage driver at a time. A change in the storage drive will need the Docker daemon to restart.<\/p>\n
6.1 Device mapper<\/h3>\n
The devicemapper framework<\/a> is provided by the kernel to map physical block devices as virtual devices devices. It provides the foundation for features such as logical volume management, device encryption, copy-on-write files, etc.,. Docker uses this framework to support copy-on-write files in containers.<\/p>\n7. Other non-kernel dependencies<\/h2>\n7.1 LibContainer a.k.a RunC<\/h3>\n
libcontainer<\/a> (Now called opencontainers\/RunC<\/a>) – This is not exactly a kernel feature. Docker developed this as an execution engine that exposes a consistent standardized Go API to work with Linux namespaces, cgroups, capabilities, AppArmor, security profiles, network interfaces, firewalls and firewalling rules. RunC has replaced LXC as the default execution driver of the Docker Engine.<\/p>\n7.2 LXC<\/h3>\n
Like libcontainer, LXC<\/a> provides a userspace interface for the Linux Kernel’s container supporting features. LXC was the initial execution engine before Docker moved to RunC.<\/p>\n8. Summary<\/h2>\n
In this post we were introduced to the key kernel features on which Docker depends and builds to enable containerization. Each of the Kernel features in itself can be pursued further and understood more deeply to improve container security<\/a> in Docker. The Docker docs<\/a> also contain more information about kernel level enablers.<\/p>\n","protected":false},"excerpt":{"rendered":"1. Introduction Docker is a containerization technology that provides OS level virtualization to applications. It isolates processes, storage, networking, and also provide security to services running within it’s containers. To enable this, Docker depends on various features of the Linux Kernel. Let us get introduced to these Docker kernel requirements in this post. 2. Docker …<\/p>\n","protected":false},"author":103,"featured_media":31013,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1354],"tags":[],"class_list":["post-42377","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-docker"],"yoast_head":"\n
Docker Kernel Requirements - Java Code Geeks<\/title>\n<meta name=\"description\" content=\"This post introduces the key features of the Linux Kernel that Docker builds on to enable containerization.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/examples.javacodegeeks.com\/devops\/docker\/docker-kernel-requirements\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Docker Kernel Requirements - Java Code Geeks\" \/>\n<meta property=\"og:description\" content=\"This post introduces the key features of the Linux Kernel that Docker builds on to enable containerization.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/examples.javacodegeeks.com\/devops\/docker\/docker-kernel-requirements\/\" \/>\n<meta property=\"og:site_name\" content=\"Examples Java Code Geeks\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/javacodegeeks\" \/>\n<meta property=\"article:published_time\" content=\"2016-12-08T13:00:23+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2019-03-29T12:12:33+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/examples.javacodegeeks.com\/wp-content\/uploads\/2015\/12\/docker-logo.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"150\" \/>\n\t<meta property=\"og:image:height\" content=\"150\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Hariharan Narayanan\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@javacodegeeks\" \/>\n<meta name=\"twitter:site\" content=\"@javacodegeeks\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Hariharan Narayanan\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"7 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/examples.javacodegeeks.com\/devops\/docker\/docker-kernel-requirements\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/examples.javacodegeeks.com\/devops\/docker\/docker-kernel-requirements\/\"},\"author\":{\"name\":\"Hariharan Narayanan\",\"@id\":\"https:\/\/examples.javacodegeeks.com\/#\/schema\/person\/780d96edfe3bce18c5440613fa88bce3\"},\"headline\":\"Docker Kernel Requirements\",\"datePublished\":\"2016-12-08T13:00:23+00:00\",\"dateModified\":\"2019-03-29T12:12:33+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/examples.javacodegeeks.com\/devops\/docker\/docker-kernel-requirements\/\"},\"wordCount\":1361,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/examples.javacodegeeks.com\/#organization\"},\"image\":{\"@id\":\"https:\/\/examples.javacodegeeks.com\/devops\/docker\/docker-kernel-requirements\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/examples.javacodegeeks.com\/wp-content\/uploads\/2015\/12\/docker-logo.jpg\",\"articleSection\":[\"Docker\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/examples.javacodegeeks.com\/devops\/docker\/docker-kernel-requirements\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/examples.javacodegeeks.com\/devops\/docker\/docker-kernel-requirements\/\",\"url\":\"https:\/\/examples.javacodegeeks.com\/devops\/docker\/docker-kernel-requirements\/\",\"name\":\"Docker Kernel Requirements - Java Code Geeks\",\"isPartOf\":{\"@id\":\"https:\/\/examples.javacodegeeks.com\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/examples.javacodegeeks.com\/devops\/docker\/docker-kernel-requirements\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/examples.javacodegeeks.com\/devops\/docker\/docker-kernel-requirements\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/examples.javacodegeeks.com\/wp-content\/uploads\/2015\/12\/docker-logo.jpg\",\"datePublished\":\"2016-12-08T13:00:23+00:00\",\"dateModified\":\"2019-03-29T12:12:33+00:00\",\"description\":\"This post introduces the key features of the Linux Kernel that Docker builds on to enable containerization.\",\"breadcrumb\":{\"@id\":\"https:\/\/examples.javacodegeeks.com\/devops\/docker\/docker-kernel-requirements\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/examples.javacodegeeks.com\/devops\/docker\/docker-kernel-requirements\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/examples.javacodegeeks.com\/devops\/docker\/docker-kernel-requirements\/#primaryimage\",\"url\":\"https:\/\/examples.javacodegeeks.com\/wp-content\/uploads\/2015\/12\/docker-logo.jpg\",\"contentUrl\":\"https:\/\/examples.javacodegeeks.com\/wp-content\/uploads\/2015\/12\/docker-logo.jpg\",\"width\":150,\"height\":150},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/examples.javacodegeeks.com\/devops\/docker\/docker-kernel-requirements\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/examples.javacodegeeks.com\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"DevOps\",\"item\":\"https:\/\/examples.javacodegeeks.com\/category\/devops\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Docker\",\"item\":\"https:\/\/examples.javacodegeeks.com\/category\/devops\/docker\/\"},{\"@type\":\"ListItem\",\"position\":4,\"name\":\"Docker Kernel Requirements\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/examples.javacodegeeks.com\/#website\",\"url\":\"https:\/\/examples.javacodegeeks.com\/\",\"name\":\"Java Code Geeks\",\"description\":\"Java Examples and Code Snippets\",\"publisher\":{\"@id\":\"https:\/\/examples.javacodegeeks.com\/#organization\"},\"alternateName\":\"JCG\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/examples.javacodegeeks.com\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/examples.javacodegeeks.com\/#organization\",\"name\":\"Exelixis Media P.C.\",\"url\":\"https:\/\/examples.javacodegeeks.com\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/examples.javacodegeeks.com\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/examples.javacodegeeks.com\/wp-content\/uploads\/2022\/06\/exelixis-logo.png\",\"contentUrl\":\"https:\/\/examples.javacodegeeks.com\/wp-content\/uploads\/2022\/06\/exelixis-logo.png\",\"width\":864,\"height\":246,\"caption\":\"Exelixis Media P.C.\"},\"image\":{\"@id\":\"https:\/\/examples.javacodegeeks.com\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/javacodegeeks\",\"https:\/\/x.com\/javacodegeeks\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/examples.javacodegeeks.com\/#\/schema\/person\/780d96edfe3bce18c5440613fa88bce3\",\"name\":\"Hariharan Narayanan\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/examples.javacodegeeks.com\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/examples.javacodegeeks.com\/wp-content\/uploads\/2016\/10\/Hariharan-Narayanan-96x96.jpg\",\"contentUrl\":\"https:\/\/examples.javacodegeeks.com\/wp-content\/uploads\/2016\/10\/Hariharan-Narayanan-96x96.jpg\",\"caption\":\"Hariharan Narayanan\"},\"description\":\"Hari graduated from the School of Computer and Information Sciences in the University of Hyderabad. Over his career he has been involved in many complex projects in mobile applications, enterprise applications, distributed applications, micro-services, and other platforms and frameworks. He works as a consultant and is mainly involved with projects based on Java, C++ and Big Data technologies.\",\"sameAs\":[\"https:\/\/www.javacodegeeks.com\"],\"url\":\"https:\/\/examples.javacodegeeks.com\/author\/hariharan-narayanan\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Docker Kernel Requirements - Java Code Geeks","description":"This post introduces the key features of the Linux Kernel that Docker builds on to enable containerization.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/examples.javacodegeeks.com\/devops\/docker\/docker-kernel-requirements\/","og_locale":"en_US","og_type":"article","og_title":"Docker Kernel Requirements - Java Code Geeks","og_description":"This post introduces the key features of the Linux Kernel that Docker builds on to enable containerization.","og_url":"https:\/\/examples.javacodegeeks.com\/devops\/docker\/docker-kernel-requirements\/","og_site_name":"Examples Java Code Geeks","article_publisher":"https:\/\/www.facebook.com\/javacodegeeks","article_published_time":"2016-12-08T13:00:23+00:00","article_modified_time":"2019-03-29T12:12:33+00:00","og_image":[{"width":150,"height":150,"url":"https:\/\/examples.javacodegeeks.com\/wp-content\/uploads\/2015\/12\/docker-logo.jpg","type":"image\/jpeg"}],"author":"Hariharan Narayanan","twitter_card":"summary_large_image","twitter_creator":"@javacodegeeks","twitter_site":"@javacodegeeks","twitter_misc":{"Written by":"Hariharan Narayanan","Est. reading time":"7 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/examples.javacodegeeks.com\/devops\/docker\/docker-kernel-requirements\/#article","isPartOf":{"@id":"https:\/\/examples.javacodegeeks.com\/devops\/docker\/docker-kernel-requirements\/"},"author":{"name":"Hariharan Narayanan","@id":"https:\/\/examples.javacodegeeks.com\/#\/schema\/person\/780d96edfe3bce18c5440613fa88bce3"},"headline":"Docker Kernel Requirements","datePublished":"2016-12-08T13:00:23+00:00","dateModified":"2019-03-29T12:12:33+00:00","mainEntityOfPage":{"@id":"https:\/\/examples.javacodegeeks.com\/devops\/docker\/docker-kernel-requirements\/"},"wordCount":1361,"commentCount":0,"publisher":{"@id":"https:\/\/examples.javacodegeeks.com\/#organization"},"image":{"@id":"https:\/\/examples.javacodegeeks.com\/devops\/docker\/docker-kernel-requirements\/#primaryimage"},"thumbnailUrl":"https:\/\/examples.javacodegeeks.com\/wp-content\/uploads\/2015\/12\/docker-logo.jpg","articleSection":["Docker"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/examples.javacodegeeks.com\/devops\/docker\/docker-kernel-requirements\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/examples.javacodegeeks.com\/devops\/docker\/docker-kernel-requirements\/","url":"https:\/\/examples.javacodegeeks.com\/devops\/docker\/docker-kernel-requirements\/","name":"Docker Kernel Requirements - Java Code Geeks","isPartOf":{"@id":"https:\/\/examples.javacodegeeks.com\/#website"},"primaryImageOfPage":{"@id":"https:\/\/examples.javacodegeeks.com\/devops\/docker\/docker-kernel-requirements\/#primaryimage"},"image":{"@id":"https:\/\/examples.javacodegeeks.com\/devops\/docker\/docker-kernel-requirements\/#primaryimage"},"thumbnailUrl":"https:\/\/examples.javacodegeeks.com\/wp-content\/uploads\/2015\/12\/docker-logo.jpg","datePublished":"2016-12-08T13:00:23+00:00","dateModified":"2019-03-29T12:12:33+00:00","description":"This post introduces the key features of the Linux Kernel that Docker builds on to enable containerization.","breadcrumb":{"@id":"https:\/\/examples.javacodegeeks.com\/devops\/docker\/docker-kernel-requirements\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/examples.javacodegeeks.com\/devops\/docker\/docker-kernel-requirements\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/examples.javacodegeeks.com\/devops\/docker\/docker-kernel-requirements\/#primaryimage","url":"https:\/\/examples.javacodegeeks.com\/wp-content\/uploads\/2015\/12\/docker-logo.jpg","contentUrl":"https:\/\/examples.javacodegeeks.com\/wp-content\/uploads\/2015\/12\/docker-logo.jpg","width":150,"height":150},{"@type":"BreadcrumbList","@id":"https:\/\/examples.javacodegeeks.com\/devops\/docker\/docker-kernel-requirements\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/examples.javacodegeeks.com\/"},{"@type":"ListItem","position":2,"name":"DevOps","item":"https:\/\/examples.javacodegeeks.com\/category\/devops\/"},{"@type":"ListItem","position":3,"name":"Docker","item":"https:\/\/examples.javacodegeeks.com\/category\/devops\/docker\/"},{"@type":"ListItem","position":4,"name":"Docker Kernel Requirements"}]},{"@type":"WebSite","@id":"https:\/\/examples.javacodegeeks.com\/#website","url":"https:\/\/examples.javacodegeeks.com\/","name":"Java Code Geeks","description":"Java Examples and Code Snippets","publisher":{"@id":"https:\/\/examples.javacodegeeks.com\/#organization"},"alternateName":"JCG","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/examples.javacodegeeks.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/examples.javacodegeeks.com\/#organization","name":"Exelixis Media P.C.","url":"https:\/\/examples.javacodegeeks.com\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/examples.javacodegeeks.com\/#\/schema\/logo\/image\/","url":"https:\/\/examples.javacodegeeks.com\/wp-content\/uploads\/2022\/06\/exelixis-logo.png","contentUrl":"https:\/\/examples.javacodegeeks.com\/wp-content\/uploads\/2022\/06\/exelixis-logo.png","width":864,"height":246,"caption":"Exelixis Media P.C."},"image":{"@id":"https:\/\/examples.javacodegeeks.com\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/javacodegeeks","https:\/\/x.com\/javacodegeeks"]},{"@type":"Person","@id":"https:\/\/examples.javacodegeeks.com\/#\/schema\/person\/780d96edfe3bce18c5440613fa88bce3","name":"Hariharan Narayanan","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/examples.javacodegeeks.com\/#\/schema\/person\/image\/","url":"https:\/\/examples.javacodegeeks.com\/wp-content\/uploads\/2016\/10\/Hariharan-Narayanan-96x96.jpg","contentUrl":"https:\/\/examples.javacodegeeks.com\/wp-content\/uploads\/2016\/10\/Hariharan-Narayanan-96x96.jpg","caption":"Hariharan Narayanan"},"description":"Hari graduated from the School of Computer and Information Sciences in the University of Hyderabad. Over his career he has been involved in many complex projects in mobile applications, enterprise applications, distributed applications, micro-services, and other platforms and frameworks. He works as a consultant and is mainly involved with projects based on Java, C++ and Big Data technologies.","sameAs":["https:\/\/www.javacodegeeks.com"],"url":"https:\/\/examples.javacodegeeks.com\/author\/hariharan-narayanan\/"}]}},"_links":{"self":[{"href":"https:\/\/examples.javacodegeeks.com\/wp-json\/wp\/v2\/posts\/42377","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/examples.javacodegeeks.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/examples.javacodegeeks.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/examples.javacodegeeks.com\/wp-json\/wp\/v2\/users\/103"}],"replies":[{"embeddable":true,"href":"https:\/\/examples.javacodegeeks.com\/wp-json\/wp\/v2\/comments?post=42377"}],"version-history":[{"count":0,"href":"https:\/\/examples.javacodegeeks.com\/wp-json\/wp\/v2\/posts\/42377\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/examples.javacodegeeks.com\/wp-json\/wp\/v2\/media\/31013"}],"wp:attachment":[{"href":"https:\/\/examples.javacodegeeks.com\/wp-json\/wp\/v2\/media?parent=42377"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/examples.javacodegeeks.com\/wp-json\/wp\/v2\/categories?post=42377"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/examples.javacodegeeks.com\/wp-json\/wp\/v2\/tags?post=42377"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
Control groups<\/a>, or cgroups<\/a>, is a kernel feature to constrain the resource usage of a process or a set of processes. This provides Docker with 4 main features:<\/p>\n The Namespaces<\/a> is a kernel feature that provides lightweight process virtualization to containers. This helps Docker to isolate these resources for a container – process IDs, hostnames, user IDs, network access, IPC and filesystems. Docker combines namespaces and cgroups to isolate resources for containers and place resource usage constraints. These namespaces are used to isolate containers – Process ID (pid), Network (net), Mount (mnt), Hostname (uts), Shared Memory (ipc).<\/p>\n AppArmor<\/a> is a Mandatory Access Control (MAC)<\/a> tool to restrict programs to a limited set of resources. Restriction policies are set in a simple text file to administer storage, networking, capabilities of a program. A policy can run in enforcement<\/em> or complain<\/em> mode. A policy running in enforcement mode<\/em> will enforce the policy and report violations. A policy running in complain mode<\/em> will not enforce restrictions but only report violations. Docker installs a default AppArmor profile – Read this page<\/a> for more details about Docker’s usage of AppArmor.<\/p>\n SELinux<\/a>, like AppArmor, enforces MAC policies on other subsystems of the Linux kernel. When compared to AppArmor, SELinux follows a more elaborate multi-level security policy control. This is currently developed and maintained by RedHat<\/a>.<\/p>\n Capabilites as implemented in Linux (known as “Posix Capabilities<\/a>“) partitions the root user’s privileges into distinct smaller units called “capabilities”. These capabilities are enabled\/disabled as a unit and assigned to individual threads. This allows a thread\/process to perform some privileged operation with a minimal set of capabilities but without assuming superuser permissions. See Read this post<\/a> for more explanation on Docker’s support of capabilities.<\/p>\n Secure Computing Mode<\/a>, also called seccomp<\/a>, provides a facility to place filters on the system calls available to a user-defined process. This is combined with other tools to provide a secure computing sandbox<\/a> to filter a thread from all available system calls. When seccomp is applied to a thread, the thread can perform only 4 system calls – read(), write(), sigreturn() and exit(). The kernel will kill the process if it uses any other system call.[ulp id=’6PVIvOz3kDbYmNRn’]<\/p>\n A seccomp profile is set to a Docker container with the Read this<\/a> doc for more information about Docker’s use of seccomp.<\/p>\n Netfilter<\/a> is a framework provided by the Linux Kernel that allows network packets flowing through the machine to be manipulated. Features include stateless and stateful packet filtering of IPv4 and IPv6 packets, Network address translation, port address translation, extensible APIs for 3rd party app developers. Docker uses Netfilter through it’s userspace counterpart IPTables.<\/p>\n iptables<\/a> is the user-space utility counterpart for netfilter. It interacts with netfilter and allows a system administrator to define tables of firewalling rules for packet filtering, network address translation (NAT), and so on. The Docker daemon automatically appends rules firewalling rules to iptables if it sees it installed in the system. For example when we expose a container’s port to the outside world Docker adds a corresponding rule to iptables. To disable iptables, start Docker daemon with the option See this blog post<\/a> for a few examples of how Docker uses iptables.<\/p>\n Netlink<\/a> as a tool provides a mechanism for communication between kernel and userspace components using a socket interface. Even userspace components can use this to communicate among one another. This is an alternative to ioctl<\/a> and reduces dependence on direct system calls, ioctl calls, and such. Docker implements it’s netlink libraries to talk to the kernel’s netlink interface to create and configure network devices.<\/p>\n This excellent post<\/a> has more details about how Docker uses Netlink.<\/p>\n Docker supports several storage drivers with a plug-in architecture. One can choose a storage driver to run the Docker daemon with. However, Docker Engine can support only one active storage driver at a time. A change in the storage drive will need the Docker daemon to restart.<\/p>\n The devicemapper framework<\/a> is provided by the kernel to map physical block devices as virtual devices devices. It provides the foundation for features such as logical volume management, device encryption, copy-on-write files, etc.,. Docker uses this framework to support copy-on-write files in containers.<\/p>\n libcontainer<\/a> (Now called opencontainers\/RunC<\/a>) – This is not exactly a kernel feature. Docker developed this as an execution engine that exposes a consistent standardized Go API to work with Linux namespaces, cgroups, capabilities, AppArmor, security profiles, network interfaces, firewalls and firewalling rules. RunC has replaced LXC as the default execution driver of the Docker Engine.<\/p>\n Like libcontainer, LXC<\/a> provides a userspace interface for the Linux Kernel’s container supporting features. LXC was the initial execution engine before Docker moved to RunC.<\/p>\n In this post we were introduced to the key kernel features on which Docker depends and builds to enable containerization. Each of the Kernel features in itself can be pursued further and understood more deeply to improve container security<\/a> in Docker. The Docker docs<\/a> also contain more information about kernel level enablers.<\/p>\n","protected":false},"excerpt":{"rendered":" 1. Introduction Docker is a containerization technology that provides OS level virtualization to applications. It isolates processes, storage, networking, and also provide security to services running within it’s containers. To enable this, Docker depends on various features of the Linux Kernel. Let us get introduced to these Docker kernel requirements in this post. 2. Docker …<\/p>\n","protected":false},"author":103,"featured_media":31013,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1354],"tags":[],"class_list":["post-42377","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-docker"],"yoast_head":"\n\n
docker run<\/code> command is used to manipulate resources allocated to a container. For instance, docker run --cpu-shares=<value><\/code> sets the cpu share allocated to a container (every container gets 1024 shares by default). docker run --cpuset-cpus=<value><\/code> sets the CPU core on which the container would be run. Do look at this insightful article<\/a> for some examples of manipulating cgroups settings for Docker containers.<\/p>\n3.2 Namespaces<\/h3>\n
\n
4. Security dependencies<\/h2>\n
4.1 AppArmor<\/h3>\n
\/etc\/apparmor.d\/docker<\/code> – during installation. This profile is applied to all Docker containers. To apply a specific AppArmor profile to a container use the option docker run -it <container-name> --security-opt=apparmor=<profile-name><\/code><\/code>.<\/p>\n4.2 Security Enhanced Linux a.k.a SELinux<\/h3>\n
4.3 Posix capabilities a.k.a Capabilities<\/h3>\n
man capabilities<\/code><\/a> in any Linux system for more details on capabilities. Docker uses capabilities to restrict the actual capabilities of the container while providing all possible features to the service within it. A root user within a Docker container may not have all privileges as a root user in the actual host OS.<\/p>\n4.4 Secure Computing Mode a.k.a seccomp<\/h3>\n
security-opt<\/code> option of docker run<\/code> like so:<\/p>\n$ docker run -it <container-name> --security-opt <value><\/pre>\n
5. Networking dependencies<\/h2>\n
5.1 Netfilter<\/h3>\n
5.2 IPTables<\/h3>\n
iptables<\/code> set to false<\/code> like so:<\/p>\n$ dockerd --iptables=false<\/pre>\n
5.3 Netlink<\/h3>\n
6. File system dependencies<\/h2>\n
6.1 Device mapper<\/h3>\n
7. Other non-kernel dependencies<\/h2>\n
7.1 LibContainer a.k.a RunC<\/h3>\n
7.2 LXC<\/h3>\n
8. Summary<\/h2>\n