I’d rather not start in on a whole ‘nother “Docker is insecure” rant. It is, we know it, we can stipulate to the fact. We’re certainly doing our part to help, but a recent presentation by Frank Chen and Brennan Saeta from Coursera has some good insights.
The technique basically came down to a defensive measure. Not perfect, but usable.
- CPU quotas, memory limits swap limits for Docker/CGroups
- Hard timeouts for container execution
- btrfs limits, including file system quotas and IPOS throttling
- Open file limits per container
- nproc process limits
- Kernel memory limited per Cgroup
- Execution time limits
For network attacks, they deny access from the offender, supplemented by security monitoring and pen-testing.
How they did it is not that difficult, and it’s worth a read, here.