Book Image

Docker Cookbook - Second Edition

By : Ken Cochrane, Jeeva S. Chelladhurai, Neependra K Khare
2 (1)
Book Image

Docker Cookbook - Second Edition

2 (1)
By: Ken Cochrane, Jeeva S. Chelladhurai, Neependra K Khare

Overview of this book

Docker is an open source tool used for creating, deploying, and running applications using containers. With more than 100 self-contained tutorials, this book examines common pain points and best practices for developers building distributed applications with Docker. Each recipe in this book addresses a specific problem and offers a proven, best practice solution with insights into how it works, so that you can modify the code and configuration files to suit your needs. The Docker Cookbook begins by guiding you in setting up Docker in different environments and explains how to work with its containers and images. You’ll understand Docker orchestration, networking, security, and hosting platforms for effective collaboration and efficient deployment. The book also covers tips and tricks and new Docker features that support a range of other cloud offerings. By the end of this book, you’ll be able to package and deploy end-to-end distributed applications with Docker and be well-versed with best practice solutions for common development problems.
Table of Contents (13 chapters)

Removing capabilities to break down the power of a root user inside a container

In simple terms, with capabilities we can break down the power of a root user. Note the following from the main capabilities page:

For the purpose of performing permission checks, traditional UNIX implementations distinguish two categories of processes: privileged processes (whose effective user ID is 0, referred to as superuser or root), and unprivileged processes (whose effective UID is non-zero). Privileged processes bypass all kernel permission checks, while unprivileged processes are subject to full permission checking based on the process's credentials (usually: effective UID, effective GID, and supplementary group list).

Starting with kernel 2.2, Linux divides the privileges traditionally associated with superusers into distinct units, known as capabilities, which can be independently...