I will -briefly- explain how #Docker uses the Linux kernel namespaces to provide isolation. To better understand these concepts, we must think of a container as a process whose children (processes within the container) will run within their parents' namespaces. Thread ⬇️
On Linux, the Docker engine uses the following namespaces:

• UTS: System identifiers isolation
• PID: PID space isolation
• IPC: IPC resources isolation
• NET: network interfaces isolation
• USER: User & Group ID spaces
• Mount namespace: filesystem mount points isolation

UTS – Unix Timesharing System namespace

A process running with its own UTS namespace can change the hostname and domain names for it and its children without altering the names of the host system or other processes. In this way...
Every running docker container has its own hostname -which by default is an alphanumeric string- that differs from the host and other containers.
PID – Process ID namespace

The PID namespace separates processes and restricts which process IDs are visible. Docker runs every container in its own PID namespace: if we run the command “ps” inside a container, it shows only the processes within that container, not those of the whole host.
We must take into account that “ps” reads the files located in the /proc directory to list the active processes. Having its own PID namespace is not enough for a container to be fully isolated from other processes; it also needs its own /proc directory.
Docker uses the pivot_root syscall to change the container’s root directory; in combination with the mount namespace, the old root is no longer accessible. The container has its own root where the base-image files are decompressed, and it normally includes the /proc directory.
IPC – Inter-Process Communication namespace

Being super brief, IPC is a mechanism that allows processes to communicate with each other. On Linux, the communication can be done through shared memory segments, semaphores and message queues.
A process running with its own IPC namespace cannot see the IPC objects in other IPC namespaces.
Shared memory is commonly used by databases and high-performance applications. If these types of applications are broken into multiple containers, it might be necessary to share the IPC mechanisms of the containers, using "shareable" mode with the parameter --ipc.
NET – Network namespace

Network namespaces restrict the view and access of processes to network interfaces. Unless the container is executed with the parameters to be connected to the host’s networks, it will have its own view of interfaces and routing tables.
Mount namespace

Docker uses the mount namespaces to isolate the host filesystem mounts from the container’s mounts. If we run the command “findmnt” in the host and in the container, the output will differ ⬇️ The --mount & -v flags can be used to mount files within containers.
USER – User namespace

It is possible to make use of the USER namespace in Docker, but it is not enabled by default. From a security viewpoint it is very interesting, I will talk more about this soon.
Each namespace we have talked about can be shared with the host if so indicated. The parameters --uts, --pid, --ipc and --net can be used when executing a container with the value "host", which means that the namespace in question will be effectively shared with the host.
Obviously from the defense perspective we must avoid breaking this isolation as much as possible.
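As an added example (not part of the original thread), a small audit script that flags containers configured to share host namespaces by reading the HostConfig fields of `docker inspect` output, plus a helper that compares /proc/<pid>/ns inodes to check, from the host side, whether a process actually sits in the same namespaces as PID 1. The inspect JSON is a constructed sample; the field names PidMode, IpcMode, UTSMode and NetworkMode are real docker inspect keys.

```python
import json
import os

# docker inspect HostConfig keys that select a namespace; the value "host"
# means the container shares that namespace with the Docker host.
NS_MODE_KEYS = {
    "PidMode": "pid",
    "IpcMode": "ipc",
    "UTSMode": "uts",
    "NetworkMode": "net",
}

def host_shared_namespaces(inspect_output):
    """Return {container_name: [shared namespaces]} for every container in a
    `docker inspect` JSON array whose HostConfig sets a namespace to "host"."""
    findings = {}
    for c in json.loads(inspect_output):
        host_cfg = c.get("HostConfig", {})
        shared = [ns for key, ns in NS_MODE_KEYS.items()
                  if host_cfg.get(key) == "host"]
        if shared:
            findings[c.get("Name", "?").lstrip("/")] = shared
    return findings

def namespaces_shared_with(pid, other_pid=1):
    """Compare /proc/<pid>/ns/* inodes with another PID (init by default)
    and return the namespaces both processes are in. Linux only; namespaces
    whose links cannot be read (no permission, no such pid) are skipped."""
    shared = []
    for ns in ("uts", "pid", "ipc", "net", "mnt", "user"):
        try:
            a = os.readlink(f"/proc/{pid}/ns/{ns}")
            b = os.readlink(f"/proc/{other_pid}/ns/{ns}")
        except OSError:
            continue
        if a == b:
            shared.append(ns)
    return shared

# Constructed sample resembling `docker inspect` output for two containers.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/web", "HostConfig": {"PidMode": "", "IpcMode": "private",
                                    "UTSMode": "", "NetworkMode": "bridge"}},
    {"Name": "/debug", "HostConfig": {"PidMode": "host", "IpcMode": "host",
                                      "UTSMode": "", "NetworkMode": "host"}},
])

if __name__ == "__main__":
    for name, shared in host_shared_namespaces(SAMPLE_INSPECT).items():
        print(f"{name}: shares host namespaces {', '.join(shared)}")
```

On a real host, pipe `docker inspect $(docker ps -q)` into host_shared_namespaces, and pass a container's init PID (from `docker inspect --format '{{.State.Pid}}'`) to namespaces_shared_with to confirm the isolation from the kernel's view.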

If you want to learn more about Docker security, we will give trainings (online format) at:

- Black Hat (english): blackhat.com/us-20/training…

- Eko (spanish): ekoparty.org/eko16/training…