Online Courses
Container Security
Online Courses
Container Security
  • Introduction
  • Intro to Containerisation
    • What is Containerization
    • Introducing Docker
    • The History of Docker
    • The Benefits & Features of Docker
    • How does Containerisation Work?
  • Docker
    • Introduction
    • Basic Docker Syntax
    • Running Your First Container
    • Intro to Dockerfiles
    • Intro to Docker Compose
    • Intro to the Docker Socket
  • Intro to Kubernetes
    • Introduction
    • Kubernetes 101
    • Kubernetes Architecture
    • Kubernetes Landscape
    • Kubernetes Configuration
    • Kubectl
    • Kubernetes & DevSecOps
  • Container Vulnerabilities
    • Container Vulnerabilities 101
    • Vulnerability 1: Privileged Containers (Capabilities)
    • Vulnerability 2: Escaping via Exposed Docker Daemon
    • Vulnerability 3: Remote Code Execution via Exposed Docker Daemon
    • Vulnerability 4: Abusing Namespaces
  • Container Hardening
    • Protecting the Docker Daemon
    • Implementing Control Groups
    • Preventing "Over-Privileged" Containers
    • Seccomp & AppArmor 101
    • Reviewing Docker Images
    • Compliance & Benchmarking
Powered by GitBook
On this page
  1. Intro to Containerisation

How does Containerisation Work?

PreviousThe Benefits & Features of DockerNextIntroduction

Last updated 8 months ago

Namespaces essentially segregate system resources such as processes, files and memory away from other namespaces.

Every process running on Linux will be assigned two things:

  • A namespace

  • A process identifier (PID)

Namespaces are how containerisation is achieved! Processes can only "see" other processes that are in the same namespace - no conflicts in theory. Take Docker, for example, every new container will be running as a new namespace, although the container may be running multiple applications (and in turn, processes).

Let's prove the concept of containerisation by comparing the number of processes there are in a Docker container that is running a web server versus the host operating system at the time:

Put simply, the process with an ID of 0 is the process that is started when the system boots. Process numbers increment and must be started by another process, so naturally, the next process ID will be #1. This process is the systems init , for example, the latest versions of Ubuntu use systemd. Any other process that runs will be controlled by systemd (process #1).

We can use process #1's namespace on an operating system to escalate our privileges. Whilst containers are designed to use these namespaces to isolate from each other, they can instead coincide with the host computer's processes... This gives us a nice opportunity to escape!