Keyboard shortcuts

Press or to navigate between chapters

Press S or / to search in the book

Press ? to show this help

Press Esc to hide this help

Foundations

Foundations chapter

Before you scan or harden anything, you need a clear picture of what a container actually is, how an image is produced from a Dockerfile, and how pull, build, run, stop, and remove fit together. This section covers that picture.

What a container is

A container is a group of processes running on one Linux host. The Linux kernel uses two features to create the illusion of isolation. Namespaces control what a process can see: its own process list, network interfaces, and filesystem view. Cgroups (control groups) limit how much CPU and memory it can use. That is the entire mechanism. There is no second kernel, no firmware boundary, and no hardware virtualization involved.

This matters for security because a kernel bug or a misconfigured container can give a process access to the host. A virtual machine with its own guest kernel adds a stronger hardware boundary. Containers trade that strength for speed and density.

What an image is

An image is the template a container starts from. It is a stack of read-only filesystem layers. Each layer adds or removes files on top of the previous one. When you run a container, Docker adds one thin writable layer on top. That writable layer disappears when the container stops unless you explicitly save it.

Images are built from a Dockerfile, which is a plain text file with one instruction per line. Every instruction that changes the filesystem becomes a new layer.

Why Dockerfile review is security work

The Dockerfile decides what goes into the image. A careless Dockerfile can include unnecessary packages that add CVEs, copy in secret files by accident, run everything as root, or use a base image that is months out of date. Static analysis tools read the Dockerfile before a build and flag these patterns. The first lab in this section does exactly that.

Docker Compose basics

Most real applications need more than one container: a web server, a database, maybe a cache. Docker Compose lets you describe all of them in one YAML file and start the whole group with a single command. Understanding Compose at the basics level also prepares you to read similar multi-service definitions on other platforms.