docs/content/security/faqs/containers.md


---
description: Find the answers to container security related FAQs
keywords: Docker, Docker Hub, Docker Desktop security FAQs, platform, Docker Scout, admin, security
title: Container security FAQs
tags: [FAQ]
aliases:
- /faq/security/containers/
---
### How are containers isolated from the host in Docker Desktop?
Docker Desktop runs all containers inside a customized, minimal Linux virtual
machine (except for native Windows containers). This adds a strong layer of
isolation between containers and the host machine, even if containers are
running rootful.

However, note the following:
* Containers have access to host files configured for file sharing via Settings
-> Resources -> File Sharing (see the next FAQ question below for more info).
* By default, containers run as root but with limited capabilities inside the
Docker Desktop VM. Containers running with elevated privileges (e.g.,
`--privileged`, `--pid=host`, `--cap-add`, etc.) run as root with elevated
privileges inside the Docker Desktop VM which gives them access to Docker
Desktop VM internals, including the Docker Engine. Thus, users must be careful
which containers they run with such privileges to avoid security breaches by
malicious container images.
* If [Enhanced Container Isolation (ECI)](../../desktop/hardened-desktop/enhanced-container-isolation/_index.md)
mode is enabled, then each container runs within a dedicated Linux User
Namespace inside the Docker Desktop VM, which means the container has no
privileges within the Docker Desktop VM. Even when using the `--privileged`
flag or similar, the container processes will only be privileged within the
container's logical boundary, but unprivileged otherwise. In addition, ECI
uses other advanced techniques to ensure containers can't easily breach
the Docker Desktop VM and Docker Engine within (see the ECI section for more
info). No changes to the containers or user workflows are required, as the
extra protection is added under the covers.

### To which portions of the host filesystem do containers have read and write access?
Containers can only access host files if these are shared via Settings -> Resources -> File Sharing,
and only when such files are bind-mounted into the container (e.g., `docker run -v /path/to/host/file:/mnt ...`).
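The two FAQ answers above describe the settings an operator should review on a Docker Desktop host: containers started with `--privileged`, `--pid=host` or `--cap-add`, and bind mounts that point outside the directories configured under Settings -> Resources -> File Sharing. The following audit script is an added example, not code from Docker or from this documentation. It reads the JSON that `docker inspect` prints (the `HostConfig.Privileged`, `HostConfig.PidMode`, `HostConfig.CapAdd` and `HostConfig.Binds` fields are real fields of that output); the list of shared directories and the sample inspect document embedded below are constructed for illustration and must be replaced with the real values from your File Sharing settings and `docker inspect $(docker ps -q)`.

```python
"""Audit `docker inspect` output for the elevated-privilege flags and host
bind mounts discussed in the Docker Desktop container security FAQ.

Added example (not Docker's own code). Assumes the JSON came from
`docker inspect <container...>` and that SHARED_DIRS mirrors the directories
configured under Settings -> Resources -> File Sharing.
"""
import json
from pathlib import PurePosixPath

# Assumption: these directories mirror Settings -> Resources -> File Sharing.
SHARED_DIRS = ["/Users", "/tmp"]

# Constructed sample resembling `docker inspect web debug`; only the fields
# the audit reads are included.
SAMPLE_INSPECT = json.dumps([
    {
        "Name": "/web",
        "HostConfig": {
            "Privileged": False,
            "PidMode": "",
            "CapAdd": None,
            "Binds": ["/Users/alice/site:/usr/share/nginx/html:ro"],
        },
    },
    {
        "Name": "/debug",
        "HostConfig": {
            "Privileged": True,
            "PidMode": "host",
            "CapAdd": ["SYS_ADMIN"],
            "Binds": ["/var/run/docker.sock:/var/run/docker.sock"],
        },
    },
])


def _under_shared_dir(host_path, shared_dirs):
    """True if host_path equals, or lies beneath, one of shared_dirs.

    Uses path components rather than string prefixes so that "/Usersx" is
    not mistaken for a child of "/Users".
    """
    p = PurePosixPath(host_path)
    for d in shared_dirs:
        d = PurePosixPath(d)
        if p == d or d in p.parents:
            return True
    return False


def audit_inspect(inspect_json, shared_dirs=SHARED_DIRS):
    """Return {container_name: [findings]} for containers that warrant review.

    A container is flagged when it runs privileged, shares the host PID
    namespace, adds Linux capabilities, or bind-mounts an absolute path that
    is not under a configured File Sharing directory. Named volumes (no
    leading slash in the Binds entry) are not host paths and are skipped.
    """
    findings = {}
    for c in json.loads(inspect_json):
        name = c.get("Name", "").lstrip("/")
        hc = c.get("HostConfig") or {}
        issues = []
        if hc.get("Privileged"):
            issues.append("runs with --privileged")
        if hc.get("PidMode") == "host":
            issues.append("shares the host PID namespace (--pid=host)")
        for cap in hc.get("CapAdd") or []:
            issues.append(f"adds capability {cap}")
        for bind in hc.get("Binds") or []:
            host_path = bind.split(":", 1)[0]
            if host_path.startswith("/") and not _under_shared_dir(host_path, shared_dirs):
                issues.append(f"bind-mounts {host_path}, which is outside File Sharing")
        if issues:
            findings[name] = issues
    return findings


if __name__ == "__main__":
    # In practice: audit_inspect(subprocess.check_output(["docker", "inspect", ...]))
    for name, issues in audit_inspect(SAMPLE_INSPECT).items():
        print(name)
        for issue in issues:
            print("  -", issue)
```

With the sample data, `web` produces no findings, while `debug` is reported four times: privileged, host PID namespace, the added `SYS_ADMIN` capability, and a bind mount outside the shared directories. On a real host, review every flagged container against the first FAQ answer: without ECI, such a container is root with elevated privileges inside the Docker Desktop VM and can reach the Docker Engine.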
### Can containers running as root gain access to admin-owned files or directories on the host?
No; host file sharing (bind mount from the host filesystem) uses a user-space crafted
file server (running in `com.docker.backend` as the user running Docker
Desktop), so containers can't gain any access that the user on the host doesn't
already have.