Advanced container security
01Namespaces from first principlesBuild a container by hand with unshare — no Docker.16 min02cgroups & resource containmentWhat resource isolation promises — and what it does not.14 min03Linux capabilities: the pieces of rootThe handful that actually decide an escape.14 min04What "root in a container" really isUID 0, and why it reaches the host kernel.12 min
01Multi-stage builds, in depthLeave every compiler and package manager behind.14 min02Distroless & scratchNo shell, no package manager, nothing to pivot with.14 min03Static binaries & tiny basesGo, Rust, and C services at a few megabytes.14 min04Slimming & layer hygieneMeasure the image, then cut every wasted byte.12 min05Trusting a minimal image: pin, SBOM, scanProvenance for images with no package database.12 min
01Drop root: non-root by defaultUSER, numeric UIDs, and file ownership.12 min02Read-only root filesystemImmutable at runtime, with explicit writable paths.12 min03cap-drop ALL & no-new-privilegesLeast privilege, actually enforced.12 min04seccomp: filter syscallsRuntimeDefault and a curated custom profile.14 min05AppArmor & SELinuxMandatory access control on files and capabilities.14 min
01Container network hardeningDefault-deny egress, no inter-container comms, block metadata.15 min02Runtime secrets, done rightGet secrets into a read-only container without env leaks.14 min03Host namespace sharing as attack surface--pid, --ipc, --net, --uts=host and what they expose.12 min04Container forensics & incident responseWhen a container is popped: contain, capture, investigate.14 min
01The escape mindsetFrom one popped container to the whole host.12 min02The big three: privileged, docker.sock, hostPathThe flags and mounts that hand over the host.16 min03Capability & kernel escapesSYS_ADMIN, /proc, and CVE-driven breakouts.14 min04Sandboxes & runtime detectiongVisor, Kata, and catching what still gets through.12 min
Final exam
Test yourself on everything
62 questions drawn from all 6 sections — every answer explained as you pick.