Securing Containers with Seccomp
TechOps Examples
Hey — It's Govardhana MK 👋
Along with a use case deep dive, we identify the remote job opportunities, top news, tools, and articles in the TechOps industry.
👋 Before we begin... a big thank you to today's sponsor WRITER
Writer RAG tool: build production-ready RAG apps in minutes
RAG in just a few lines of code? We’ve launched a predefined RAG tool on our developer platform, making it easy to bring your data into a Knowledge Graph and interact with it with AI. With a single API call, writer LLMs will intelligently call the RAG tool to chat with your data.
Integrated into Writer’s full-stack platform, it eliminates the need for complex vendor RAG setups, making it quick to build scalable, highly accurate AI workflows just by passing a graph ID of your data as a parameter to your RAG tool.
IN TODAY'S EDITION
🧠 Use Case
Securing Containers with Seccomp
🚀 Top News
👀 Remote Jobs
Modus Create is hiring a DevSecOps Engineer
Remote Location: Worldwide
WealthWizards is hiring a Senior Platform Engineer
Remote Location: Worldwide
📚️ Resources
🛠️ TOOL OF THE DAY
networking-costs-calculator - Sample of a networking costs calculator, helping to estimate the networking costs such as Data Transfer, Transit Gateway Attachments, NAT Gateways etc.
🧠 USE CASE
Securing Containers with Seccomp
As container adoption grows, securing workloads becomes increasingly critical.
One effective way to shrink the attack surface of a containerized application is Seccomp (Secure Computing Mode), a Linux kernel feature that restricts which system calls (syscalls) a process may make.
A process can only reach kernel functionality through syscalls, so filtering them cuts off whole classes of kernel features the workload never needs.
Docker applies a default Seccomp profile to every container unless told otherwise: it denies by default and allows the few hundred syscalls most applications need, while blocking ones such as mount, kexec_load, reboot and keyctl that are rarely needed and frequently abused.
This reduces the kernel surface reachable from inside the container, which blunts many privilege escalation and container escape attempts; it is a safety net, though, not a substitute for running the container with fewer privileges in the first place.
In simple terms,
With Seccomp: only the syscalls on the allowlist are available, so a compromised process has far less of the kernel to attack.
Without Seccomp (--security-opt seccomp=unconfined): every syscall the kernel offers is reachable, and so is any kernel bug behind any of them.
Using Seccomp with Docker:
Running a Container with Seccomp
Docker applies its default profile automatically, so you do not normally pass one. The explicit form, with default.json downloaded from the Moby repository (profiles/seccomp/default.json), behaves the same and is a useful starting point when you want to remove further syscalls:
docker run --rm --security-opt seccomp=default.json alpine ash
Custom Seccomp Profiles
You can tailor a Seccomp profile (custom-seccomp.json) to your application needs:
{
"defaultAction": "SCMP_ACT_ERRNO",
"syscalls": [
{
"names": ["read", "write", "exit", "sigreturn"],
"action": "SCMP_ACT_ALLOW"
}
]
}
This profile denies every syscall by default (SCMP_ACT_ERRNO returns an error, EPERM unless you set one, to the caller instead of killing the process) and explicitly allows only read, write, exit and sigreturn.
Take it as the shape of an allowlist rather than a working one: runc loads the filter before it execs the container command, so execve must be allowed; C libraries exit through exit_group before falling back to exit; and a shell such as ash needs dozens more (brk, mmap, openat, rt_sigaction and so on). Derive the names from a recording of the real workload, as described under Audit and Monitor Syscalls further down, rather than guessing.
Run the container with your custom profile:
docker run --rm --security-opt seccomp=custom-seccomp.json alpine ash
If the profile is too tight, the usual symptom is "Operation not permitted" from a call the program expected to succeed; rerunning the same command with --security-opt seccomp=unconfined confirms whether Seccomp is the cause.
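Tailoring the allowlist by hand is error-prone, so the practical workflow is to record the workload's syscalls (for example with strace -f, or one of the tools under Audit and Monitor Syscalls) and turn the recording into the profile. The script below is an added example for this page, not code from the newsletter or from Docker. It assumes a recording in the format of strace -f -o trace.txt (a constructed sample is embedded so it runs offline), and the BASELINE and DANGEROUS lists are my own choices, to be adjusted per workload.

```shell
#!/bin/sh
# Added example: build a deny-by-default seccomp profile from an strace
# recording and lint it before passing it to docker run --security-opt.
# Not the newsletter's or Docker's code; the lists below are assumptions.
set -eu

# Syscalls a process needs to be exec'd by runc, set itself up and exit.
# Assumption: a sensible floor for musl/glibc programs on x86_64; extend it
# if the workload fails to start under the generated profile.
BASELINE="execve exit exit_group brk mmap munmap mprotect arch_prctl
set_tid_address set_robust_list rt_sigaction rt_sigprocmask rt_sigreturn
prlimit64 getrandom futex read write close fstat newfstatat openat"

# Syscalls an ordinary service has no business making; Docker's default
# profile blocks these as well. Seeing one in a trace deserves a look.
DANGEROUS="ptrace mount umount2 keyctl bpf unshare setns kexec_load
init_module finit_module reboot pivot_root open_by_handle_at"

# Read strace output on stdin (handles `strace -f` pid prefixes and
# "<... name resumed>" continuation lines) and print the sorted, unique
# set of syscall names seen, unioned with BASELINE.
trace_syscalls() {
  {
    sed -E -n \
      -e 's/^\[?pid +[0-9]+\]? +//' \
      -e 's/^[0-9]+ +//' \
      -e 's/^([a-z_][a-z0-9_]*)\(.*/\1/p' \
      -e 's/^<\.\.\. ([a-z_][a-z0-9_]*) resumed>.*/\1/p'
    printf '%s\n' $BASELINE
  } | LC_ALL=C sort -u
}

# Emit a Docker/OCI seccomp profile on stdout: deny by default (EPERM to
# the caller), allow exactly the names from the trace.
gen_seccomp_profile() {
  names=$(trace_syscalls | awk '{ printf "%s\"%s\"", (NR > 1 ? ", " : ""), $0 }')
  cat <<EOF
{
  "defaultAction": "SCMP_ACT_ERRNO",
  "architectures": ["SCMP_ARCH_X86_64", "SCMP_ARCH_X86", "SCMP_ARCH_X32"],
  "syscalls": [
    {
      "names": [$names],
      "action": "SCMP_ACT_ALLOW"
    }
  ]
}
EOF
}

# Read a profile on stdin; return 1 and name the offenders if any DANGEROUS
# syscall appears in it. Deliberately ignores which action an entry carries,
# so an allow guarded by a capability filter is still reported for review.
lint_profile() {
  listed=$(grep -o '"[a-z0-9_]*"' | tr -d '"')
  status=0
  for s in $DANGEROUS; do
    if printf '%s\n' "$listed" | grep -qx "$s"; then
      echo "lint: profile mentions $s" >&2
      status=1
    fi
  done
  return $status
}

# Constructed sample of `strace -f -o trace.txt /app/server` output so the
# script runs offline; record your own workload instead of using this.
SAMPLE_TRACE='1001 execve("/app/server", ["/app/server"], 0x7ffc1a2b3c40 /* 8 vars */) = 0
1001 openat(AT_FDCWD, "/etc/hosts", O_RDONLY|O_CLOEXEC) = 3
1001 socket(AF_INET, SOCK_STREAM|SOCK_CLOEXEC, IPPROTO_TCP) = 4
1001 bind(4, {sa_family=AF_INET, sin_port=htons(8080), sin_addr=inet_addr("0.0.0.0")}, 16) = 0
1001 listen(4, 128) = 0
1001 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|SIGCHLD) = 1002
1002 read(0,  <unfinished ...>
1001 accept4(4, {sa_family=AF_INET, sin_port=htons(51234), sin_addr=inet_addr("10.0.0.5")}, [16], SOCK_CLOEXEC) = 5
1002 <... read resumed>"", 4096) = 0
1001 ptrace(PTRACE_TRACEME) = -1 EPERM (Operation not permitted)
1002 +++ exited with 0 +++'

# Stand-alone run: print the generated profile, then lint it. The sample
# contains a ptrace call, so the lint reports it; remove the call from the
# program (or decide it is really needed) before shipping the profile.
printf '%s\n' "$SAMPLE_TRACE" | gen_seccomp_profile
if printf '%s\n' "$SAMPLE_TRACE" | gen_seccomp_profile | lint_profile; then
  echo "lint: clean"
else
  echo "lint: review the profile before use"
fi
```

To use it on a real workload, run the program under strace -f -o trace.txt (inside a test container started with seccomp=unconfined, otherwise the trace itself is filtered), then `gen_seccomp_profile < trace.txt > custom-seccomp.json` and `lint_profile < custom-seccomp.json`. The lint is intentionally blunt: it also fires on Docker's own default.json for ptrace, which that profile allows on kernels from 4.8, so treat a hit as a prompt to decide, not as a verdict.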
Seccomp works best when combined with other security practices like container capabilities management.
Some Suggestions:
1. Limit Container Capabilities
Drop every Linux capability with Docker's --cap-drop=ALL flag and add back only what the workload really needs. Most services need none at all; NET_ADMIN, shown here, lets the process reconfigure the container's network stack, so treat it as an example rather than a default.
docker run --rm --cap-drop=ALL --cap-add=NET_ADMIN alpine ash
2. Use Read-Only Root Filesystem
Mount the container's root filesystem read-only so a compromised process cannot drop tools or modify binaries, and give it an explicit writable scratch area (a --tmpfs or a volume) for the few paths it must write. Combined with Seccomp, this makes the container both hard to tamper with and hard to escape.
docker run --rm --read-only alpine ash
3. Run as a Non-Root User and Leverage User Namespaces
Run the process as an unprivileged UID with Docker's --user flag, so a compromise does not start out as root inside the container. Separately, user-namespace remapping (the userns-remap setting in daemon.json) maps even the container's root to an unprivileged UID on the host, so root inside is not root outside; --user alone does not enable it.
docker run --rm --user 1001:1001 alpine ash
4. Network Isolation
Combine Seccomp with Docker's --network flag to restrict network access for containers that don't require it.
docker run --rm --network=none alpine ash
5. Audit and Monitor Syscalls
Record what the workload actually calls before writing an allowlist: strace -f on the process, sysdig, or oci-seccomp-bpf-hook (an OCI hook used with Podman that traces syscalls with BPF and writes a profile) all work. Review the recorded profile rather than shipping it blindly: a trace only covers the code paths you exercised, so error handling, log rotation or a graceful shutdown that never ran during the recording will hit "Operation not permitted" in production.
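Putting the five layers together, as an added example that is not part of the original newsletter: the script composes one docker run invocation with all of them (plus --tmpfs for a scratch directory and no-new-privileges, which the list above does not mention), and then checks from inside the container, via /proc/self/status, that the Seccomp filter is loaded (Seccomp: 2), the capability bounding set is empty and the process is not root. The image name, the profile path and the presence of cat in the image are assumptions.

```shell
#!/bin/sh
# Added example: run a container with every layer from the list above and
# verify from inside it that the layers are in force. Not the newsletter's
# code; the image name and profile path are placeholders.
set -eu

IMAGE="${IMAGE:-registry.example.com/app:1.4}"   # assumed image name
PROFILE="${PROFILE:-custom-seccomp.json}"         # profile from the section above
DRY_RUN="${DRY_RUN:-1}"                           # 1 = print the command only

# Compose the docker run command. --tmpfs gives the read-only root a
# scratch area and no-new-privileges stops setuid binaries re-gaining
# privilege; both are additions to the list above.
hardened_run() {
  set -- docker run --rm \
    --security-opt "seccomp=$PROFILE" \
    --security-opt no-new-privileges \
    --cap-drop=ALL \
    --read-only --tmpfs /tmp:rw,noexec,nosuid,size=64m \
    --user 1001:1001 \
    --network=none \
    "$IMAGE" "$@"
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Summarise a /proc/<pid>/status listing from stdin: seccomp mode
# (0 none, 1 strict, 2 filter), capability bounding set and real uid.
status_summary() {
  awk -F'\t' '
    $1 == "Seccomp:" { s = $2 }
    $1 == "CapBnd:"  { c = $2 }
    $1 == "Uid:"     { u = $2 }
    END { printf "seccomp=%s capbnd=%s uid=%s\n", s, c, u }'
}

# 0 only if the filter is loaded, no capability can ever be regained and
# the uid is non-root; anything else is reported and returns 1.
check_summary() {
  case "$1" in
    "seccomp=2 capbnd=0000000000000000 uid="[1-9]*) return 0 ;;
  esac
  echo "hardening incomplete: $1" >&2
  return 1
}

# Start the container, read its own status file (the image must have cat)
# and fail if any layer is missing.
verify_container() {
  summary=$(hardened_run cat /proc/self/status | status_summary)
  echo "$summary"
  check_summary "$summary"
}

# Stand-alone: print the command. DRY_RUN=0 runs the container and checks it.
if [ "$DRY_RUN" = "1" ]; then hardened_run sh; else verify_container; fi
```

Run with DRY_RUN=0 once docker and the image are available; the check catches the common regressions, such as a profile path that silently fell back to unconfined in a compose file, or a base image that still starts as uid 0.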
By layering Seccomp with these practices, you create a defense-in-depth strategy, significantly improving container security and reducing the risk of exploitation.
Hiring a DevOps Engineer and calling them a Kubernetes admin is how you turn a highly skilled engineer into a highly skilled job seeker.
K8s admin isn't just a subset of DevOps as many assume, almost every team needs a dedicated K8s admin.
— Govardhana Miriyala Kannaiah (@govardhana_mk)
11:34 AM • Dec 3, 2024