Containers share the host OS kernel. What risk does this create if a container is compromised?
Think about what sharing the OS kernel means for isolation.
Because containers share the host OS kernel, if one container is compromised, an attacker might escape the container and access the host or other containers. This is why container security is critical.
What output will the following command produce when scanning an image with known vulnerabilities?
docker scan alpine:3.12
Docker scan uses vulnerability databases to check images.
The 'docker scan' command checks images for known vulnerabilities and reports severity and fixes if any are found.
Which Docker run option helps improve container security by limiting privileges?
Think about restricting write access inside the container.
The '--read-only' flag makes the container's filesystem read-only, reducing risk by preventing writes and limiting damage if compromised.
A container runs with the '--privileged' flag and an attacker escapes to the host. What is the main cause?
Consider what '--privileged' does to container permissions.
The '--privileged' flag gives the container extended permissions, increasing the risk of container escape and host compromise.
Which practice best reduces vulnerabilities in container images?
Think about minimizing attack surface and keeping software current.
Using minimal base images reduces unnecessary software that can have vulnerabilities. Regular updates patch known security issues.