kotovalexarian-likes-github/moby--moby
1
0
Fork 0
mirror of https://github.com/moby/moby.git synced 2022-11-09 12:21:53 -05:00
Code Releases Activity

Merge pull request #13418 from donkirkby/patch-1

Browse source 
small formatting and grammar fixes
This commit is contained in:
Sebastiaan van Stijn 2015-05-25 19:15:47 +02:00
commit 187362414d
1 changed files with 4 additions and 4 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

8
docs/sources/articles/security.md
View file

@ -17,8 +17,8 @@ There are three major areas to consider when reviewing Docker security:
## Kernel namespaces ## Kernel namespaces
Docker containers are very similar to LXC containers, and they have Docker containers are very similar to LXC containers, and they have
similar security features. When you start a container with `docker similar security features. When you start a container with
run`, behind the scenes Docker creates a set of namespaces and control `docker run`, behind the scenes Docker creates a set of namespaces and control
groups for the container. groups for the container.
**Namespaces provide the first and most straightforward form of **Namespaces provide the first and most straightforward form of
@ -103,7 +103,7 @@ Docker directly on your local machine, outside of a VM). You can then
use traditional UNIX permission checks to limit access to the control use traditional UNIX permission checks to limit access to the control
socket. socket.
You can also expose the REST API over HTTP if you explicitly decide so. You can also expose the REST API over HTTP if you explicitly decide to do so.
However, if you do that, being aware of the above mentioned security However, if you do that, being aware of the above mentioned security
implication, you should ensure that it will be reachable only from a implication, you should ensure that it will be reachable only from a
trusted network or VPN; or protected with e.g., `stunnel` and client SSL trusted network or VPN; or protected with e.g., `stunnel` and client SSL
@ -253,7 +253,7 @@ an artificial capabilities set. Likewise, however, this artificial
capabilities set may require use of 'capsh' to restrict the capabilities set may require use of 'capsh' to restrict the
user-namespace capabilities set when using 'unshare'. user-namespace capabilities set when using 'unshare'.
Eventually, it is expected that Docker will direct, native support Eventually, it is expected that Docker will have direct, native support
for user-namespaces, simplifying the process of hardening containers. for user-namespaces, simplifying the process of hardening containers.
## Conclusions ## Conclusions