Merge pull request wsargent#91 from Skamander/Skamander-security-1.11

Added new security features from docker 1.11
Aqsaxvv092 · Apr 19, 2016 · 4b262bc · 4b262bc
2 parents d849d0f + 813452c
commit 4b262bc
Showing 1 changed file with 12 additions and 0 deletions.
diff --git a/README.md b/README.md
@@ -390,6 +390,18 @@ Check out the [docker bench security script](https://github.com/docker/docker-be
 
 You should start off by using a kernel with unstable patches for grsecurity / pax compiled in, such as [Alpine Linux](https://en.wikipedia.org/wiki/Alpine_Linux).  If you are using grsecurity in production, you should spring for [commercial support](https://grsecurity.net/business_support.php) for the [stable patches](https://grsecurity.net/announce.php), same as you would do for RedHat.  It's $200 a month, which is nothing to your devops budget.
 
+Since docker 1.11 you can easily limit the number of active processes running inside a container to prevent fork bombs. This requires a linux kernel >= 4.3 with CGROUP_PIDS=y to be in the kernel configuration.
+
+```
+docker run --pids-limit=64
+```
+
+Also available since docker 1.11 is the ability to prevent processes to gain new privileges. This feature is in the linux kernel since version 3.5. You can read more about it in [this](http://www.projectatomic.io/blog/2016/03/no-new-privs-docker/) blog post.
+
+```
+docker run --security-opt=no-new-privileges
+```
+
 From the [Docker Security Cheat Sheet](http://container-solutions.com/content/uploads/2015/06/15.06.15_DockerCheatSheet_A2.pdf) (it's in PDF which makes it hard to use, so copying below) by [Container Solutions](http://container-solutions.com/is-docker-safe-for-production/):
 
 Turn off interprocess communication with: