In this recipe, we will learn Docker configurations that may result in slightly improved security for your containers. Docker uses some advanced features in the latest Linux kernel, which include kernel namespaces to provide process isolation, control groups to control resource allocation, and kernel capabilities and user namespaces to run unprivileged containers. As stated on the Docker documentation page, Docker containers are, by default, quite secure.
This recipe covers some basic steps to improve Docker security and reduce the attack surface on the Ubuntu host as well as the Docker daemon.
The first and most common thing is to use the latest versions of your software. Make sure that you are using the latest Ubuntu version with all security updates applied and that your Docker version is the latest stable version:
$ sudo apt-get update
$ sudo apt-get upgrade
On Ubuntu systems, Docker ships with an AppArmor profile (docker-default). This profile is installed and enforced with a Docker installation. Make sure that AppArmor is installed and working properly, and confirm that the docker-default profile is listed in enforce mode. AppArmor provides better protection against unknown vulnerabilities by confining what a container process can do even if it is compromised:
$ sudo apparmor_status
Next, configure the Docker daemon. You can list all the available daemon options with the following command:
$ docker daemon --help
On Ubuntu, daemon options are set in the DOCKER_OPTS variable in /etc/default/docker; alternatively, start the Docker daemon with all required settings from the command line. (Newer Docker releases name the daemon binary dockerd and read the same options from /etc/docker/daemon.json; docker daemon is the form used by the Docker version this recipe targets.) Open the file and add the options to the DOCKER_OPTS section:
$ sudo nano /etc/default/docker
DOCKER_OPTS="--icc=false --default-ulimit nproc=512:1024 --default-ulimit nofile=50:100 --storage-driver=overlay"
--icc=false disables inter-container communication over the default bridge, so containers can only talk to each other when you explicitly link or network them. The two --default-ulimit options cap the number of processes and open files a container gets by default; each value is a soft:hard pair. --storage-driver=overlay selects the overlay storage driver for image layers.
Restart the Docker daemon for the new options to take effect:
$ sudo service docker restart
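To verify that the daemon options above actually made it into the configuration file (a typo or a second, later DOCKER_OPTS assignment silently wins), here is an added shell check that is not part of the recipe. It reads a file in /etc/default/docker format, normalizes the flag spelling, and reports which of the expected hardening flags are missing; the flag list and the sample file are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the recipe: audit the DOCKER_OPTS line of a file in
# /etc/default/docker format for the hardening flags set above. The expected
# flag list and the sample file are constructed for this check.

# Flags the audit expects, written in the normalized "--name=value" form.
# The ulimit values are the recipe's choices, not a universal recommendation.
REQUIRED_FLAGS='--icc=false --default-ulimit=nproc=512:1024 --default-ulimit=nofile=50:100 --storage-driver=overlay'

# Print the effective DOCKER_OPTS value from a file: the last uncommented
# assignment wins, surrounding quotes are dropped, and "--flag value" is
# normalized to "--flag=value" so both spellings compare equal.
docker_opts_from_file() {
    grep -E '^[[:space:]]*DOCKER_OPTS=' "$1" | tail -n 1 \
        | sed -e 's/^[[:space:]]*DOCKER_OPTS=//' -e 's/^"//' -e 's/"$//' \
        | sed -E -e 's/--default-ulimit[[:space:]]+/--default-ulimit=/g' \
                 -e 's/--storage-driver[[:space:]]+/--storage-driver=/g'
}

# Print every required flag that is absent from the given DOCKER_OPTS string.
# The exit status is the number of missing flags, so 0 means fully configured.
audit_docker_opts() {
    opts="$1"
    missing=0
    for flag in $REQUIRED_FLAGS; do
        case " $opts " in
            *" $flag "*) ;;
            *) echo "missing: $flag"; missing=$((missing + 1)) ;;
        esac
    done
    return "$missing"
}

# Constructed sample of /etc/default/docker (not a real host file): the
# commented line is ignored, and the nofile limit has been left out on purpose.
SAMPLE_FILE="$(mktemp)"
cat > "$SAMPLE_FILE" <<'EOF'
# Docker Upstart and SysVinit configuration file (constructed sample)
#DOCKER_OPTS="--dns 8.8.8.8 --dns 8.8.4.4"
DOCKER_OPTS="--icc=false --default-ulimit nproc=512:1024 --storage-driver overlay"
EOF

opts="$(docker_opts_from_file "$SAMPLE_FILE")"
audit_docker_opts "$opts"
echo "flags missing from DOCKER_OPTS: $?"
rm -f "$SAMPLE_FILE"
```

Run it against the real file with docker_opts_from_file /etc/default/docker once you have edited it; a non-zero exit status tells you which flag to add before restarting the daemon.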
Docker also publishes the Docker Bench for Security script, which checks the host, the daemon configuration, and the running containers against common best practices. Download and run it:
$ git clone https://github.com/docker/docker-bench-security.git
$ cd docker-bench-security
$ sudo sh docker-bench-security.sh
Try to fix the issues reported by this script.
The most important part of a Docker container is its image. Make sure that you download or pull the images from a trusted repository. You can get most of the images from the official Docker repository, Docker Hub.
When building your own images, don't leave the container running as root. Create an unprivileged system user and group, and switch to it with the USER instruction so that every later instruction and the container's main process run as that user:
RUN groupadd -r user && useradd -r -g user user
USER user
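A Dockerfile can switch users more than once, and only the last USER instruction decides who the container's main process runs as, so a quick check of that final instruction is worth having in a build pipeline. The following shell check is an added example, not code from the recipe; the sample Dockerfiles are constructed, and it assumes the instruction is written in uppercase as in the snippet above.

```shell
#!/bin/sh
# Added example, not from the recipe: check which user a Dockerfile leaves the
# container running as. Only the last USER instruction matters, because a later
# "USER root" silently undoes an earlier switch. The sample Dockerfiles are
# constructed here; the instruction is assumed to be written in uppercase.

# Print the user (or UID) named by the final USER instruction, without any
# ":group" suffix. Prints nothing when the Dockerfile never switches user.
dockerfile_final_user() {
    grep -E '^[[:space:]]*USER[[:space:]]+' "$1" | tail -n 1 \
        | sed -E -e 's/^[[:space:]]*USER[[:space:]]+//' -e 's/[[:space:]]+$//' -e 's/:.*$//'
}

# Exit 0 when the image runs as a non-root user, 1 when it runs as root
# (explicitly, by UID 0, or because no USER instruction is present).
dockerfile_is_nonroot() {
    user="$(dockerfile_final_user "$1")"
    case "$user" in
        ""|root|0) return 1 ;;
        *) return 0 ;;
    esac
}

# Constructed sample Dockerfiles for the check.
WORK="$(mktemp -d)"
cat > "$WORK/Dockerfile.good" <<'EOF'
FROM ubuntu
RUN groupadd -r user && useradd -r -g user user
USER user
EOF
cat > "$WORK/Dockerfile.bad" <<'EOF'
FROM ubuntu
# USER nobody   <- a comment, not an instruction
RUN apt-get update
USER user
USER root
EOF

for f in "$WORK/Dockerfile.good" "$WORK/Dockerfile.bad"; do
    if dockerfile_is_nonroot "$f"; then
        echo "$f: runs as '$(dockerfile_final_user "$f")' (ok)"
    else
        echo "$f: runs as root (fix: make a non-root USER the last USER instruction)"
    fi
done
rm -rf "$WORK"
```

The check deliberately treats a missing USER instruction as root, since that is Docker's default, and accepts numeric UIDs other than 0 so that images using USER 1000:1000 pass.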
Limit the resources a container can consume so that a compromised or runaway container cannot starve the host; here the container gets a relative CPU share of 1024, a 512 MB memory limit, and is pinned to CPU 1:
$ docker run --cpu-shares 1024 --memory 512m --cpuset-cpus 1 ubuntu
Run containers with a read-only root filesystem, so that a process inside cannot modify the image contents (use volumes or tmpfs for the paths that must be writable):
$ docker run --read-only ubuntu
When sharing a host directory with a container, mount it read-only (the :ro suffix) unless the container really needs to write to it:
$ docker run -v /shared/path:/container/path:ro ubuntu
Finally, when a service only needs to be reachable from the host itself, bind its published port to the loopback address instead of all interfaces, which would expose it to the whole network:
$ docker run -p 127.0.0.1:3306:3306 mysql