Docker security

Detaching from the container without stopping Ctrl-P Ctrl-Q

Create docker user

$ sudo useradd dockeradmin

$ sudo passwd dockeradmin

$ sudo usermod -aG docker dockeradmin
  1. Users are not namespaced. Root in container is root on host. Create a user in Dockerfile. Change to the user via USER or su/sudo/gosu
    RUN groupadd -r user && useradd -r -g user user
    USER user
  2. Set container FS to read-only
    $ docker run --read-only debian touch x
    touch: cannot touch 'x': Read-only file system
  3. Set Volumes to read-only/Use Data Volume Containers
    $ docker run -v $(pwd)/secrets:/secrets:ro debian touch /secrets/x
    touch: cannot touch '/secrets/x': Read-only file system
    $ docker run --volumes-from my-secret-container myimage
  4. Drop capabilities
    $ docker run --cap-drop SETUID --cap-drop SETGID myimage
    $ docker run --cap-drop ALL --cap-add ...
    $ docker run -d myimage
    $ docker run -d -c 512 myimage
  6. Set Memory limits
    $ docker run -m 512m myimage
  7. Defang setuid/setgid binaries
// to find them
$ docker run debian \
   find / -perm +6000 -type f -exec ls -ld {} \; 2> dev/null

// to defang them
FROM debian:wheezy
RUN find / -perm +6000 -type f -exec chmod a-x {}; \; || true

Auditing (Immutable infrastructure, Audit images, not containers)


$ docker diff ...
$ scalock
$ twistlock
$ clair


Written on November 16, 2016