Docker Container Security tips and tricks

Jon Goldman
2 min read · Mar 24, 2021

Docker security is an area you have to keep up with, because this part of the stack changes at a fast pace. This post covers a few basic topics you should be aware of from a technical standpoint.

There are a lot of articles on this topic; the most prominent sources in this space are companies like Snyk and Sysdig.

Snyk's top 10 Docker security best practices are publicly available; for Sysdig's whitepaper you have to fill out a form before you can download it.

Docker's own documentation describes containers as quite secure by default, especially if you run your processes as non-privileged users inside the container.

You can add an extra layer of safety by enabling AppArmor, SELinux, GRSEC, or another appropriate hardening system.

  1. Update Docker and the host regularly — this one is a no-brainer, but make sure the updates are not limited to the platform itself. Running containers do not update themselves; rebuild and redeploy your containers from updated base images as well.
  2. Configure resource quotas — also a no-brainer if you have experience with other virtualization platforms like VMware or Hyper-V. Do the math and make sure a single container cannot exhaust the host's CPU, memory or process table (--memory, --cpus and --pids-limit on docker run); do not oversubscribe the host.
  3. Use non-root users — stick to non-root users inside the container. Note that this is not a Docker default: unless the image sets USER (or you pass --user to docker run), the container's process runs as root. Worse still is --privileged, which gives the container every capability and access to host devices; it is a significant safety hazard and should not be used.
  4. Limit capabilities — the safest way to configure container capabilities is to drop all of them (--cap-drop=ALL) and then add back only the ones the workload needs (for example --cap-add=NET_BIND_SERVICE for a server that binds port 80).
  5. Prohibit new privileges — to stop container processes from gaining new privileges via setuid or file-capability binaries, pass --security-opt with the value no-new-privileges:true to docker run. This complements rather than replaces --cap-add and --cap-drop: the capabilities you grant the container's initial process remain in effect, but nothing inside can escalate beyond them.
  6. Use only trusted images — prefer official or verified-publisher images, pin them by digest, and scan them before use.
  7. Keep images and containers light — fewer packages mean a smaller attack surface and fewer CVEs to patch.
  8. Secure registries — require TLS and authentication; never use an insecure registry in production.
  9. Don't expose the Docker daemon socket — mounting /var/run/docker.sock into a container, or exposing the API over TCP without TLS, is equivalent to handing out root on the host.
  10. Monitor APIs and network security — restrict and audit access to the Docker API, and limit container-to-container traffic with user-defined networks instead of the default bridge.
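Items 2 to 5 are all flags on the same docker run line, and item 9 is a pattern you can grep for. The script below, an added example that is not code from the original post, assembles the hardened line and then audits an arbitrary docker run line for the anti-patterns the list warns about. It goes slightly beyond the list by also adding --read-only and a noexec tmpfs. The image name, the uid 10001 and the limit values are assumptions; nothing here talks to a Docker daemon, so it runs offline.

```shell
#!/bin/sh
# Added example, not from the original post. Builds a hardened `docker run`
# line (items 2-5) and audits any docker run line for the anti-patterns the
# list warns about (items 2-5 and 9). Image names, uid 10001 and the limit
# values are assumptions; nothing here talks to a Docker daemon.

# Print the docker run line a practitioner would combine:
#   --user                            non-root uid:gid (item 3)
#   --cap-drop=ALL / --cap-add        drop everything, add back only what is needed (item 4)
#   --security-opt                    block privilege escalation via setuid binaries (item 5)
#   --memory / --cpus / --pids-limit  resource quotas (item 2)
#   --read-only / --tmpfs             immutable rootfs, writable scratch without exec
hardened_run_args() {
  echo "docker run --rm" \
    "--user 10001:10001" \
    "--cap-drop=ALL --cap-add=NET_BIND_SERVICE" \
    "--security-opt=no-new-privileges:true" \
    "--memory=256m --cpus=0.5 --pids-limit=100" \
    "--read-only --tmpfs /tmp:rw,noexec,nosuid,size=16m" \
    "-p 8080:80 $1"
}

# Audit a docker run command line. Prints one finding per line on stderr and
# returns 0 only when no finding fired. These are string matches on the flags
# discussed in the post, not a full argument parser.
audit_run_cmd() {
  cmd="$1"
  rc=0
  case " $cmd " in *" --privileged "*)
    echo "FAIL: --privileged grants all capabilities and host devices (item 3)" >&2; rc=1 ;;
  esac
  case "$cmd" in *"/var/run/docker.sock"*)
    echo "FAIL: daemon socket mounted; this equals root on the host (item 9)" >&2; rc=1 ;;
  esac
  case "$cmd" in *"--cap-drop=ALL"*|*"--cap-drop ALL"*) ;; *)
    echo "WARN: capabilities not dropped (item 4)" >&2; rc=1 ;;
  esac
  case "$cmd" in *"no-new-privileges"*) ;; *)
    echo "WARN: missing --security-opt=no-new-privileges (item 5)" >&2; rc=1 ;;
  esac
  case "$cmd" in *"--user "*|*"--user="*|*" -u "*) ;; *)
    echo "WARN: no --user; process runs as root unless the image sets USER (item 3)" >&2; rc=1 ;;
  esac
  case "$cmd" in *"--memory"*|*" -m "*) ;; *)
    echo "WARN: no memory limit (item 2)" >&2; rc=1 ;;
  esac
  return "$rc"
}

# Constructed sample of the pattern the post warns against (not a real deployment).
RISKY_CMD='docker run --privileged -v /var/run/docker.sock:/var/run/docker.sock nginx'

# Usage: print the hardened line, then audit both lines.
hardened_run_args nginx:1.25-alpine
audit_run_cmd "$(hardened_run_args nginx:1.25-alpine)" && echo "hardened line: clean"
audit_run_cmd "$RISKY_CMD" || echo "risky line: findings above"
```

The image-side counterpart of --user is a USER 10001:10001 line in the Dockerfile; passing --user at run time protects you when an image you did not build omits it. The audit is deliberately a string check so it can sit in a pre-commit hook or CI job over shell scripts and compose-generated commands; for anything more rigorous, inspect the running container with docker inspect rather than its command line.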

Jon Goldman: Cloud Security, Automation, DevOps, AWS, Azure, GCP