Docker security

Detach from a container without stopping it: Ctrl-P Ctrl-Q

Create docker user

$ sudo useradd dockeradmin

$ sudo passwd dockeradmin

$ sudo usermod -aG docker dockeradmin
  1. Users are not namespaced: root in the container is root on the host. Create a user in the Dockerfile and switch to it via USER (or su/sudo/gosu at runtime).
    RUN groupadd -r user && useradd -r -g user user
    USER user
    
  2. Set container FS to read-only
    $ docker run --read-only debian touch x
    touch: cannot touch 'x': Read-only file system
    
  3. Set Volumes to read-only/Use Data Volume Containers
    $ docker run -v $(pwd)/secrets:/secrets:ro debian touch /secrets/x
    touch: cannot touch '/secrets/x': Read-only file system
    $ docker run --volumes-from my-secret-container myimage
    
  4. Drop capabilities
    $ docker run --cap-drop SETUID --cap-drop SETGID myimage
    $ docker run --cap-drop ALL --cap-add ...
    
  5. Set CPU shares (-c / --cpu-shares; the default weight is 1024)
    $ docker run -d myimage
    $ docker run -d -c 512 myimage
    
  6. Set Memory limits
    $ docker run -m 512m myimage
    
  7. Defang setuid/setgid binaries
    # to find them (-perm /6000 matches files with the setuid or setgid bit; the older +6000 form is rejected by current find)
    $ docker run debian \
       find / -perm /6000 -type f -exec ls -ld {} \; 2> /dev/null

    # to defang them (chmod a-s clears the setuid/setgid bits; || true keeps the build going if find hits unreadable paths)
    FROM debian:wheezy
    RUN find / -perm /6000 -type f -exec chmod a-s {} \; || true
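Items 1 to 6 above are all settings that show up in `docker inspect` output, so they can be checked after the fact rather than trusted from the command line. The following audit script is an added example, not part of the original notes or of any Docker tooling; the field names (`Config.User`, `HostConfig.ReadonlyRootfs`, `HostConfig.CapDrop`, `HostConfig.Memory`, `HostConfig.CpuShares`, `Mounts[].RW`) are the real ones from the Docker Engine API, while the two JSON records are constructed samples of the shape `docker inspect <container>` prints. It only sees what the inspect record contains: a named `User` that resolves to uid 0 inside the image is not detected.

```python
"""Audit a container's runtime hardening from `docker inspect` output.

Added example (not from the original notes). Checks: non-root user,
read-only root filesystem, read-only mounts, dropped SETUID/SETGID (or ALL),
memory limit, CPU share weight, and --privileged.
"""
import json
import subprocess

# Constructed sample: a container started with plain `docker run -v /srv/secrets:/secrets`.
DEFAULT_INSPECT = json.dumps([{
    "Name": "/webapp-default",
    "Config": {"User": ""},
    "HostConfig": {
        "ReadonlyRootfs": False, "Privileged": False,
        "CapDrop": [], "CapAdd": [],
        "Memory": 0, "CpuShares": 0,
    },
    "Mounts": [{"Type": "bind", "Source": "/srv/secrets",
                "Destination": "/secrets", "RW": True}],
}])

# Constructed sample: the same container started with the flags from items 1-6
# (--user user --read-only -v /srv/secrets:/secrets:ro --cap-drop ALL -m 512m -c 512).
HARDENED_INSPECT = json.dumps([{
    "Name": "/webapp-hardened",
    "Config": {"User": "user"},
    "HostConfig": {
        "ReadonlyRootfs": True, "Privileged": False,
        "CapDrop": ["ALL"], "CapAdd": [],
        "Memory": 512 * 1024 * 1024, "CpuShares": 512,
    },
    "Mounts": [{"Type": "bind", "Source": "/srv/secrets",
                "Destination": "/secrets", "RW": False}],
}])

# Values of Config.User that mean "root" without further lookup.
ROOT_USERS = {"", "root", "0"}


def audit_container(inspect_json: str) -> list:
    """Return a list of findings; an empty list means every check passed."""
    record = json.loads(inspect_json)[0]
    host = record.get("HostConfig", {})
    findings = []

    user = record.get("Config", {}).get("User", "")
    if user.split(":")[0] in ROOT_USERS:
        findings.append("runs as root: add USER to the Dockerfile or pass --user")

    if host.get("Privileged"):
        findings.append("--privileged: all capabilities and host devices exposed")

    if not host.get("ReadonlyRootfs"):
        findings.append("root filesystem is writable: start with --read-only")

    for mount in record.get("Mounts", []):
        if mount.get("RW", True):
            findings.append(f"mount {mount['Destination']} is writable: add :ro")

    drops = set(host.get("CapDrop") or [])   # older daemons report null here
    if "ALL" not in drops and not {"SETUID", "SETGID"} <= drops:
        findings.append("SETUID/SETGID kept: use --cap-drop ALL --cap-add <needed>")

    if not host.get("Memory"):
        findings.append("no memory limit: pass -m/--memory")
    if not host.get("CpuShares"):
        findings.append("no CPU share weight: pass -c/--cpu-shares")
    return findings


def audit_running(name: str) -> list:
    """Audit a live container by name or id (needs a working `docker` CLI)."""
    out = subprocess.run(["docker", "inspect", name], check=True,
                         capture_output=True, text=True).stdout
    return audit_container(out)


if __name__ == "__main__":
    for label, sample in (("default", DEFAULT_INSPECT), ("hardened", HARDENED_INSPECT)):
        findings = audit_container(sample)
        print(f"{label}: {'PASS' if not findings else 'FAIL'}")
        for line in findings:
            print("  -", line)
```

Run it against a real container with `audit_running("webapp")`, or pipe `docker inspect` output into `audit_container` from a CI job that refuses to promote images whose run configuration produces findings.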
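The same setuid/setgid search can be run against an image root filesystem that has been exported to a directory (for instance with `docker export`), which fits the "audit images, not containers" approach below. This is an added example, not part of the original notes: it reimplements `find / -perm /6000 -type f` and `chmod a-s` in Python so it can be tested offline, and the demo tree it builds (`usr/bin/ping`, `usr/bin/wall`, `usr/bin/cat`) is a constructed sample, not a real image.

```python
"""Find and defang setuid/setgid files under a root directory.

Added example (not from the original notes). Equivalent to
`find ROOT -perm /6000 -type f` followed by `chmod a-s` on each hit.
"""
import os
import stat
import tempfile

SETID_BITS = stat.S_ISUID | stat.S_ISGID


def find_setid(root: str) -> list:
    """Return sorted paths of regular files under root with setuid or setgid set."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)          # lstat: do not follow symlinks out of the tree
            except OSError:
                continue                     # unreadable/vanished, like 2>/dev/null above
            if stat.S_ISREG(st.st_mode) and st.st_mode & SETID_BITS:
                hits.append(path)
    return sorted(hits)


def strip_setid(root: str) -> list:
    """Clear the setuid/setgid bits (chmod a-s) on every hit; return the changed paths."""
    changed = []
    for path in find_setid(root):
        mode = stat.S_IMODE(os.lstat(path).st_mode)
        os.chmod(path, mode & ~SETID_BITS)   # keep rwx bits, drop only the set-id bits
        changed.append(path)
    return changed


def build_demo_tree() -> str:
    """Constructed sample rootfs: one setuid file, one setgid file, one plain file."""
    root = tempfile.mkdtemp(prefix="rootfs-")
    os.makedirs(os.path.join(root, "usr", "bin"))
    for rel, mode in (("usr/bin/ping", 0o4755),   # setuid
                      ("usr/bin/wall", 0o2755),   # setgid
                      ("usr/bin/cat", 0o755)):    # ordinary executable
        path = os.path.join(root, rel)
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\n")
        os.chmod(path, mode)
    return root


def demo() -> dict:
    """Build the sample tree, defang it, and report what was found before and after."""
    root = build_demo_tree()
    before = [os.path.relpath(p, root) for p in find_setid(root)]
    stripped = [os.path.relpath(p, root) for p in strip_setid(root)]
    after = [os.path.relpath(p, root) for p in find_setid(root)]
    return {"root": root, "before": before, "stripped": stripped, "after": after}


if __name__ == "__main__":
    report = demo()
    print("setid files before:", report["before"])
    print("defanged:          ", report["stripped"])
    print("setid files after: ", report["after"])
```

Point `find_setid` at an exported image tree to get the list of binaries that would need an exception before you adopt the `chmod a-s` Dockerfile step; anything on that list that the application genuinely needs (for example, a process that must bind a low port) is better handled with a specific `--cap-add` than by leaving the set-id bit in place.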

Auditing (Immutable infrastructure, Audit images, not containers)

tools:

$ docker diff ...
$ scalock
$ twistlock
$ clair

Reference: https://www.youtube.com/watch?v=A32Yjizt2_s

Written on November 16, 2016