Docker security

Detaching from the container without stopping it: Ctrl-P Ctrl-Q

Create docker user

$ sudo useradd dockeradmin
$ sudo passwd dockeradmin
$ sudo usermod -aG docker dockeradmin

1. User IDs are not namespaced (unless user namespace remapping is enabled): root in the container is root on the host. Create an unprivileged user in the Dockerfile and switch to it with USER (or su/sudo/gosu at runtime).

RUN groupadd -r user && useradd -r -g user user
USER user

2. Set container FS to read-only

$ docker run --read-only debian touch x
touch: cannot touch 'x': Read-only file system

3. Set Volumes to read-only/Use Data Volume Containers

$ docker run -v $(pwd)/secrets:/secrets:ro debian touch /secrets/x
touch: cannot touch '/secrets/x': Read-only file system

$ docker run --volumes-from my-secret-container myimage

4. Drop capabilities

$ docker run --cap-drop SETUID --cap-drop SETGID myimage
$ docker run --cap-drop ALL --cap-add ...

5. Set CPU shares

$ docker run -d myimage
$ docker run -d -c 512 myimage

6. Set Memory limits

$ docker run -m 512m myimage

7. Defang setuid/setgid binaries

# to find them (-perm /6000 matches files with the setuid or setgid bit set)
$ docker run debian \
   find / -perm /6000 -type f -exec ls -ld {} \; 2> /dev/null

# to defang them (strip the setuid/setgid bits; the binaries stay executable)
FROM debian:wheezy
RUN find / -perm /6000 -type f -exec chmod a-s {} \; || true


8. Auditing (Immutable infrastructure, Audit images, not containers)

$ docker diff ...

Image scanning tools: Scalock, Twistlock, Clair
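As an added example (not part of the original notes), a small auditor that checks a `docker inspect` record against controls 1 to 6 above. The sample record is constructed inline but uses the real `docker inspect` field names (Config.User, HostConfig.ReadonlyRootfs, HostConfig.CapDrop, HostConfig.Memory, HostConfig.CpuShares, Mounts[].RW).

```python
import json

# Added example, not from the original notes. SAMPLE_INSPECT is a constructed
# record in the shape `docker inspect <container>` prints (real field names):
# a container started with none of the hardening flags except a read-only
# bind mount of ./secrets.
SAMPLE_INSPECT = json.dumps([{
    "Config": {"User": ""},
    "HostConfig": {"Privileged": False, "ReadonlyRootfs": False,
                   "CapDrop": None, "Memory": 0, "CpuShares": 0},
    "Mounts": [
        {"Type": "bind", "Destination": "/secrets", "Mode": "ro", "RW": False},
        {"Type": "volume", "Destination": "/data", "Mode": "", "RW": True},
    ],
}])


def audit_container(inspect_json):
    """Return one finding per control from steps 1-6 that is not in place."""
    findings = []
    for c in json.loads(inspect_json):
        cfg, hc = c["Config"], c["HostConfig"]
        # 1. root inside the container is root on the host
        if cfg.get("User", "") in ("", "root", "0"):
            findings.append("runs as root: set USER in the Dockerfile or --user")
        # 2. writable root filesystem
        if not hc.get("ReadonlyRootfs"):
            findings.append("root filesystem is writable: use --read-only")
        # 3. writable mounts (a read-only mount shows RW: false)
        for m in c.get("Mounts", []):
            if m.get("RW", True):
                findings.append(f"mount {m['Destination']} is writable: append :ro")
        # 4. capabilities: --privileged, or nothing dropped
        if hc.get("Privileged"):
            findings.append("privileged container: drop --privileged")
        elif not (hc.get("CapDrop") or []):
            findings.append("no capabilities dropped: use --cap-drop")
        # 5/6. resource limits (0 means unlimited in docker inspect)
        if not hc.get("CpuShares"):
            findings.append("no CPU shares set: use -c")
        if not hc.get("Memory"):
            findings.append("no memory limit: use -m")
    return findings


if __name__ == "__main__":
    for finding in audit_container(SAMPLE_INSPECT):
        print("FINDING:", finding)
```

Run it against real output with `docker inspect <container> > c.json` and pass the file contents to `audit_container`.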