Docker security best practices overview
/*************************************************
 * Author: Samson
 * Date: 08/07/2015
 * Test platform:
 *   gcc (Ubuntu 4.8.2-19ubuntu1) 4.8.2
 *   GNU bash, version 4.3.11(1)-release (x86_64-pc-linux-gnu)
 * Nginx version:
 *   nginx 1.6.2
 *   nginx 1.8.0
 *************************************************/
1. GRSEC and PaX
Harden the host kernel with grsecurity and PaX.
2. Use Docker together with AppArmor/SELinux/TOMOYO
Apply mandatory access control (MAC) to the resources Docker uses, with a policy derived from an analysis of the specific business scenario.
3. Limit traffic with iptables
Use netfilter to restrict inbound and outbound network access. Based on the ports through which the application is actually reached from the Internet, and on the addresses, ports and protocols the application itself needs to talk to, draw up a whitelist and configure it with iptables so that only that traffic is allowed.
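As an added example (not code from the original article), the script below turns such a whitelist into a default-deny iptables rule set. The whitelist entries are constructed for a hypothetical web server that accepts HTTP/HTTPS from anywhere, SSH from a management network, and talks to one database host and one DNS resolver; the rules are returned as command strings so they can be reviewed before being applied.

```python
"""Generate a default-deny iptables whitelist from the ports an application uses.

Added example, not code from the original article. Rules are produced as
command strings for review; nothing is applied by this script.
"""

# Constructed whitelist: (direction, protocol, port, remote address/CIDR)
WHITELIST = [
    ("in", "tcp", 80, "0.0.0.0/0"),        # public HTTP
    ("in", "tcp", 443, "0.0.0.0/0"),       # public HTTPS
    ("in", "tcp", 22, "10.0.0.0/8"),       # SSH from the management network only
    ("out", "tcp", 5432, "10.1.2.3/32"),   # PostgreSQL on one internal host
    ("out", "udp", 53, "10.0.0.2/32"),     # internal DNS resolver
]


def build_rules(whitelist):
    """Return the iptables commands for a default-deny INPUT/OUTPUT policy
    that allows loopback, replies to established flows, and exactly the
    new connections named in the whitelist."""
    rules = [
        "iptables -P INPUT DROP",
        "iptables -P OUTPUT DROP",
        "iptables -A INPUT -i lo -j ACCEPT",
        "iptables -A OUTPUT -o lo -j ACCEPT",
        "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
        "iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    for entry in whitelist:
        direction, proto, port, addr = entry
        if proto not in ("tcp", "udp") or not 0 < port < 65536:
            raise ValueError("bad whitelist entry: %r" % (entry,))
        if direction == "in":
            rules.append("iptables -A INPUT -p %s -s %s --dport %d "
                         "-m conntrack --ctstate NEW -j ACCEPT" % (proto, addr, port))
        elif direction == "out":
            rules.append("iptables -A OUTPUT -p %s -d %s --dport %d "
                         "-m conntrack --ctstate NEW -j ACCEPT" % (proto, addr, port))
        else:
            raise ValueError("direction must be 'in' or 'out': %r" % (entry,))
    return rules


if __name__ == "__main__":
    for rule in build_rules(WHITELIST):
        print(rule)
```

Note that this rule set governs traffic delivered to and sent by the host itself. Connections to ports published with docker run -p are forwarded into the container and therefore pass through the FORWARD chain, which Docker manages with its own rules, so container-facing restrictions have to be placed there rather than in INPUT.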
4. Do not run software as root: do not use the root user to run the application.
In practice some operations must be performed by root, so from a security perspective that part should be decoupled from the part that only needs ordinary user permissions. In Docker, how does one run the part that does not require root under an ordinary user?
When writing the Dockerfile, create a user with normal permissions using a command like the one below, choose its UID, and switch to that user before the program is run, as follows:
RUN useradd -u 1000 -s /bin/bash --no-create-home noroot
USER noroot
# every RUN, CMD and ENTRYPOINT that follows now executes as noroot
CMD ["application_name"]
Docker command reference:
https://docs.docker.com/reference/builder/#user
https://docs.docker.com/reference/builder/#run
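As an added example (not code from the original article or from Docker), the following check parses a Dockerfile far enough to determine which user the container's main process will run as, which is the property section 4 is about. A USER instruction applies to every later RUN, CMD and ENTRYPOINT, and Docker starts from root, so the last USER before the end of the file decides. The three Dockerfiles are constructed samples.

```python
"""Determine the effective runtime user of a Dockerfile.

Added example, not code from the original article or from Docker. It
understands USER, CMD, ENTRYPOINT, comments and backslash continuations,
which is enough to answer "does the main process run as root?".
"""
import re

# Constructed sample: the pattern recommended above, with CMD for the program.
GOOD_DOCKERFILE = """\
FROM ubuntu:14.04
RUN useradd -u 1000 -s /bin/bash --no-create-home noroot
USER noroot
CMD ["/opt/app/application_name"]
"""

# Constructed sample: no USER instruction, so the process runs as root.
BAD_DOCKERFILE = """\
FROM ubuntu:14.04
# install the web server
RUN apt-get update && \\
    apt-get install -y nginx
CMD ["nginx", "-g", "daemon off;"]
"""

# Constructed sample: drops privileges for a build step, then switches back.
SWITCH_BACK_DOCKERFILE = """\
FROM ubuntu:14.04
RUN useradd -u 1000 noroot
USER noroot
RUN echo building as noroot
USER root
CMD ["application_name"]
"""


def parse_instructions(text):
    """Yield (INSTRUCTION, argument) pairs, joining backslash continuations
    and dropping blank lines and comment lines."""
    buf = ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        entry = (buf + line).strip()
        buf = ""
        m = re.match(r"(\w+)\s*(.*)", entry)
        if m:
            yield m.group(1).upper(), m.group(2).strip()


def effective_user(text):
    """Return the user the main process runs as: 'root' unless the last USER
    instruction names a non-root user ('user:group' is reduced to the user,
    and UID 0 counts as root)."""
    user = "root"
    for instr, arg in parse_instructions(text):
        if instr == "USER" and arg:
            user = arg.split(":", 1)[0]
    return "root" if user in ("root", "0") else user


def check_dockerfile(text):
    """Return a list of findings; an empty list means the main process is not root."""
    findings = []
    if effective_user(text) == "root":
        findings.append("main process runs as root: add a non-root USER before CMD/ENTRYPOINT")
    if not any(i in ("CMD", "ENTRYPOINT") for i, _ in parse_instructions(text)):
        findings.append("no CMD or ENTRYPOINT: the image does not define what runs")
    return findings


if __name__ == "__main__":
    for name, df in (("good", GOOD_DOCKERFILE), ("bad", BAD_DOCKERFILE),
                     ("switch-back", SWITCH_BACK_DOCKERFILE)):
        print(name, "->", effective_user(df), check_dockerfile(df))
```

To run it against a real image definition, read the Dockerfile into a string and pass it to check_dockerfile; the "switch-back" sample shows why the last USER matters rather than the first.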
5. Do not use the --privileged option with docker run.
By default a Docker container has no privileges and cannot access any device. With --privileged the container can access all devices: it can, for example, operate on every device under /dev on the host. If the container needs particular host devices, use --device to add just those devices instead of all of them.
Ref:
https://docs.docker.com/reference/run/#security-configuration
6. Use --cap-drop and --cap-add
These two options give finer-grained control: they add or remove Linux capabilities for the container. The parameter names accepted are all the capabilities listed at http://linux.die.net/man/7/capabilities.
Ref:
https://docs.docker.com/reference/run/#security-configuration
http://linux.die.net/man/7/capabilities
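As an added example covering sections 5 and 6 (not code from the original article or from Docker), the script below audits running containers for exactly those settings by reading the HostConfig section that docker inspect prints: Privileged, Devices, CapAdd and CapDrop. The JSON is a constructed sample trimmed to the fields the audit reads; the severities assigned are the example's own choice.

```python
"""Audit --privileged, --device, --cap-add and --cap-drop from 'docker inspect'.

Added example, not code from the original article or from Docker. The JSON
below is a constructed sample of the array 'docker inspect' emits, reduced
to the HostConfig fields this audit reads.
"""
import json
import sys

SAMPLE_INSPECT = json.dumps([
    {
        "Name": "/web",
        "HostConfig": {
            "Privileged": False,
            "Devices": [],
            "CapAdd": ["NET_BIND_SERVICE"],
            "CapDrop": ["ALL"],
        },
    },
    {
        "Name": "/build-agent",
        "HostConfig": {
            "Privileged": True,
            "Devices": [{"PathOnHost": "/dev/sda", "PathInContainer": "/dev/sda",
                         "CgroupPermissions": "rwm"}],
            "CapAdd": None,
            "CapDrop": None,
        },
    },
])


def audit_container(entry):
    """Return (severity, message) findings for one 'docker inspect' entry."""
    hc = entry.get("HostConfig") or {}
    findings = []
    if hc.get("Privileged"):
        findings.append(("HIGH", "--privileged: container can reach every device under /dev on the host"))
    # --device entries are the preferred, narrower form; list them for review.
    for dev in hc.get("Devices") or []:
        findings.append(("INFO", "--device %s -> %s (%s)" % (
            dev.get("PathOnHost"), dev.get("PathInContainer"), dev.get("CgroupPermissions"))))
    cap_add = hc.get("CapAdd") or []
    cap_drop = hc.get("CapDrop") or []
    if "ALL" not in cap_drop:
        findings.append(("MEDIUM", "default capability set kept: consider --cap-drop=ALL and --cap-add only what is needed"))
    for cap in cap_add:
        findings.append(("INFO", "--cap-add=%s" % cap))
    return findings


def audit_inspect_output(text):
    """Map container name -> findings for the JSON array 'docker inspect' prints."""
    return {entry.get("Name"): audit_container(entry) for entry in json.loads(text)}


if __name__ == "__main__":
    # Pipe real output in with:  docker inspect <container...> | python audit.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_INSPECT
    for name, findings in audit_inspect_output(text).items():
        print(name)
        for severity, message in findings:
            print("  [%s] %s" % (severity, message))
```

The /web container in the sample is the shape sections 5 and 6 recommend: not privileged, no host devices, everything dropped and only the one capability it needs added back, so the audit reports just that one capability for review.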
7. Follow Docker vulnerability announcements and apply the security patches that fix them promptly.
Ref:
http://linux-audit.com/docker-security-best-practices-for-your-vessel-and-containers/
Copyright Disclaimer: This article is an original article by the blogger and cannot be reproduced without the permission of the blogger.