Docker security best practices Overview, docker Best Practices


/*************************************************
* Author: Samson
* Date: 08/07/2015
* Test platform:
* gcc (Ubuntu 4.8.2-19ubuntu1) 4.8.2
* GNU bash, version 4.3.11(1)-release (x86_64-pc-linux-gnu)
* Nginx versions:
* nginx 1.6.2
* nginx 1.8.0
*************************************************/

1. GRSEC and PaX

Harden the host system: a grsecurity/PaX kernel raises the bar for kernel exploits launched from inside a container.


2. Use Docker in combination with AppArmor/SELinux/TOMOYO

Use mandatory access control (MAC) to restrict what the Docker daemon and each container may touch, with a policy derived from an analysis of the specific business scenario rather than a generic default.


3. Limit traffic with iptables

Use netfilter to classify inbound and outbound traffic: determine the ports on which the application is actually reached from the Internet, and the addresses, ports and protocols the application itself talks to, build a whitelist from that, and enforce it with iptables so that everything else is denied.


4. Do not run software as root: do not run the application as the root user.

In practice some operations must be performed by root, so from a security standpoint that part should be decoupled from the part that only needs ordinary user permissions. In Docker, how does one run the part that does not need root under an ordinary user?


When writing a Dockerfile, use commands similar to the following to create an unprivileged user with a fixed UID and then switch to that user before the program is started:

RUN useradd noroot -u 1000 -s /bin/bash --no-create-home

USER noroot

RUN Application_name


Docker command reference:

https://docs.docker.com/reference/builder/#user

https://docs.docker.com/reference/builder/#run


5. Do not use the --privileged option with docker run.

By default a Docker container has no extra privileges and cannot access any host device. With --privileged the container can access all devices: anything under /dev/ on the host can be operated on from inside it. If the container needs only specific devices, add them individually with --device instead of exposing all of them.


Ref:

https://docs.docker.com/reference/run/#security-configuration


6. Use --cap-drop and --cap-add

These two options give finer-grained control: they remove or add individual Linux capabilities for the container. The names accepted are all the capabilities listed at http://linux.die.net/man/7/capabilities.


Ref:

https://docs.docker.com/reference/run/#security-configuration

http://linux.die.net/man/7/capabilities
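An added audit script, not part of the original article, that checks `docker inspect` output against points 4 to 6 above: the configured user, --privileged, capability handling and --device mappings. The container names and inspect values below are constructed sample data; the field names (Config.User, HostConfig.Privileged, CapAdd, CapDrop, Devices) are the ones docker inspect emits.

```python
"""Audit `docker inspect` output for the hardening points in sections 4 to 6."""
import json

# Constructed sample: the shape of `docker inspect <container>` output, trimmed
# to the fields this script checks. Names and values are made up for the demo.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/web-hardened",
     "Config": {"User": "noroot"},
     "HostConfig": {"Privileged": False,
                    "CapAdd": ["NET_BIND_SERVICE"], "CapDrop": ["ALL"],
                    "Devices": []}},
    {"Name": "/web-legacy",
     "Config": {"User": ""},
     "HostConfig": {"Privileged": True, "CapAdd": None, "CapDrop": None,
                    "Devices": [{"PathOnHost": "/dev/sda",
                                 "PathInContainer": "/dev/sda",
                                 "CgroupPermissions": "rwm"}]}},
])


def audit_container(entry):
    """Return a list of findings for one element of the docker inspect array."""
    findings = []
    cfg, host = entry.get("Config", {}), entry.get("HostConfig", {})
    # Section 4: an empty User means the process runs as root (UID 0).
    user = (cfg.get("User") or "").split(":")[0]
    if user in ("", "0", "root"):
        findings.append("runs as root")
    # Section 5: --privileged hands the container every host device and capability.
    if host.get("Privileged"):
        findings.append("--privileged is set")
    # Section 6: expect --cap-drop=ALL followed by an explicit --cap-add list.
    drop = [c.upper() for c in (host.get("CapDrop") or [])]
    add = [c.upper() for c in (host.get("CapAdd") or [])]
    if "ALL" not in drop:
        findings.append("capabilities not dropped with --cap-drop=ALL")
    if "ALL" in add or "SYS_ADMIN" in add:
        findings.append("broad capability added: " + ", ".join(add))
    # Section 5: each --device mapping is one more piece of the host reachable inside.
    for dev in host.get("Devices") or []:
        findings.append("host device mapped: %s (%s)"
                        % (dev.get("PathOnHost"), dev.get("CgroupPermissions")))
    return findings


def audit(inspect_json):
    """Map container name -> findings for a whole docker inspect JSON array."""
    return {e["Name"].lstrip("/"): audit_container(e) for e in json.loads(inspect_json)}


if __name__ == "__main__":
    for name, issues in audit(SAMPLE_INSPECT).items():
        print(name, "->", issues or ["ok"])
```

On a real host, feed it the output of `docker inspect $(docker ps -q)` instead of the embedded sample.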


7. Follow Docker vulnerability disclosures and apply the security patches that fix them promptly.


REF:

http://linux-audit.com/docker-security-best-practices-for-your-vessel-and-containers/
