/*************************************************
* Author: samson
* Date: 08/07/2015
* Test Platform:
* GCC (Ubuntu 4.8.2-19ubuntu1) 4.8.2
* GNU Bash, 4.3.11 (1)-release (X86_64-PC-LINUX-GNU)
* Nginx Version:
* Nginx 1.6.2
* Nginx 1.8.0
* ***********************************************/
1. grsecurity and PaX
Harden the host kernel with grsecurity and PaX to strengthen the host system.
2. Use Docker in combination with AppArmor/SELinux/TOMOYO
Use mandatory access control (MAC) to confine the resources a Docker container may use, based on an analysis of the specific business scenario.
3. Limit traffic with iptables
Using Netfilter, enumerate what the application actually needs: the ports it exposes to the external network and the external addresses, ports and protocols it must reach. Turn that into a whitelist and configure it with iptables so that all other access is restricted.
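The whitelist approach from point 3, as an added example that is not part of the original post: the script turns a small whitelist file (a format I made up for this example: one "in"/"out" entry per line) into iptables commands with default-DROP policies. It only prints the commands so they can be reviewed before being applied as root; the addresses in the sample whitelist are constructed placeholders from the TEST-NET-3 range.

```shell
#!/bin/sh
# Added example (not from the original post): turn an inbound/outbound
# whitelist into iptables commands. Nothing is applied; the commands are
# printed for review and must be run as root to take effect.
#
# Whitelist format (assumed for this example, '#' starts a comment):
#   in  <proto> <port>              accept new inbound connections to a local port
#   out <proto> <address> <port>    accept new outbound connections to address:port
# Everything not listed is caught by the default DROP policies.

gen_iptables_rules() {
    whitelist="$1"

    printf '%s\n' "iptables -P INPUT DROP"
    printf '%s\n' "iptables -P FORWARD DROP"
    printf '%s\n' "iptables -P OUTPUT DROP"
    # packets belonging to already-accepted connections are always allowed
    printf '%s\n' "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    printf '%s\n' "iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # loopback is needed by most applications
    printf '%s\n' "iptables -A INPUT -i lo -j ACCEPT"
    printf '%s\n' "iptables -A OUTPUT -o lo -j ACCEPT"

    # strip comments and blank lines, then emit one rule per whitelist entry
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$whitelist" | while read -r dir proto a b; do
        case "$dir $proto" in
            "in tcp"|"in udp")
                printf '%s\n' "iptables -A INPUT -p $proto --dport $a -m conntrack --ctstate NEW -j ACCEPT" ;;
            "out tcp"|"out udp")
                printf '%s\n' "iptables -A OUTPUT -p $proto -d $a --dport $b -m conntrack --ctstate NEW -j ACCEPT" ;;
            *)
                printf 'skipping malformed line: %s %s %s %s\n' "$dir" "$proto" "$a" "$b" >&2 ;;
        esac
    done
}

# Constructed sample whitelist: a web service that talks to a database and DNS.
write_sample_whitelist() {
    cat > "$1" <<'EOF'
# inbound: the service listens on 80 and 443
in  tcp 80
in  tcp 443
# outbound: database and DNS (placeholder addresses from TEST-NET-3)
out tcp 203.0.113.10 5432
out udp 203.0.113.53 53
EOF
}

if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp)
    write_sample_whitelist "$tmp"
    gen_iptables_rules "$tmp"
    rm -f "$tmp"
fi
```

Run with `--demo` to see the generated rule set; the conntrack rules are what let replies to whitelisted connections through even though the OUTPUT and INPUT policies are DROP.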
4. Do not run software as root
In practice some operations must be performed by root, and from a security standpoint that part should be decoupled from the part that only needs ordinary user rights. So how do you run the parts that do not require root as an ordinary user inside Docker?
When writing the Dockerfile, create a user with normal permissions using a command like the following, switch to that user with USER, and then start the program so it runs under that UID:
# create an unprivileged user with a fixed UID and no home directory
RUN useradd noroot -u 1000 -s /bin/bash --no-create-home
# every later instruction, and the running container, uses this user
USER noroot
# start the application at container start (CMD, not RUN, which would only execute it at build time)
CMD ["application_name"]
Docker Command Reference:
https://docs.docker.com/reference/builder/#user
https://docs.docker.com/reference/builder/#run
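A simple check for the rule in point 4, as an added example that is not part of the original post: the function looks at the last USER instruction in a Dockerfile and fails when the image would end up running as root, either because USER is missing entirely or because a later `USER root` undoes an earlier drop of privileges. The three Dockerfiles it creates are constructed sample input.

```shell
#!/bin/sh
# Added example (not from the original post): verify that a Dockerfile ends
# up running as a non-root user. Returns 0 when the last USER instruction
# names a user other than root/UID 0, 1 otherwise.

dockerfile_runs_as_nonroot() {
    dockerfile="$1"
    # the last USER instruction wins; instruction names are case-insensitive
    last_user=$(grep -i '^[[:space:]]*USER[[:space:]]' "$dockerfile" | tail -n 1 \
                | awk '{print $2}')
    # no USER instruction at all means the default, which is root
    [ -z "$last_user" ] && return 1
    # drop an optional ":group" suffix, then reject root by name or by UID 0
    user_part=${last_user%%:*}
    case "$user_part" in
        root|0) return 1 ;;
        *) return 0 ;;
    esac
}

# Constructed Dockerfiles used as sample input for the check.
write_sample_dockerfiles() {
    cat > "$1/Dockerfile.good" <<'EOF'
FROM ubuntu:14.04
RUN useradd noroot -u 1000 -s /bin/bash --no-create-home
USER noroot
CMD ["/opt/app/application_name"]
EOF
    cat > "$1/Dockerfile.bad" <<'EOF'
FROM ubuntu:14.04
USER noroot
# a later USER root undoes the earlier drop of privileges
USER root
CMD ["/opt/app/application_name"]
EOF
    cat > "$1/Dockerfile.none" <<'EOF'
FROM ubuntu:14.04
CMD ["/opt/app/application_name"]
EOF
}

if [ "${1:-}" = "--demo" ]; then
    dir=$(mktemp -d)
    write_sample_dockerfiles "$dir"
    for f in "$dir"/Dockerfile.*; do
        if dockerfile_runs_as_nonroot "$f"; then
            echo "OK   : $f runs as non-root"
        else
            echo "FAIL : $f would run as root"
        fi
    done
    rm -rf "$dir"
fi
```

The check is intentionally static: it catches the common mistakes before the image is built, and it can be run over every Dockerfile in a repository from a pre-commit hook or CI job.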
5. Do not use the --privileged option with docker run
By default a Docker container is not privileged and is not allowed to access any host devices. When the --privileged option is used, the container gains access to all of them: for example, everything under /dev on the host can be manipulated. If the container only needs certain host devices, add those with --device instead of exposing all devices.
REF:
https://docs.docker.com/reference/run/#security-configuration
6. Use --cap-drop and --cap-add
These two options give finer-grained control over the Linux capabilities held by the container: individual capabilities can be removed or added. The parameter names accepted are the capability names listed at http://linux.die.net/man/7/capabilities.
REF:
https://docs.docker.com/reference/run/#security-configuration
http://linux.die.net/man/7/capabilities
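Points 5 and 6 together, as an added example that is not part of the original post: an audit over running containers that reports any container started with --privileged, and any container that adds capabilities without having dropped ALL first. The function reads one line per container in the form name|privileged|cap_add|cap_drop; the `docker inspect --format` string in the comment that produces that shape is an assumption of this example, and the four sample lines are constructed input so the script runs without a Docker daemon.

```shell
#!/bin/sh
# Added example (not from the original post): review the privilege settings
# of running containers. Each input line describes one container as
#   name|privileged|cap_add|cap_drop
# Assumed command that produces lines in that shape (cap lists comma-joined):
#   docker inspect --format '{{.Name}}|{{.HostConfig.Privileged}}|{{join .HostConfig.CapAdd ","}}|{{join .HostConfig.CapDrop ","}}' $(docker ps -q)
# A container is reported when it is --privileged, or when it uses --cap-add
# without --cap-drop=ALL. Exit status is 1 if anything was reported, 0 if clean.

audit_container_privs() {
    findings=0
    while IFS='|' read -r name privileged cap_add cap_drop; do
        [ -z "$name" ] && continue
        if [ "$privileged" = "true" ]; then
            echo "$name: runs with --privileged (all host devices and capabilities)"
            findings=$((findings + 1))
            continue
        fi
        if [ -n "$cap_add" ] && [ "$cap_drop" != "ALL" ]; then
            echo "$name: adds [$cap_add] on top of the default capability set; expected --cap-drop=ALL first"
            findings=$((findings + 1))
        fi
    done
    [ "$findings" -eq 0 ]
}

# Constructed sample output: two compliant containers and two findings.
sample_inspect_output() {
    cat <<'EOF'
/web|false||ALL
/db|false|NET_BIND_SERVICE|ALL
/legacy-agent|true||
/monitor|false|SYS_PTRACE,NET_ADMIN|
EOF
}

if [ "${1:-}" = "--demo" ]; then
    sample_inspect_output | audit_container_privs
fi
```

The /db line shows the recommended pattern from point 6: drop everything with --cap-drop=ALL and then add back only the one capability the service actually needs; /monitor is flagged because it adds capabilities on top of Docker's default set rather than on top of an empty one.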
7. Follow Docker's vulnerability disclosures and apply security patches promptly to fix bugs.
REF:
http://linux-audit.com/docker-security-best-practices-for-your-vessel-and-containers/
Copyright notice: this article is the blogger's original work; do not reproduce it without the blogger's permission.
Docker Security Best Practices Overview