10 Docker Security Best Practices

September 14, 2020

Introduction

Docker containers and Kubernetes are the driving force of a modern software development life cycle. Although Docker is a safer option than working on the host machine directly, many potential security issues may arise while working with containers.

This article includes ten container security best practices that can help you prevent attacks and security breaches. 

Docker security best practices.

1. Update Docker and Host Regularly

Make sure your host and Docker are up to date. Use the latest OS release and containerization software to prevent security vulnerabilities. Each update includes critical security patches that are essential for protecting the host and data.

Keeping Docker updated is not limited to the platform itself. Running containers do not update automatically. You should also update containers and the images they are based on.

Note: If you need help updating existing containers, refer to How to Update Docker Image and Container to the Latest Version.

2. Configure Resource Quotas

To avoid compromised containers that over-consume resources, set Docker memory and CPU usage limits.

Without configuring resource quotas, you give the container access to the host’s full RAM and CPU resources. As this is the default setting, it is advised to limit the amount of resources a container can use, so it doesn’t disrupt other services.

Not only does this prevent a container from using up all the resources, but it also helps keep a Docker environment efficient. Resource quotas ensure containers run at the anticipated speed and enhance security.

3. Use Non-Root Users

Docker allows running a container in privileged mode. Although it may be a faster way to bypass some security protocols, you should always restrain from using this practice.

The danger of running a privileged container is that it opens the door for potential malicious activity. A privileged Docker user has the same privileges as the root. This means it has access to kernel features and other devices on the host. A malicious user may enter your host system through the container and endanger everything on it.

Sticking to non-root users exclusively is simple, as it is Docker’s default settings. To modify the default configuration, you would have to add the --privileged flag to the docker run command. However, this is a significant safety hazard and should not be utilized.

4. Limit Capabilities

Containers have a restricted set of Linux capabilities. For example, they can allow a user to run a container with root-like efficiency but without full root privileges.

Docker’s limited capabilities are the default security settings and they are the same for each container. Therefore, it is recommended to modify the capabilities to include only what is needed. The administrator manages them using the --cap-add and --cap-drop options.

The safest way to configure container capabilities is to remove all (using the --cap-drop=ALL option) and then add the required ones.

For a list of all the capabilities and abbreviations, refer to the Linux manual page’s capabilities section.

5. Prohibit New Privileges

As seen in the example above, Docker allows changing containers’ capabilities and privileges after they have been launched. To prevent privilege escalation attacks, it is a good idea to define container privileges.

To disable container processes from gaining new privileges, use the --security-opt flag with the value no-new-privileges:true. Adding the flag to the docker run command overwrites any rules you set using the --cap-add and --cap-drop options..

Additionally, you can remove or disable the setuid and setgid binaries in the images. Doing so ensures the feature is not used for path traversal/injection, buffer overruns, and privilege escalation attacks.

Note: Read our article to learn more about Privileged Access Management.

6. Use Trusted Images

When pulling an image from online registries, make sure it is from a secure, trusted source. The safest option is sticking to the official Docker hub. Avoid public third-party registries which lack control policies.

If using online libraries, always review the content inside the image. Also, use image scanning tools to search for vulnerabilities before downloading anything on the host system.

It is best to check out Docker Hub and see whether you can find the desired image there. It is the world’s largest library and community for Docker with over 100,000 container images.

Note: You should scan images regularly, not just when downloading them from an online registry. Even local images that haven’t been utilized for a while should be scanned before building a container.

7. Keep Images and Containers Light

Minimize Docker containers’ attack surface by using a minimal base image and reducing the number of container components. Keeping the image size small helps prevent security breaches and speeds up container performance.

For tips on how to reduce image size, refer to How to Keep Docker Images Small.

8. Secure Registries

A Docker registry is a content delivery system used to store and provide images for your containers. You can use Docker’s official online registry or set up a private registry on your host.

For an enterprise-level image storage solution, you should use the Docker Trusted Registry (DTR). You can install the registry behind your firewall to help prevent potential breaches.

9. Don’t Expose the Docker Daemon Socket

Docker communicates with a UNIX domain socket called /var/run/docker.sock. This is the main entry point for the Docker API. Anyone who has access to the Docker daemon socket also has unrestricted root access.

Allowing a user to write to /var/run/docker.sock or exposing the socket to a container is a great security risk to the rest of the system. Doing so essentially gives it root privileges.

Mounting the Docker socket inside a container does not restrict it to privileged access within the container. It allows the container full control of the host and all other containers. Therefore, it is not a recommended practice.

10. Monitor APIs and Network Activity

APIs and networks play a crucial role in Docker security. Docker containers communicate through APIs and networks. Therefore, to avoid intrusion, the architecture must be configured securely.

Security administrators have recently discovered a new type of attack that exploits misconfigured Docker APIs. Hackers take advantage of poorly configured APIs and network security, use it to deploy an image, and run a malicious container on the host system.

Apart from setting up the networks and APIs securely, you also need to monitor activities to catch potential anomalies.

Conclusion

The Docker security tips outlined in this article should help you prevent possible Docker security breaches and privilege attacks.

If you are still getting used to working with Docker, you can also download a handy reference sheet with all the useful Docker commands.

Was this article helpful?
YesNo
Sofija Simic
Sofija Simic is an experienced Technical Writer. Alongside her educational background in teaching and writing, she has had a lifelong passion for information technology. She is committed to unscrambling confusing IT concepts and streamlining intricate software installations.
Next you should read
How To Install and Use Docker on Ubuntu 20.04
April 6, 2023

Install Docker on Ubuntu 20.04 using the default repository or from the official Docker repository with the...
Read more
Docker Volumes: How to Create & Get Started
July 27, 2020

Persist data in Docker containers by mounting Docker volumes to containers. You can use an existing host...
Read more
How to Deploy and Run Redis in Docker
July 23, 2020

The tutorial shows you how to deploy Redis using the Docker run command. Also, learn how to deploy Redis on...
Read more
How to Override Entrypoint Using Docker Run
September 18, 2024

Entrypoint is a Docker instruction used to set up the default executable when the container is run. You can...
Read more