Monday, December 23, 2024

Day 20: Docker Security – DEV Community

Programming LanguageDay 20: Docker Security - DEV Community


Welcome to Day 20 of Advent of Docker! Today we’ll cover essential security practices for Docker. Security is crucial – a misconfigured container can compromise your entire host system. These are some of the most important rules in my opinion, but the list is definitely not complete. Security is a never-ending journey 🙂

1. Keep Host & Docker Updated

The host kernel is shared between containers, so vulnerabilities like Dirty COW or Leaky Vessels can affect all containers. Always:

  • Update the host system regularly
  • Keep Docker Engine updated
  • Enable automatic security updates where possible

2. Protect the Docker Daemon Socket

The Docker socket (/var/run/docker.sock) is a critical security point. Access to it means root access to the host.

Don’t do this:

volumes:
  - "/var/run/docker.sock:/var/run/docker.sock" # Dangerous!
Enter fullscreen mode

Exit fullscreen mode

Never:

  • Expose the Docker daemon socket to containers
  • Enable TCP socket without TLS
  • Run Docker with -H tcp://0.0.0.0:2375

3. Use Official Images

Base images are your security foundation:

Good

FROM ubuntu:22.04
Enter fullscreen mode

Exit fullscreen mode

Better

FROM ubuntu:22.04-slim
Enter fullscreen mode

Exit fullscreen mode

Best for production

FROM scratch # For compiled languages
FROM distroless # For interpreted languages
Enter fullscreen mode

Exit fullscreen mode

4. Run as Non-Root

Create a dedicated user in your Dockerfile:

RUN groupadd -r app && useradd -r -g app -d /home/app -s /sbin/nologin -c "Docker image user" app
USER app
Enter fullscreen mode

Exit fullscreen mode

5. Use Multi-Stage Builds

Reduce attack surface by keeping only what’s needed! Check out Day 13 for more details!

6. Limit Resources

Limit the impact of a DoS attack by setting resource limits, like memory and CPU. Check out Day 19 for more details!

7. Use Vulnerability Scanners

Vulnerability scanners help you catch security issues in your images. There are quite a few available, but Docker Desktop ships one called Docker Scout by default:

One important thing to note is that vulnerability scanners will always have false-positives. They will find issues that are not actually a problem. Always verify the results and check if the issue is actually a problem for your use case!

Conclusion

As said in the beginning, this list is not complete and there are many more things to consider. Security is a never-ending journey and you should always be learning.

Here are some resources that I found helpful:

Until then, happy containerizing! 🐳

Jonas

Check out our other content

Check out other tags:

Most Popular Articles