Introduction
Docker containers and Kubernetes are the driving force of a modern software development life cycle. Although Docker is a safer option than working on the host machine directly, many potential security issues may arise while working with containers.
This article includes ten container security best practices that can help you prevent attacks and security breaches.
1. Update Docker and Host Regularly
Make sure your host and Docker are up to date. Use the latest OS release and containerization software to prevent security vulnerabilities. Each update includes critical security patches that are essential for protecting the host and data.
Keeping Docker updated is not limited to the platform itself. Running containers do not update automatically. You should also update containers and the images they are based on.
Note: If you need help updating existing containers, refer to How to Update Docker Image and Container to the Latest Version.
2. Configure Resource Quotas
To avoid compromised containers that over-consume resources, set Docker memory and CPU usage limits.
Without configuring resource quotas, you give the container access to the host’s full RAM and CPU resources. As this is the default setting, it is advised to limit the amount of resources a container can use, so it doesn’t disrupt other services.
Not only does this prevent a container from using up all the resources, but it also helps keep a Docker environment efficient. Resource quotas ensure containers run at the anticipated speed and enhance security.
3. Use Non-Root Users
Docker allows running a container in privileged mode. Although it may be a faster way to bypass some security protocols, you should always restrain from using this practice.
The danger of running a privileged container is that it opens the door for potential malicious activity. A privileged Docker user has the same privileges as the root. This means it has access to kernel features and other devices on the host. A malicious user may enter your host system through the container and endanger everything on it.
Sticking to non-root users exclusively is simple, as it is Docker’s default settings. To modify the default configuration, you would have to add the --privileged flag to the docker run command. However, this is a significant safety hazard and should not be utilized.
4. Limit Capabilities
Containers have a restricted set of Linux capabilities. For example, they can allow a user to run a container with root-like efficiency but without full root privileges.
Docker’s limited capabilities are the default security settings and they are the same for each container. Therefore, it is recommended to modify the capabilities to include only what is needed. The administrator manages them using the --cap-add and --cap-drop options.
The safest way to configure container capabilities is to remove all (using the --cap-drop=ALL option) and then add the required ones.
For a list of all the capabilities and abbreviations, refer to the Linux manual page’s capabilities section.
5. Prohibit New Privileges
As seen in the example above, Docker allows changing containers’ capabilities and privileges after they have been launched. To prevent privilege escalation attacks, it is a good idea to define container privileges.
To disable container processes from gaining new privileges, use the --security-opt flag with the value no-new-privileges:true. Adding the flag to the docker run command overwrites any rules you set using the --cap-add and --cap-drop options..
Additionally, you can remove or disable the setuid and setgid binaries in the images. Doing so ensures the feature is not used for path traversal/injection, buffer overruns, and privilege escalation attacks.
Note: Read our article to learn more about Privileged Access Management.
6. Use Trusted Images
When pulling an image from online registries, make sure it is from a secure, trusted source. The safest option is sticking to the official Docker hub. Avoid public third-party registries which lack control policies.
If using online libraries, always review the content inside the image. Also, use image scanning tools to search for vulnerabilities before downloading anything on the host system.
It is best to check out Docker Hub and see whether you can find the desired image there. It is the world’s largest library and community for Docker with over 100,000 container images.
Note: You should scan images regularly, not just when downloading them from an online registry. Even local images that haven’t been utilized for a while should be scanned before building a container.
7. Keep Images and Containers Light
Minimize Docker containers’ attack surface by using a minimal base image and reducing the number of container components. Keeping the image size small helps prevent security breaches and speeds up container performance.
For tips on how to reduce image size, refer to How to Keep Docker Images Small.
8. Secure Registries
A Docker registry is a content delivery system used to store and provide images for your containers. You can use Docker’s official online registry or set up a private registry on your host.
For an enterprise-level image storage solution, you should use the Docker Trusted Registry (DTR). You can install the registry behind your firewall to help prevent potential breaches.
9. Don’t Expose the Docker Daemon Socket
Docker communicates with a UNIX domain socket called /var/run/docker.sock. This is the main entry point for the Docker API. Anyone who has access to the Docker daemon socket also has unrestricted root access.
Allowing a user to write to /var/run/docker.sock or exposing the socket to a container is a great security risk to the rest of the system. Doing so essentially gives it root privileges.
Mounting the Docker socket inside a container does not restrict it to privileged access within the container. It allows the container full control of the host and all other containers. Therefore, it is not a recommended practice.
10. Monitor APIs and Network Activity
APIs and networks play a crucial role in Docker security. Docker containers communicate through APIs and networks. Therefore, to avoid intrusion, the architecture must be configured securely.
Security administrators have recently discovered a new type of attack that exploits misconfigured Docker APIs. Hackers take advantage of poorly configured APIs and network security, use it to deploy an image, and run a malicious container on the host system.
Apart from setting up the networks and APIs securely, you also need to monitor activities to catch potential anomalies.
Conclusion
The Docker security tips outlined in this article should help you prevent possible Docker security breaches and privilege attacks.
If you are still getting used to working with Docker, you can also download a handy reference sheet with all the useful Docker commands.
