Docker Security Tips​

Docker Port Configuration for Enhanced Security

When configuring Docker containers, it's crucial to avoid directly mapping ports like "3000:3000". Such
direct mapping can bypass the host's firewall, exposing your services to unauthorized access. Instead, for
scenarios where external access is necessary, map ports to localhost by using "127.0.0.1:3000:3000".
This configuration ensures that the service is only accessible from within the host, preventing external
connections through <your_server_ip>:3000, thereby enhancing security by limiting exposure to the
internal network only.​

Best Practices for Securing Docker Containers

Use Docker Content Trust: Ensure you only run signed images by enabling Docker Content Trust. This
enhances the security of your environment by preventing malicious or tampered images from being
executed.

Remove Unnecessary Linux Capabilities: Utilize the --cap-drop parameter to eliminate unnecessary
Linux capabilities from your containers, thus reducing the attack surface. For instance, docker run
--cap-drop=ALL --cap-add=NET_BIND_SERVICE keeps only the capability necessary for binding to
lower ports.

Implement Network Segmentation: Use Docker networks to create separate networks for different
types of containers. This isolates communication between them, limiting the risk of lateral movement in
case of a security breach.

Manage Sensitive Information with Docker Secrets: Employ Docker secrets for managing sensitive
data such as passwords or API keys. This practice helps in keeping such data out of your Docker images
and container configurations, enhancing security.

Utilize User Namespaces: Consider configuring user namespaces to run containers with a non-root user
inside. This reduces potential damage if a container is compromised. Configuration can be done in
Docker's daemon.json file.

Enable SELinux or AppArmor: Implement mandatory access control policies on your Docker containers
using SELinux or AppArmor. These systems provide an additional security layer by controlling what
actions processes can perform.

Regular Updates: Keep Docker Engine and your container images updated to patch known
vulnerabilities. Outdated software can be a significant security risk, exposing your containers to threats.
Read-Only Filesystems: When possible, mount your container's filesystem as read-only to prevent any
changes that could introduce vulnerabilities or misconfigurations. This can be done by adding ro to the
volume mount in your docker run command or Docker Compose file, e.g., -v
/path/to/data:/data:ro.
Limit Container Resources: Use Docker's resource constraints to limit CPU, memory, and I/O resources
to prevent a compromised container from overwhelming or crashing the host system. You can define
these limits in Docker Compose or via docker run with flags like --memory, --cpus, and
--blkio-weight.

Security Scanning: Integrate automated security scanning tools like Snyk, Clair, or Trivy into your CI/CD
pipeline to check Docker images for known vulnerabilities before deployment. This helps in catching
issues early in the development cycle.

Docker Bench for Security: Use Docker Bench for Security, a script provided by Docker to check for
dozens of common best-practices around deploying Docker containers in production. It can be run
periodically to ensure compliance with security standards.

Minimize Base Image Size: Opt for minimal base images like Alpine Linux or Distroless images which
have a smaller attack surface due to fewer installed packages. This reduces the number of potential
vulnerabilities.

Avoid Running as Root: Configure your Docker containers to run processes as non-root users. This can
be achieved by defining a user in the Dockerfile or using the --user flag with docker run. This practice
limits the damage if a container is compromised.

Seccomp Profiles: Use Seccomp (Secure Computing Mode) profiles to restrict the system calls that a
container can make, reducing the attack surface by limiting the capabilities of the container's processes.
Docker provides a default profile, but you can customize it for tighter security.

Logging and Monitoring: Implement comprehensive logging and monitoring solutions like Docker's
built-in logging drivers or third-party tools like ELK stack or Prometheus. This aids in detecting unusual
behavior or security incidents within containers.

Health Checks: Use Docker's healthcheck feature to regularly check the health of your containerized
applications. This can help in identifying when a container is not functioning as expected, which could be
a sign of a security issue.

Container Isolation: Use Docker's --security-opt flag to enhance isolation. For example,
--security-opt no-new-privileges prevents the container from gaining additional privileges after it
starts.

Regular Image Audits: Beyond automated scanning, perform manual audits of your Docker images
periodically to ensure no unnecessary software or configurations are present that could be exploited.

Secure API and Socket Access: Ensure that the Docker daemon's socket (/var/run/docker.sock)
is not exposed to containers unless absolutely necessary, as it provides full control over the Docker host.
Use --ipc=none or --pid=host cautiously.

.​
Immutable Infrastructure: Treat your Docker images as immutable. Once built and tested, they shouldn't
be modified in production. This practice ensures consistency and security by preventing runtime changes
that could introduce vulnerabilities.
Use Docker Compose for Local Development: For development environments, use Docker Compose
to define and manage multi-container setups securely. It helps in maintaining consistent configurations
across different environments and reduces the risk of misconfiguration.

Protect Docker Daemon Socket: Limit access to the Docker daemon socket. On production systems,
consider using Docker's TLS authentication or tools like Docker Socket Proxy to control who can interact
with the Docker daemon.

Implement Least Privilege Principle: Only grant the necessary permissions to containers. Use Docker's
--read-only flag to mount volumes read-only where possible, and avoid running containers with
--privileged unless absolutely necessary.

Regularly Rotate Secrets: Even with Docker secrets, make it a practice to rotate them periodically. This
reduces the risk associated with long-term exposure of secrets, even if they are securely stored.

Network Policies: Use Docker's networking capabilities to enforce strict network policies. For example,
define custom Docker networks with specific IPAM configurations or use tools like Calico for Kubernetes
to manage network policies in containerized environments.

Docker Security Benchmark: Follow the Center for Internet Security (CIS) Docker Benchmark, which
provides a comprehensive set of recommendations for securing Docker containers and hosts. It's a good
checklist to ensure you're covering all bases.

Avoid Exposing Sensitive Ports: Similar to the advice in the post you referenced, always consider the
security implications of exposing ports. Use Docker's host networking mode (--network host) with
caution as it bypasses Docker's network isolation.

Use Docker Health Probes Wisely: Health checks can also be used for security by ensuring that
containers are not only operational but also secure. For example, a health check might verify that certain
security-critical services are running or that no unauthorized processes are executing.

Implement Container Runtime Security: Tools like gVisor or Kata Containers provide an additional layer
of isolation by running containers in user-space or lightweight VMs, respectively, enhancing security by
isolating the container environment from the host kernel.

Docker Content Trust with Key Management: Beyond enabling Docker Content Trust, manage your
keys securely. Use hardware security modules (HSMs) or secure key management services to store and
manage the keys used for signing Docker images.

Audit Container Logs: Regularly audit logs from containers for signs of security breaches or anomalies.
Use centralized logging solutions to aggregate logs from multiple containers, making it easier to detect
patterns that might indicate security issues.

Container Escape Prevention: Stay updated with the latest security patches for Docker and the
underlying OS. Container escape vulnerabilities are critical, and timely updates can prevent exploitation.
Integrate with Security Information and Event Management (SIEM): Connect your Docker
environment with SIEM systems to correlate security events across your infrastructure, providing a
broader view of potential threats.

Use Docker's Built-in Security Features: Explore Docker's security features like user namespaces,
seccomp, and AppArmor profiles. Configure these in your dockerd daemon configuration or directly in
Docker run commands to enhance security.

Use Docker's --tmpfs for Temporary Files: When containers need temporary file storage, use the
--tmpfs flag to mount a tmpfs filesystem, which is stored in memory. This prevents data persistence and
reduces the risk of sensitive data being left on disk. Example: docker run --tmpfs
/tmp:rw,noexec,nosuid.

Implement Docker's ulimit: Use ulimit settings within Docker to control resource usage, like limiting
the number of open file descriptors, processes, or memory usage. This can prevent resource exhaustion
attacks. For example, --ulimit nofile=1024:1024 sets the maximum number of open files.

Secure Docker Registries: Ensure your Docker registry (like Docker Hub or a private registry) is secured
with strong authentication, authorization, and encryption (HTTPS). Use tools like Harbor or Nexus for
more advanced security features in private registries.

Dockerfile Best Practices: Keep your Dockerfiles clean by only including necessary commands,
avoiding RUN commands that install unnecessary software, and using multi-stage builds to reduce the
final image size, which in turn reduces the attack surface.

Use Docker's --device Cautiously: If your container needs direct access to host devices, use the
--device flag with caution to ensure only the necessary devices are exposed, limiting potential attack
vectors. Example: docker run --device=/dev/video0:/dev/video0.

Container Image Signing and Verification: Beyond Docker Content Trust, consider using tools like
Notary or Cosign for additional layers of image signing and verification, ensuring integrity and authenticity
from build to deployment.

Regular Vulnerability Assessments: Beyond static scanning, perform dynamic analysis or penetration
testing on your Docker containers in a controlled environment to uncover runtime vulnerabilities that static
tools might miss.

Secure Container-to-Container Communication: Utilize Docker's networking features like overlay

networks or mesh networking to secure communication between containers. Consider integrating with
service mesh solutions like Istio or Linkerd for advanced traffic management and security.

Implement Docker's --ipc and --pid Options Wisely: Use --ipc=none to isolate the IPC
namespace, preventing containers from sharing IPC resources which could be exploited. Similarly, use
--pid=host only when necessary, as it allows processes in the container to see all processes on the
host.
Audit Docker Daemon Configuration: Regularly review and audit the Docker daemon configuration
(daemon.json) for any misconfigurations. Ensure settings like live-restore are configured
appropriately to balance security with operational needs.

Use Docker's --security-opt for Additional Security: Besides no-new-privileges, you can use
--security-opt to specify AppArmor or SELinux profiles, or to disable seccomp for specific system
calls if needed for your application's functionality while maintaining security.

Container Image Provenance: Keep track of where your images come from. Use tools like Docker's
BuildKit or Kaniko for building images with traceable provenance, ensuring you know exactly what's in
your images and how they were constructed.

Implement Docker's --shm-size: Control the shared memory size allocated to containers with
--shm-size. This helps in preventing shared memory-based attacks by limiting the amount of shared
memory a container can use.

Implement Docker's --sysctl for Kernel Tuning: Use --sysctl to tune kernel parameters within the
container context, enhancing security by controlling things like TCP settings or kernel panic behavior.
Example: docker run --sysctl net.ipv4.ip_forward=0.

Secure Docker Swarm: If using Docker Swarm for orchestration, secure it by enabling mutual TLS for
node-to-node communication, using encrypted overlay networks, and implementing role-based access
control (RBAC) for managing swarm resources.​
​
Docker Rootless Mode: Run Docker in rootless mode to reduce the attack surface by not requiring root
privileges to run containers. This mode uses user namespaces to provide an additional layer of isolation,
significantly enhancing security by limiting the capabilities of the Docker daemon.

Implement Container Runtime Integrity Monitoring: Use tools like Falco for runtime security
monitoring. Falco can detect and alert on unexpected behavior within containers, such as unauthorized
file access or network connections, providing real-time security monitoring.

Use Docker's --init Flag: When running containers, use the --init flag to run an init process inside
the container. This helps manage zombie processes and provides a more stable environment, reducing
the risk of resource exhaustion or process-related security issues.

Secure Docker Compose Files: In multi-container applications, secure your Docker Compose files by
not storing sensitive information directly in them. Instead, use environment variables or external
configuration files, and leverage Docker secrets for sensitive data.

Implement Docker's --userns-remap: For enhanced isolation, use user namespace remapping
(--userns-remap) on the host to remap user IDs in containers to non-root users on the host, reducing
the impact if a container process escapes.
Docker Network Encryption: When possible, use encrypted Docker networks, especially in swarm
mode, to ensure that network traffic between containers is secure. This can be achieved with the overlay
network driver in Docker Swarm, which supports encryption.

Container Image Layers Analysis: Analyze the layers of your Docker images to understand what's
included in each layer. Tools like dive can help you inspect these layers, ensuring that no unnecessary or
insecure components are part of your image.

Docker Content Trust with Offline Keys: For environments with high security requirements, manage
your Docker Content Trust keys offline. This means generating and storing keys in a secure offline
location, reducing the risk of key compromise.

Implement Docker's --cgroup-parent: Use this flag to specify a cgroup parent for the container,
allowing for better resource management and isolation. This can help in controlling resource usage and
ensuring containers do not consume more than their allocated share.

Secure Docker Plugins: If using Docker plugins, ensure they are from trusted sources and regularly
updated. Plugins can introduce vulnerabilities, so maintaining their security is crucial.

Docker BuildKit Security: When using BuildKit for building Docker images, take advantage of its
security features like automatic secrets management (--secret) and better isolation during build
processes, which reduce the exposure of sensitive information during image construction.

Implement --security-opt systempaths=unconfined: This option allows containers to access

system paths like /proc, /sys, etc., but in a controlled manner. It's useful for applications that need
access to these paths but should be used cautiously as it can increase the attack surface.

Docker's --add-host for DNS Spoofing Prevention: Use --add-host to add specific host-to-IP
mappings within the container to prevent DNS spoofing attacks by ensuring critical services resolve to
known, secure IP addresses.

Implement Docker's --oom-score-adj: Adjust the out-of-memory (OOM) score of containers to control
which containers are killed first when the host runs out of memory. This can be a strategy to protect
critical services by ensuring less critical containers are terminated first.

Container Image Squashing: Use Docker's image squashing feature to reduce the number of layers in
your final image, which can help in reducing the attack surface by minimizing the exposure of
intermediate build steps.

Secure Docker Bench Automation: Automate running Docker Bench for Security in your CI/CD pipeline
to ensure continuous compliance with Docker security best practices. This can catch misconfigurations
before they reach production.