When it comes to containerization, Docker has easily become the most widely adopted technology. As businesses and users in the industry look toward using containers to cut costs, scale services, and streamline implementation of numerous applications, an important aspect that should not be overlooked is the security of Docker. Docker is commonly lauded as being more secure than traditional deployments, and, while true, we still must be aware of potential security flaws to prevent the exploitation of such a powerful tool.
In this tutorial, we will go over some of the most important security measures for Docker on a Linux system. These are best practices that should be adhered to by system administrators in order to ensure that their containerized applications in Docker are kept safe against potential exploits and malicious users.
In this tutorial you will learn:
- Top 5 best practices for securing Docker on Linux

| Category | Requirements, Conventions or Software Version Used |
|---|---|
| System | Any Linux system |
| Software | Docker |
| Other | Privileged access to your Linux system as root or via the sudo command. |
| Conventions | # – requires given linux commands to be executed with root privileges either directly as a root user or by use of sudo command<br>$ – requires given linux commands to be executed as a regular non-privileged user |
Docker Security Best Practices
Below, we will count down five of the most important recommendations for keeping your Docker environment and its containerized applications secure.
Docker is the biggest name in containerization, although there are a slew of other tools that can also do the job. Many Linux administrators get started with Docker to build out applications that can be packaged into a container and easily deployed on any system. This is also a great way for developers to share their work, as anyone with Docker can run the application.
1. Avoid Using Root Permissions
Linux users should already be trying to minimize the use of administrative privileges whenever possible. This is already a golden rule of Linux systems, where the root account should be exclusively used to carry out important tasks and commands that can’t be realized by ordinary user accounts.
The same rule applies to Docker containers. Developers will sometimes lazily or haphazardly assign more permissions than necessary to a Dockerized application, rather than taking the time to decide exactly which privileges are necessary and delegating them accordingly. Such an oversight can have dire consequences if a user manages to gain control of an application, effectively giving them free rein over the environment.
We can avoid this pitfall by making sure we do not run containers as root (verify the USER instruction inside of the Dockerfile to ensure this) and by not executing containers with options such as --user 0 or --privileged. We can also avoid running Docker itself as root in most situations, although this is not as important of a precaution as the aforementioned points.
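One way to automate the USER check described above, as an added example that is not part of the original tutorial. The function names and the sample Dockerfiles are constructed for illustration; the check treats a final stage without a USER instruction as root, which is the default for most base images.

```shell
#!/bin/sh
# Print the USER in effect at the end of the final stage of a Dockerfile.
# Empty output means the final stage never sets USER, so the image
# inherits the user of its base image (root for most base images).
dockerfile_final_user() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }      # skip comments and blank lines
        {
            continued = in_cont                # is this line a continuation?
            in_cont = ($0 ~ /\\[ \t]*$/)       # does it end with a backslash?
            if (continued) next
            instr = toupper($1)
            if (instr == "FROM") user = ""     # a new stage resets USER
            else if (instr == "USER") user = $2
        }
        END { sub(/:.*/, "", user); print user }   # drop an optional :group
    ' "$1"
}

# Exit status: 0 non-root user, 1 root or unset, 2 set from a build variable.
check_dockerfile_user() {
    user=$(dockerfile_final_user "$1")
    case "$user" in
        "")     echo "FAIL: final stage sets no USER"; return 1 ;;
        root|0) echo "FAIL: final stage runs as $user"; return 1 ;;
        \$*)    echo "WARN: USER comes from $user, check the build args"; return 2 ;;
        *)      echo "OK: final stage runs as $user"; return 0 ;;
    esac
}

# Constructed sample Dockerfiles (not from the original article).
SAMPLES=$(mktemp -d)
trap 'rm -rf "$SAMPLES"' EXIT
cat > "$SAMPLES/bad" <<'EOF'
FROM ubuntu:latest AS build
USER builder
RUN make \
    all
FROM nginx:latest
COPY --from=build /out /usr/share/nginx/html
EOF
cat > "$SAMPLES/good" <<'EOF'
FROM nginx:latest
RUN useradd --system app
# switch away from root for everything that follows
USER app:app
EOF
check_dockerfile_user "$SAMPLES/bad" || true
check_dockerfile_user "$SAMPLES/good"
```

The first sample fails even though it contains a USER line, because that line belongs to the build stage and does not carry over to the final image.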
2. Update Regularly – With Caution
Updates for Docker images are usually a good thing. They introduce new features, security patches, etc. So, it is generally recommended to fetch updates regularly and keep all of your Docker images up to date. However, in sensitive environments where uptime is ultra important, additional measures can be taken to pre-stage these changes before rolling them out into production.
Although updates are generally a good thing, they can also introduce breaking changes or unstable features that have not yet had the kinks worked out. In an environment that utilizes many Docker containers and requires extra attention to ensuring uptime, we can take advantage of technologies like Kubernetes, which will allow us to roll out updates gradually and monitor applications for errors in case we need to abort the updates and roll back.
See also: Kubernetes vs Docker, what’s the difference?
3. Use Official Images
Whenever possible, opt for using official images that are provided for download on Docker Hub. These images receive regular updates and are run by developers in the Docker community, thus are generally more reliable and have better longevity than images maintained by miscellaneous users on other websites.
For example, common applications like NGINX or Ubuntu have official images available on Docker Hub. Using them is very easy, as this capability is already baked into Docker by default:
```
# Pull an official nginx image from Docker Hub:
$ docker pull nginx:latest
```
The same command shown above can also be used to update the image.
4. Limit Container Capabilities
This recommendation goes hand in hand with our first one, which is to avoid using root permissions. By the same token, we should also limit the capabilities of our Docker containers in whatever ways possible. Containers should generally run with only the bare minimum permissions that they need in order to perform their job correctly. Since Docker applications usually have a very specific role, we can get highly precise with what capabilities we assign.
One such way to limit capabilities is the --internal flag of docker network create. Containers attached to a network created with this flag cannot access anything outside the internal network, which is often not a permission that we need to delegate. So, Docker containers can still communicate with each other (if configured properly), but not with the external network of the host system. For Docker applications that have been configured to be accessed via proxy, the --internal flag is something that can be used all the time.
The --cap-drop=ALL option removes all Linux capabilities from the container, which many applications do not require anyway. We can combine this option with others like --cap-add=NET_BIND_SERVICE to bind a service to a specific port without requiring root permissions.
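To check whether containers that are already running follow recommendations 1 and 4, the following added example (not part of the original tutorial) classifies `docker inspect` output by user, privileged mode and dropped capabilities. The function name, the finding labels and the sample lines are constructed for illustration; the inspect fields are the ones Docker reports for each container.

```shell
#!/bin/sh
# On a Docker host, feed the audit with real data:
#   docker ps -q | xargs docker inspect --format "$INSPECT_FMT" | audit_containers
INSPECT_FMT='{{.Name}}|{{.Config.User}}|{{.HostConfig.Privileged}}|{{.HostConfig.CapDrop}}'

# Constructed sample lines in that format (not output from a real host).
SAMPLE='/web|101|false|[ALL]
/legacy||true|[]
/worker|0:0|false|[NET_RAW]'

# Read inspect lines on stdin and print one verdict per container.
audit_containers() {
    while IFS='|' read -r name user priv drop; do
        [ -n "$name" ] || continue
        findings=""
        # An empty Config.User means the image default, which is root.
        case "${user%%:*}" in
            ""|0|root) findings="$findings runs-as-root" ;;
        esac
        if [ "$priv" = "true" ]; then
            findings="$findings privileged"
        fi
        # Anything short of --cap-drop=ALL leaves default capabilities in place.
        case "$drop" in
            *[Aa][Ll][Ll]*) ;;
            *) findings="$findings no-cap-drop-all" ;;
        esac
        echo "${name#/}:${findings:- ok}"
    done
}

printf '%s\n' "$SAMPLE" | audit_containers
```

The check does not look at capabilities added back with --cap-add, so a container that passes still deserves a look at its CapAdd list.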
5. Security Audits With Docker Bench Security
The developers of Docker know that it is a complex application with many facets to be secured. It is too much to expect every Linux administrator to familiarize themselves intimately enough with Docker in order to check every single setting for potential security shortcomings.
That is why Docker Bench Security exists, which comes from the official Docker GitHub and will carry out a security audit on your Docker setup. It essentially executes a set of Bash scripts that perform a variety of checks on the security of your environment, and then reports back with threats found and measures that can be taken to harden your setup.
It is as simple as cloning the repo and then executing the script:
```
$ git clone https://github.com/docker/docker-bench-security.git
$ cd docker-bench-security
$ sudo sh docker-bench-security.sh
```
Closing Thoughts
In this tutorial, we went over a list of the top five best practices for securing Docker on a Linux system. Although Docker is a relatively new technology, we find that many of its best practices are similar to those employed on traditional Linux systems, such as the limiting of capabilities, security auditing tools, installing updates, and using trusted software. Using Docker, in and of itself, along with these top recommendations will help keep your applications secure by minimizing the attack surface more than a traditional deployment ever could.