Most businesses worldwide today deploy their services and servers in containers, and Docker is one of the most widely used container tools. Docker provides some security features by default, but in many cases the default security alone is not sufficient. We will look at various ways Docker containers can be secured.
1. -u flag
Make sure that you start Docker containers with the -u (--user) flag. This ensures that the process inside the container runs as a normal user and not as root.
2. Docker Hub Paid Plan:
Since you are running third-party container images, they might contain malicious code or simply be poorly secured. One option to address this is the Docker Hub paid plan, under which the repositories are scanned and kept well secured. You can also choose only officially recognized images, which are pre-scanned and well secured. For example, to find a WordPress image, run the command below
sudo docker search WordPress
You will see many entries for various third-party WordPress images available for deployment. The very first entry will be Bitnami WordPress. You will see an "ok" tag under the official column.
3. Remove SUID flags:
As discussed earlier, the very first step is to start Docker with the -u flag. This by itself is not enough to prevent all attacks. Some files in container images have the SUID flag set by default. SUID is a special file permission that makes a file execute with the privileges of its owner rather than those of the user running it. You should either unset these flags or delete those files completely. This prevents privilege escalation attacks. To unset SUID, use the command below in your Dockerfile.
# Strip the setuid/setgid bits from every regular file in the image (current find syntax is -perm /6000; -xdev keeps it off /proc and /sys)
RUN find / -xdev -type f -perm /6000 -exec chmod a-s '{}' +
4. Docker Content Trust:
Docker comes with a security feature called "Docker Content Trust". It ensures that only container images that are signed and verified can be pulled and run. Unfortunately, this is not enabled by default in Docker. To enable it, set the following variable in your shell
export DOCKER_CONTENT_TRUST=1
5. Restrict Resources for your containers
Containers, when infected or attacked, might end up consuming a lot of resources such as memory and CPU. This can be prevented by setting limits on the resources each container can consume, using the following commands.
To set a memory limit:
To restrict CPU usage:
where X is the number of CPUs made available to this container
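As an added example (not from the original article), a small Python audit that reads docker inspect output and reports containers that miss the settings covered so far: a non-root -u/--user and memory/CPU limits. The container records below are constructed sample data in the shape of docker inspect output, trimmed to the fields the audit uses.

```python
import json

# Constructed sample in the shape of `docker inspect <id> ...` output
# (only the fields this audit reads; real output has many more keys).
SAMPLE_INSPECT = json.dumps([
    {"Name": "/web", "Config": {"User": "1000:1000"},
     "HostConfig": {"Memory": 268435456, "NanoCpus": 500000000}},
    {"Name": "/db", "Config": {"User": ""},
     "HostConfig": {"Memory": 0, "NanoCpus": 0}},
    {"Name": "/cache", "Config": {"User": "root"},
     "HostConfig": {"Memory": 134217728, "NanoCpus": 0}},
])

# Values of Config.User that mean the main process runs as uid 0
ROOT_USERS = {"", "root", "0"}


def audit_container(record):
    """Return a list of findings for one docker inspect record."""
    findings = []
    user = record.get("Config", {}).get("User", "")
    # An empty user means no -u/--user was given, so the image default
    # (usually root) applies; "user:group" forms are checked on the user part.
    if user.split(":")[0] in ROOT_USERS:
        findings.append("runs as root (no -u/--user)")
    host = record.get("HostConfig", {})
    # Memory is in bytes, NanoCpus in 1e-9 CPUs; 0 means unlimited.
    if host.get("Memory", 0) <= 0:
        findings.append("no memory limit (--memory)")
    if host.get("NanoCpus", 0) <= 0:
        findings.append("no CPU limit (--cpus)")
    return findings


def audit(inspect_json):
    """Map container name -> findings for every record in the JSON array."""
    return {rec["Name"].lstrip("/"): audit_container(rec)
            for rec in json.loads(inspect_json)}


if __name__ == "__main__":
    # On a real host: docker inspect $(docker ps -q) > containers.json
    for name, findings in audit(SAMPLE_INSPECT).items():
        print(f"{name}: {'; '.join(findings) if findings else 'OK'}")
```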
6. Use Namespaces
Namespaces are a simple option for securing containers. When enabled, they ensure that a process running in one container cannot affect other containers. This isolation between containers is a good way to protect the rest of your containers if one is compromised.
7. Docker Bench Security
This is a handy script that scans your Docker setup for various security aspects and reports results you can act on. Among the areas Docker Bench Security tests are the host configuration, Docker daemon configuration, container images, container runtime, and so on. You can clone the Docker Bench script from GitHub with the command below.
git clone https://github.com/docker/docker-bench-security.git
To run the script:
sudo sh docker-bench-security.sh
This command checks your Docker setup for various security aspects and displays a detailed report showing which tests passed and which ones produced warnings.