Docker Container Security : Best practice Explained

0
572
Docker Container Security

Docker and Container

Docker is a tool which quickly lets you to create light weight VMS with your code and deploy it as fast as possible through different services in various containers. Docker consists of various type of Containers (Docker VM’s) and Docker Hub (Online Docker’s VM sharing service). From within docker we see whole system but from base machine we just see one process running for each docker instance. There is a very smooth way of working inside Docker containers in which a system is built in such a way that developers, testers and Administrators can work together to deploy a code in faster way.

The main part of Docker which is widely used is Container. We do have containers before Docker, but Docker people have made it easy and fast process to build new containers (aka Virtual machines). To More about Docker Click Here

docker vm container

Docker comes with security measures. It is secure by default (as it seems) but to use your docker safely, you need to be aware of many threats.

1- KERNEL EXPLOITS

Setuid and Setgid bins can be exploited by attackers. So you need to disable the SETUID rights by adding this line to the Dockerfile:

FROM Ubuntu:Xenial
RUN find / -perm +6000 -type f -exec chmod a-s {} ; 
|| true

2- DENIAL OF SERVICE (DOS) Threats

To avoid a denial of service attempts while docker is using kernel resources you need to make sure that containers are belonging to many users and different VMs and by modifying the container CPU share (1024 by default)  in addition of limiting the maximum memory consumed by every container.

# docker run -d -c 512  imagename
# docker run -m 512m   imagename

3- BREAKOUT and Access to the Host:

Turn off the INTER-CONTAINER COMMUNICATION which is enabled by default.

# docker -d –icc=false –iptables

4- POISONED IMAGES

To defend against poisoned Images (for example Injected images) you need to verify them. Because you need to make sure that the images are trusted and signed.

# docker pull someimage@sha256:a25306f3850e1bd44541976aa7b5fd0a29be 
(succeed if the image is signed)

To enable content trust in a bash shell

export DOCKER_CONTENT_TRUST=1

5- Database Passwords and data theft:

To prevent attackers from taking control and gaining access you need to follow this steps:

-Make the filesystem Read-Only by setting CONTAINER FILE SYSTEM TO READ-ONLY:

 # docker run –read-only ubuntu touch x

– Don’t run Docker as root and set a User:

RUN groupadd -r user && useradd -r -g user user
USER user

– Don’t use environment variables to share secrets and don’t run containers with the –privileged FLAG

NO COMMENTS