Here are some great tips to help you secure your Docker environment, which is essential to ensure smooth operations.
Organisations are increasingly using containers to manage their application deployment lifecycle. This article discusses the importance of securing the Docker environment, the tool at the centre of that container management ecosystem, and highlights the need for a secure environment to keep Docker running smoothly.
Here are a few best practices that can be followed to enable this environment.
Docker daemon
Sometimes we need to access the Docker daemon from a remote machine, and for this we usually need to enable the TCP socket. Beware that the default setup provides unencrypted and unauthenticated direct access to the Docker daemon, and should be secured either by using the built-in HTTPS (TLS) encrypted socket or by putting a secure web proxy in front of it. You can listen on port 2375 on all network interfaces with -H tcp://0.0.0.0:2375, or on a particular network interface using its IP address: -H tcp://192.168.59.103:2375. By convention, port 2375 is used for unencrypted and port 2376 for encrypted communication with the daemon.
Non-root user
Avoid using the root user to run containers. Instead, use a normal (non-root) user added to the docker group, since assigning sudo permissions to non-root users can be dangerous. It is highly recommended to use rootless mode when working with containers in Docker. Use the following commands for this.
sudo groupadd docker
sudo usermod -aG docker $USER
Volume mount
Pay close attention when using volumes, as this can be one of the most vulnerable options. Avoiding mounting the Docker socket into containers is one of the best practices for securing Docker. Here is an example of a volume mount that is extremely vulnerable for container-based applications:
-v /var/run/docker.sock:/var/run/docker.sock
Securing the base machine
Check that the base/host machine is running the latest version of Docker and that all available patches have been applied to it.
Scanning image vulnerabilities
If you are pulling images from non-official repositories, scan them for image vulnerabilities before using them for further application deployment. Clair, ThreatMapper and Trivy are excellent free, open source tools for scanning images for vulnerabilities.
DevOps engineers nowadays use Dockerfiles extensively for application deployment. When writing Dockerfiles, follow these security practices:
- Add a non-root user to the Docker image
- Add a health check
- Remove unwanted packages from the image
- Use a multi-stage build
- Use COPY instead of ADD
- Use official Docker images
While running containers, follow these security best practices:
- Avoid using system reserved port numbers
- Assign CPU/memory limits to the container
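The non-root user, Docker socket mount, system port and CPU/memory limit points above can be checked against what is actually running. The following audit script is an added example, not code from the article; it reads `docker inspect`-style JSON, and the embedded sample is constructed to show one risky container ("web") beside a hardened one ("api"). The live mode assumes the docker CLI is installed and the current user may talk to the daemon.

```python
import json
import subprocess

# Constructed sample in the shape of `docker inspect` output (not captured from a real host):
# "web" shows the risky settings discussed above, "api" shows a hardened container.
SAMPLE_INSPECT = """[
 {"Name": "/web", "Config": {"User": ""},
  "HostConfig": {"Privileged": false, "Memory": 0, "NanoCpus": 0,
   "Binds": ["/var/run/docker.sock:/var/run/docker.sock", "/srv/web:/usr/share/nginx/html:ro"],
   "PortBindings": {"80/tcp": [{"HostIp": "", "HostPort": "80"}]}}},
 {"Name": "/api", "Config": {"User": "app"},
  "HostConfig": {"Privileged": false, "Memory": 536870912, "NanoCpus": 1000000000,
   "Binds": ["/srv/api/data:/data"],
   "PortBindings": {"8080/tcp": [{"HostIp": "127.0.0.1", "HostPort": "8080"}]}}}
]"""

DOCKER_SOCKET = "/var/run/docker.sock"

def audit_container(spec: dict) -> list[str]:
    """Return the findings for one entry of `docker inspect` output."""
    cfg, host = spec.get("Config", {}), spec.get("HostConfig", {})
    findings = []
    if not cfg.get("User"):                      # an empty User means the process runs as root
        findings.append("runs as root (Config.User is empty)")
    if host.get("Privileged"):
        findings.append("privileged container")
    for bind in host.get("Binds") or []:         # "-v src:dst[:opts]" entries
        if bind.split(":", 1)[0].rstrip("/") == DOCKER_SOCKET:
            findings.append(f"Docker socket mounted: {bind}")
    if not host.get("Memory"):                   # 0 means unlimited
        findings.append("no memory limit")
    if not host.get("NanoCpus"):                 # 0 means unlimited
        findings.append("no CPU limit")
    for port, binds in (host.get("PortBindings") or {}).items():
        for b in binds:
            if 0 < int(b.get("HostPort") or 0) < 1024:   # system (privileged) port range
                findings.append(f"system port {b['HostPort']} published for {port}")
    return findings

def audit_inspect_json(text: str) -> dict[str, list[str]]:
    """Map container name -> findings for a whole `docker inspect` JSON array."""
    return {c["Name"].lstrip("/"): audit_container(c) for c in json.loads(text)}

def audit_running_containers() -> dict[str, list[str]]:
    """Audit every running container on this host (requires the docker CLI)."""
    ids = subprocess.run(["docker", "ps", "-q"], capture_output=True, text=True, check=True).stdout.split()
    if not ids:
        return {}
    out = subprocess.run(["docker", "inspect", *ids], capture_output=True, text=True, check=True).stdout
    return audit_inspect_json(out)

if __name__ == "__main__":
    for name, findings in audit_inspect_json(SAMPLE_INSPECT).items():
        print(f"{name}: {'; '.join(findings) or 'no findings'}")
```

Replace the sample call in the `__main__` block with `audit_running_containers()` to check a real host.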
API calls
More than 85% of vulnerabilities are triggered through API calls. The Docker client itself communicates with the daemon through API calls, so when dealing with such calls we must take the necessary precautions. Using tools like nmap to scan for API endpoints exposed by your own hosts is a good practice.