Universal media server docker
While Docker has become synonymous with containers, various container tools and platforms have emerged to make the process of developing and running containers more efficient. Still, a lot of the same principles around Docker security apply to protecting container-based applications built with other tools as well.

We compiled 20 essential Docker security best practices into the most comprehensive hands-on guide that will help you build more secure containers. In this article, you will learn about the following Docker security best practices:

Docker and Host Configuration
  Keep Host and Docker Up to Date
  Do Not Expose the Docker Daemon Socket
  Run Docker in Rootless Mode
  Avoid Privileged Containers
  Limit Container Resources
  Segregate Container Networks
  Improve Container Isolation
  Set Filesystem and Volumes to Read only
  Complete Lifecycle Management

Securing Images
  Scan & Verify Container Images
  Use Minimal Base Images
  Don't Leak Sensitive Info to Docker Images
  Use Fixed Tags for Immutability
  Use Multi Stage Builds
  Secure Container Registries
  Use Metadata Labels for Images

Monitoring Containers
  Monitor Container Activity
  Secure Containers at Runtime
  Restrict System Calls from Within Containers
  Save Troubleshooting Data Separately from Containers

We also added a bonus section summarizing the security best practices of the Docker CIS Security Benchmark, so you can be aware of secure configuration best practices.

It is essential to patch both Docker Engine and the underlying host operating system running Docker, to prevent a range of known vulnerabilities, many of which can result in container escapes. Since the kernel is shared by the container and the host, a kernel exploit that an attacker manages to run inside a container can directly affect the host. For example, a successful kernel exploit can enable attackers to break out of a non-privileged container and gain root access to the host.

The Docker daemon socket is a Unix network socket that facilitates communication with the Docker API. By default, this socket is owned by the root user. If anyone else obtains access to the socket, they will have permissions equivalent to root access to the host. Take note that it is possible to bind the daemon socket to a network interface, making the Docker daemon available remotely. This option should be enabled with care, especially in production environments.

To avoid this issue, follow these best practices: Never make the daemon socket available for remote connections, unless you are using Docker's encrypted HTTPS socket, which supports authentication. Do not run Docker images with an option like -v /var/run/docker.sock:/var/run/docker.sock, which exposes the socket in the resulting container.

Docker provides "rootless mode", which lets you run Docker daemons and containers as non-root users.
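The three misconfigurations called out above (a privileged container, the daemon socket bind-mounted into a container, and the daemon listening on TCP without TLS client verification) can all be read straight out of configuration that Docker already exposes. The following audit script is an added example, not code from the article or from Docker; it assumes the JSON shape that `docker inspect <container>` produces (`Name`, `HostConfig.Privileged`, `HostConfig.Binds`, `Mounts`) and the `hosts` / `tlsverify` keys of `/etc/docker/daemon.json`, and the two sample inputs embedded in it are constructed so that it runs offline.

```python
"""Audit Docker container and daemon configuration for the socket-exposure and
privilege problems described above.

Added example (not from the original article). Inputs are dicts parsed from
`docker inspect` output and from /etc/docker/daemon.json; the samples at the
bottom are constructed to mimic those shapes.
"""
import json

# The daemon socket is commonly reached by either path (/var/run is often a
# symlink to /run), so treat both as "the socket".
SOCKET_PATHS = {"/var/run/docker.sock", "/run/docker.sock"}


def _is_daemon_socket(path: str) -> bool:
    return path.rstrip("/") in SOCKET_PATHS


def audit_container(entry: dict) -> list:
    """Return findings for one element of `docker inspect` output."""
    findings = []
    name = entry.get("Name", "<unnamed>").lstrip("/")
    host_cfg = entry.get("HostConfig") or {}

    # --privileged disables most of the isolation between container and host.
    if host_cfg.get("Privileged"):
        findings.append(f"{name}: container is privileged")

    # A socket bind appears in HostConfig.Binds ("src:dst[:opts]") and again in
    # Mounts; collect sources into a set so each one is reported once.
    socket_sources = set()
    for bind in host_cfg.get("Binds") or []:
        src = bind.split(":", 1)[0]
        if _is_daemon_socket(src):
            socket_sources.add(src)
    for mount in entry.get("Mounts") or []:
        src = mount.get("Source", "")
        if mount.get("Type") == "bind" and _is_daemon_socket(src):
            socket_sources.add(src)
    for src in sorted(socket_sources):
        findings.append(f"{name}: daemon socket {src} is bind-mounted into the container")
    return findings


def audit_daemon(cfg: dict) -> list:
    """Return findings for a parsed /etc/docker/daemon.json.

    A tcp:// listener is acceptable only with TLS client verification
    ("tlsverify"), which is what gives the remote socket authentication.
    """
    findings = []
    for host in cfg.get("hosts") or []:
        if host.startswith("tcp://") and not cfg.get("tlsverify"):
            findings.append(f"daemon listens on {host} without TLS client verification")
    return findings


def run_audit(inspect_json: str, daemon_json: str) -> list:
    """Audit a `docker inspect` JSON array plus a daemon.json document."""
    findings = []
    for entry in json.loads(inspect_json):
        findings.extend(audit_container(entry))
    findings.extend(audit_daemon(json.loads(daemon_json)))
    return findings


# Constructed sample input: one container with both problems, one clean one.
SAMPLE_INSPECT = json.dumps([
    {
        "Name": "/ci-runner",
        "HostConfig": {
            "Privileged": True,
            "Binds": ["/var/run/docker.sock:/var/run/docker.sock"],
        },
        "Mounts": [
            {"Type": "bind", "Source": "/var/run/docker.sock",
             "Destination": "/var/run/docker.sock"},
        ],
    },
    {
        "Name": "/web",
        "HostConfig": {"Privileged": False, "Binds": ["/srv/www:/usr/share/nginx/html:ro"]},
        "Mounts": [{"Type": "bind", "Source": "/srv/www", "Destination": "/usr/share/nginx/html"}],
    },
])

# Constructed sample daemon.json: plaintext TCP listener, no TLS at all.
SAMPLE_DAEMON_JSON = json.dumps({"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]})

if __name__ == "__main__":
    for finding in run_audit(SAMPLE_INSPECT, SAMPLE_DAEMON_JSON):
        print("FINDING:", finding)
```

On a real host the same functions can be fed `docker inspect $(docker ps -q)` and the contents of `/etc/docker/daemon.json`; the check is deliberately limited to what those documents state, so a socket reached through some other path (for example a volume whose source is a directory containing the socket) would not be caught and still needs a human review of the mounts.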