

Understanding Docker Security and Best Practices - adamveld12
https://blog.docker.com/2015/05/understanding-docker-security-and-best-practices/

======
zaroth
A large part of the document boils down to 'run with defaults', 'setup
auditing', and 'check file permissions', 'drop unneeded capabilities', 'define
sane limits', 'centralize and rotate logs', and 'make backups'. These are all
really great baseline steps. There were also I think a few Docker-specific
points worth highlighting;

\- Run with -icc=false. This should have been the default but isn't for legacy
reasons I think. By default there is no firewall between containers. icc=false
turns the inter-container firewall on. This is a pretty basic one, but easy
for new docker users to miss.

\- Host port mapping (e.g. -p 80) by default binds to 0.0.0.0:80 on the host
container. This could inadvertently expose your internal services to
unexpected interfaces. Specify the host IP you want to bind to explicitly
(e.g. -p 127.0.0.1:49123:8080)

\- Run inside containers as non-root. Most Dockerfiles you come across will
run as root inside the container. In your base image, 'RUN useradd' and in
your Dockerfiles add a 'USER' directive, and start the container with -u
<user>.

\- Set root file system as read-only inside the container. It enforces the
best practice that the container should be immutable anyway.

\- Instead of --restart:always, try --restart=on-failure:5 to avoid a possible
DoS or excessive flapping. Not sure if I 100% agree with this, but it's an
interesting suggestion.

~~~
general_failure
I have never managed the readonly container to work.

/var/run needs to be writable. /tmp needs to be writable and so on. I gave it
a shot again today:

$ docker run --read-only=true -ti ubuntu:14.10 touch /tmp/foo

touch: cannot touch '/tmp/foo': Read-only file system

How is this supposed to work? There is little to no information on how this
feature works. Can you give me a pointer?

In addition, restart:on-failure appears to have issues if docker itself
crashes.

~~~
kentonv
Once inside the container, you need to mount a tmpfs at /tmp, and another one
at /run (which /var/run usually links to).

E.g.:

    
    
        mount -t tmpfs -o size=256M tmpfs /tmp
    

(I'm not sure if/how you can make Docker do this automatically. I'd imagine
there's a flag or something.)

~~~
doomrobo
You could use the CMD keyword in the Dockerfile to ensure that that's run
every time the container is started

------
bkeroack
This document says essentially nothing of significance--it is a marketing
piece. There are no details of exactly how resilient a containerized process
is to attack, how to prevent "escaping", etc. The general consensus (if I'm
not mistaken) is that containers are for deployment/operational convenience
and should not be relied upon for security, but you would have no idea if you
only read this so-called whitepaper.

------
zobzu
Them registration links :(

~~~
markbnj
I'm with you. See a link to a white paper on Docker security. Oh boy! Click on
link. See registration form. Bummer.

~~~
yarrel
I just downloaded the whitepaper without registering.

Maybe they stopped requiring it?

Discouraging people from following security best practice would be counter-
productive.

~~~
oskarpearson
It seems they have stopped requiring registration. Clicking on the
"Introduction to Container Security" page takes you straight to cloudfront.

------
ams6110
Why do I need to take any action to securely deply Docker containers? Why
aren't they secure by default. What I should need to study is how to run them
insecurely, should I have that need. Secure should be the default mode.

~~~
kentonv
Docker aims to run arbitrary off-the-shelf Linux apps (and even entire
distros) with no modification. Such apps are largely authored to work in
traditional environments where security is fairly ad hoc and requires fiddly
user configuration. Although in many cases it would not be hard to adapt them
to a uniform security model, any such requirement would mean that Docker would
only support apps that have been "ported" to that model, which would make it a
very different kind of platform not suited for the same use cases.

For an example of the opposite approach, look at Sandstorm.io. It forces apps
to conform to a strict platform-defined security model where things are
isolated "by default" and from there the user can use friendly UI to grant
permissions as necessary. This means that currently there are only some 30
apps available on Sandstorm but they are (or will be, when Sandstorm reaches
1.0) "secure by default", or at least much more so than other platforms could
claim.

(Disclosure: I'm the lead developer of Sandstorm.)

