
Show HN: Security and Docker: tips and tricks - made2591
https://made2591.github.io/posts/docker-security
======
nisa
There is Docker Bench for security that helps you get a quick overview for
your system:
[https://github.com/docker/docker-bench-security](https://github.com/docker/docker-bench-security)

If you compare with LXD, security on Docker is just sad...

Have fun hitting strange bugs: multi-stage builds break when you use user
namespaces:
[https://github.com/moby/moby/issues/34645](https://github.com/moby/moby/issues/34645)

Using USER has some interesting side effects like no more access to
/dev/stdout and /dev/stderr

Using apparmor profiles does not do what you think it would do (i.e.
disallowing access outside of the image fs); it's rather a few rules to prevent
access to certain /proc things.

But you can do this:
[https://docs.docker.com/engine/security/apparmor/](https://docs.docker.com/engine/security/apparmor/)

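The /dev/stdout side effect mentioned in the comment above, as an added example that is not part of the thread or of the linked post: opening /dev/stdout by path makes the kernel re-resolve /proc/self/fd/1 and re-check permissions on whatever fd 1 points at, which fails for a non-root USER when that target was created by root; writing to the already-open file descriptor 1 needs no new open() and keeps working. The `demo` function below reproduces the failure mode locally (no container needed) by pointing fd 1 at a file with mode 000, which is a constructed stand-in for the root-owned pipe Docker attaches; the function names are my own.

```shell
#!/bin/sh
# Added example: logging helper for an entrypoint that runs under a non-root
# USER. The "failure" it guards against is open("/dev/stdout") being denied
# while fd 1 itself is perfectly writable.

# Returns 0 if /dev/stdout can be opened *by path* for append, 1 otherwise.
# Append mode is used so the probe never truncates a file behind fd 1.
probe_dev_stdout() {
    if ( : >> /dev/stdout ) 2>/dev/null; then
        return 0
    fi
    return 1
}

# Writes one line through the inherited descriptor; never opens /dev/stdout.
# This is the form to use in entrypoint scripts: ">&1" duplicates fd 1,
# which requires no path lookup and no permission check on the target.
log_line() {
    printf '%s\n' "$*" >&1
}

# Constructed reproduction of the container symptom: fd 1 is redirected to a
# file we then make unreadable/unwritable by path. A non-root caller cannot
# reopen it via /dev/stdout, yet log_line still lands in the file. Running as
# root bypasses the mode check, so the message notes that case explicitly.
demo() {
    tmp=$(mktemp) || return 1
    (
        exec >"$tmp"          # fd 1 now points at the file (already open)
        chmod 000 "$tmp"      # later path-based opens of it will be denied
        if probe_dev_stdout; then
            log_line "open(/dev/stdout) succeeded (probably running as root)"
        else
            log_line "open(/dev/stdout) denied; writing via fd 1 instead"
        fi
    )
    chmod 600 "$tmp"          # restore so we can read the result back
    cat "$tmp"
    rm -f "$tmp"
}

# Run the reproduction when executed directly.
case "$0" in
    *sh) : ;;                # sourced into an interactive shell: do nothing
    *) demo ;;
esac
```

The same distinction matters for software that takes a log path from configuration: pointing it at /dev/stdout works as root and breaks after adding `USER`, whereas configuring it to log to the process's own stdout (or running with a TTY, which changes what fd 1 refers to) avoids the path lookup entirely.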
------
alexk
I enjoyed reading your blog post and the points you've mentioned are really
important, for example suid bit is something that is not obvious at all.

If you'll ever get to writing similar guide for Kubernetes, ping me and I'd be
happy to make it a guest blog post at gravitational.com

~~~
made2591
Yes! A friend of mine also noticed that I forgot to speak about --userns! I
should fix it in the next days hopefully

------
theamk
Consider updating color schema, the gray code is unreadable on ipad

~~~
made2591
Yes, I have a plan to do it ASAP - you're definitely right :/

------
swimmadude66
How does your site have no scrollbar? I know it's a small thing, but it looks
so clean...

------
geezerjay
Great stuff. Kudos for the content.

~~~
made2591
Thank you very much!

