Andreas/docker-cheat-sheet
1
0
Fork 0
mirror of https://github.com/wsargent/docker-cheat-sheet.git synced 2025-12-16 15:10:12 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

Merge pull request #64 from wsargent/update-security-section

Browse source 
Update security section
This commit is contained in:
Will Sargent 2016-01-12 10:50:23 -08:00
commit 41ef49555b
1 changed files with 17 additions and 3 deletions
Download patch file Download diff file Expand all files Collapse all files

20
README.md
View file

@ -346,11 +346,13 @@ This is where general Docker best practices and war stories go:
## Security
This is where security tips about Docker go.
This is where security tips about Docker go. The [security](https://docs.docker.com/engine/articles/security/) page goes into more detail.
If you are in the `docker` group, you effectively [have root access](http://reventlov.com/advisories/using-the-docker-command-to-root-the-host).
First things first: Docker runs as root. If you are in the `docker` group, you effectively [have root access](http://reventlov.com/advisories/using-the-docker-command-to-root-the-host). If you expose the docker unix socket to a container, you are giving the container [root access to the host](https://www.lvh.io/posts/dont-expose-the-docker-socket-not-even-to-a-container.html). Docker should not be your only defense.
Likewise, if you expose the docker unix socket to a container, you are giving the container [root access to the host](https://www.lvh.io/posts/dont-expose-the-docker-socket-not-even-to-a-container.html).
### Security Tips
For greatest security, you want to run Docker inside a virtual machine, on on a host. This is straight from the Docker Security Team Lead -- [slides](http://www.slideshare.net/jpetazzo/linux-containers-lxc-docker-and-security) / [notes](http://www.projectatomic.io/blog/2014/08/is-it-safe-a-look-at-docker-and-security-from-linuxcon/). Then, run with AppArmor / seccomp / SELinux / grsec etc to [limit the container permissions](http://linux-audit.com/docker-security-best-practices-for-your-vessel-and-containers/).
Docker image ids are [sensitive information](https://medium.com/@quayio/your-docker-image-ids-are-secrets-and-its-time-you-treated-them-that-way-f55e9f14c1a4) and should not be exposed to the outside world. Treat them like passwords.
@ -358,6 +360,7 @@ See the [Docker Security Cheat Sheet](https://github.com/konstruktoid/Docker/blo
From the [Docker Security Cheat Sheet](http://container-solutions.com/content/uploads/2015/06/15.06.15_DockerCheatSheet_A2.pdf) (it's in PDF which makes it hard to use, so copying below) by [Container Solutions](http://container-solutions.com/is-docker-safe-for-production/):
Turn off interprocess communication with:
```
@ -395,6 +398,17 @@ RUN groupadd -r user && useradd -r -g user user
USER user
```
### Security Videos
* [Using Docker Safely](https://youtu.be/04LOuMgNj9U)
* [Securing your application using Docker](https://youtu.be/KmxOXmPhZbk)
* [Securing your applications using Docker](https://youtu.be/KmxOXmPhZbk)
* [Container security: Do containers actually contain?](https://youtu.be/a9lE9Urr6AQ)
### Security Roadmap
The Docker roadmap talks about [seccomp support](https://github.com/docker/docker/blob/master/ROADMAP.md#11-security).
There is an AppArmor policy generator called [bane](https://github.com/jfrazelle/bane), and they're working on [security profiles](https://github.com/docker/docker/issues/17142). There's also work on [user namespaces](https://s3hh.wordpress.com/2013/07/19/creating-and-using-containers-without-privilege/).
## Tips