Andreas/docker-cheat-sheet
1
0
Fork 0
mirror of https://github.com/wsargent/docker-cheat-sheet.git synced 2025-12-18 08:00:14 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

Add a security section

Browse source
This commit is contained in:
Will Sargent 2015-10-02 12:26:49 -07:00
parent 47209a7988
commit 43291a45a1
1 changed files with 9 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

11
README.md
View file

@ -14,6 +14,7 @@ NOTE: This used to be a gist that continually expanded. It's now a github proje
* [Volumes](#volumes) * [Volumes](#volumes)
* [Exposing Ports](#exposing-ports) * [Exposing Ports](#exposing-ports)
* [Best Practices](#best-practices) * [Best Practices](#best-practices)
* [Security](#security)
* [Tips](#tips) * [Tips](#tips)
## Why ## Why
@ -151,8 +152,6 @@ Images are just [templates for docker containers](https://docs.docker.com/introd
* [`docker history`](https://docs.docker.com/reference/commandline/history) shows history of image. * [`docker history`](https://docs.docker.com/reference/commandline/history) shows history of image.
* [`docker tag`](https://docs.docker.com/reference/commandline/tag) tags an image to a name (local or registry). * [`docker tag`](https://docs.docker.com/reference/commandline/tag) tags an image to a name (local or registry).
Docker image ids are [sensitive information](https://medium.com/@quayio/your-docker-image-ids-are-secrets-and-its-time-you-treated-them-that-way-f55e9f14c1a4) and should not be exposed to the outside world. Treat them like passwords.
## Registry & Repository ## Registry & Repository
A repository is a *hosted* collection of tagged images that together create the file system for a container. A repository is a *hosted* collection of tagged images that together create the file system for a container.
@ -215,6 +214,14 @@ This is where general Docker best practices and war stories go:
* [Building a Development Environment With Docker](http://tersesystems.com/2013/11/20/building-a-development-environment-with-docker/) * [Building a Development Environment With Docker](http://tersesystems.com/2013/11/20/building-a-development-environment-with-docker/)
* [Discourse in a Docker Container](http://samsaffron.com/archive/2013/11/07/discourse-in-a-docker-container) * [Discourse in a Docker Container](http://samsaffron.com/archive/2013/11/07/discourse-in-a-docker-container)
## Security
If you are in the `docker` group, you effectively [have root access](http://reventlov.com/advisories/using-the-docker-command-to-root-the-host).
Likewise, if you expose the docker unix socket to a container, you are giving the container [root access to the host](https://www.lvh.io/posts/dont-expose-the-docker-socket-not-even-to-a-container.html).
Docker image ids are [sensitive information](https://medium.com/@quayio/your-docker-image-ids-are-secrets-and-its-time-you-treated-them-that-way-f55e9f14c1a4) and should not be exposed to the outside world. Treat them like passwords.
## Layers ## Layers
The versioned filesystem in Docker is based on layers. They're like [git commits or changesets for filesystems](https://docs.docker.com/terms/layer/). The versioned filesystem in Docker is based on layers. They're like [git commits or changesets for filesystems](https://docs.docker.com/terms/layer/).