Add link to understanding and hardening containers

This commit is contained in:
Will Sargent 2016-05-17 09:54:14 -07:00
parent 506cc94899
commit d5b27bfe44


@ -383,9 +383,14 @@ This is where general Docker best practices and war stories go:
## Security
This is where security tips about Docker go. The [security](https://docs.docker.com/engine/articles/security/) page goes into more detail.
This is where security tips about Docker go. The Docker [security](https://docs.docker.com/engine/articles/security/) page goes into more detail.
First things first: Docker runs as root. If you are in the `docker` group, you effectively [have root access](http://reventlov.com/advisories/using-the-docker-command-to-root-the-host). If you expose the docker unix socket to a container, you are giving the container [root access to the host](https://www.lvh.io/posts/dont-expose-the-docker-socket-not-even-to-a-container.html). Docker should not be your only defense.
First things first: Docker runs as root. If you are in the `docker` group, you effectively [have root access](http://reventlov.com/advisories/using-the-docker-command-to-root-the-host). If you expose the docker unix socket to a container, you are giving the container [root access to the host](https://www.lvh.io/posts/dont-expose-the-docker-socket-not-even-to-a-container.html).
Docker should not be your only defense. You should secure and harden it.
For an understanding of what containers leave exposed, you should read is [Understanding and Hardening Linux Containers](https://www.nccgroup.trust/globalassets/our-research/us/whitepapers/2016/april/ncc_group_understanding_hardening_linux_containers-10pdf) by [Aaron Grattafiori](https://twitter.com/dyn___). This is a complete and comprehensive guide to the issues involved with containers, with a plethora of links and footnotes leading on to yet more useful content. The security tips following are useful if you've already hardened containers in the past, but are not a substitute for understanding.
### Security Tips
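Review bot: the new paragraph has a stray word and a suspect URL. "you should read is [Understanding and Hardening Linux Containers]" should drop the "is", and the whitepaper link ends in `ncc_group_understanding_hardening_linux_containers-10pdf`, which looks like a `-10.pdf` filename with the dot lost; please confirm the link resolves before merging. The split of the original sentence into "Docker should not be your only defense. You should secure and harden it." reads fine, as does the "Docker [security] page" wording fix.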
@ -461,6 +466,7 @@ To enable user namespaces ("remap the userns") in Ubuntu 15.10, [follow the blog
* [Using Docker Safely](https://youtu.be/04LOuMgNj9U)
* [Securing your applications using Docker](https://youtu.be/KmxOXmPhZbk)
* [Container security: Do containers actually contain?](https://youtu.be/a9lE9Urr6AQ)
* [Linux Containers: Future or Fantasy?](https://www.youtube.com/watch?v=iN6QbszB1R8)
### Security Roadmap
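Review bot: style nit on the added bullet: the three existing entries use `youtu.be` short links while the new "Linux Containers: Future or Fantasy?" entry uses the long `https://www.youtube.com/watch?v=` form; consider the short form for consistency with the rest of the list.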