Related Reads
Docker container is an open source project (Apache License 2.0). Containers allow developers to package up their applications without worrying about libraries and dependencies, a headache, allowing them to ship their applications among any system running Linux operating system.You can look at them like Virtual machines but without the need for creating a whole virtual operating system.
Docker comes with security measures. It is secure by default (as it seems) but to use your docker safely, you need to be aware of many threats.
Setuid and setgid bins can be exploited by attackers.So you need to disable the SETUID rights by adding this lines to the Dockerfile:
FROM debian:Xenial
RUN find / -perm +6000 -type f -exec chmod a-s {} ;
|| true
To avoid a denial of service attempts while docker is using kernel resources you need to make sure that containers are belonging to many users and different VMs and by modifying the container CPU share (1024 by default) Â in addition of limiting the maximum memory consumed by every container.
$ docker run -d -c 512 Â someimage
$ docker run -m 512m   someimage
Don’t forget to turn off the INTER-CONTAINER COMMUNICATION because by default it is enabled.
$ docker -d –icc=false –iptables
To defend against poisoned Images(for example Injected images) you need to verify them.Because you need to make sure that the images are trusted and signed.
$ docker pull someimage@sha256:a25306f3850e1bd44541976aa7b5fd0a29be (succeed if the image is signed)
To enable content trust in a bash shell
export DOCKER_CONTENT_TRUST=1
To prevent attackers from taking control and gaining access you need to follow this steps:
-Make the filesystem Read-Only by setting CONTAINER FILE SYSTEM TO READ-ONLY:
$ docker run –read-only debian touch x
– Don’t run Docker as root and set  a User:
RUN groupadd -r user && useradd -r -g user user
USER user
– Don’t use environment variables to share secrets and don’t run containers  with the –privileged FLAG
Â
Did You Know?
Cybrary has tons of FREE training resources!
For lifetime access simply CREATE A FREE ACCOUNT.
Already a member? login here.
We recommend always using caution when following any link
Are you sure you want to continue?
You might be aware about that interesting document about hardening Docker :
https://benchmarks.cisecurity.org/tools2/docker/CIS_Docker_1.12.0_Benchmark_v1.0.0.pdf
Good to know! THX Bro!
Really helpful! Thanks