Docker Security
"It works on my computer." - A statement that is becoming less important with the advent of containerisation, and one of the main reasons for the massive upswing in container technologies.
1. Virtualization Techniques
- Container-Based: Efficient, lightweight solutions using OS isolation.
- Hypervisor-Based: Strong isolation with VMs, but more resource-intensive.
2. Docker Overview
- Client-Server Model
  - Docker daemon (dockerd): Manages containers, images, networks.
  - Docker client (docker run/pull): User interface for Docker.
  - Docker registries (docker push/pull): Repositories for Docker images.
3. Docker Commands & Security Implications
- User Group Modification:
    sudo usermod -aG docker [user]
  - Adds the user to the docker group, which gives them full control of the Docker daemon (effectively root on the host).
- Mounting Host Filesystem:
    docker run -v /:/privesc -it [image] /bin/bash
  - Exposes the entire host filesystem, writable, inside the container.
- Altering Sudoers:
    echo "[user] ALL=(ALL) NOPASSWD: ALL" >> /privesc/etc/sudoers
  - Modifies the host's sudoers file through the mounted volume, so the change affects the host's security, not just the container's.
4. Security Threats and Practices
- Basic Commands for Monitoring and Cleanup:
  - List all containers:
    docker ps -a
  - Inspect a container:
    docker inspect [id]
  - Remove a container:
    docker rm [id]
- Prevention Techniques:
  - Run as non-root:
    docker run --name [app] -u [user]
  - Read-only volumes:
    docker run -v /:/privesc:ro -it debian /bin/bash
  - Limit resources:
    docker run --cpus=0.5 --memory=128m
  - Network segregation:
    docker network create, docker network rm
  - Secure Dockerfile practices: Audit with grep.
  - Image inspection:
    docker image inspect, docker image history
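The checks from sections 3 and 4 can be automated over the output of docker inspect. The script below is an added example, not code from the original page: it parses the JSON array that `docker inspect` prints and flags the host-root bind mount from section 3 (distinguishing writable from `:ro`), containers running as root, `--privileged`, and missing `--cpus`/`--memory` limits, plus a grep-style Dockerfile check for a missing or root USER instruction. The field names (Mounts, Config.User, HostConfig.Privileged/Memory/NanoCpus) are the real docker inspect keys; the two inspect documents and the Dockerfile text are constructed for the example, and the list of sensitive host paths is an assumption.

```python
"""Audit `docker inspect` output and Dockerfiles for the risky settings above.

Usage against a live host (docker is assumed to be installed there):
    docker inspect $(docker ps -aq) | python3 audit_docker.py
With no stdin, the constructed sample below is audited instead.
"""
import json
import sys

# Assumption: host paths whose bind-mounting into a container is worth flagging.
SENSITIVE_HOST_PATHS = ("/", "/etc", "/root", "/var/run/docker.sock")


def _is_root_user(user):
    """Config.User is "" when no -u / USER was given, which means uid 0."""
    user = (user or "").split(":")[0]
    return user in ("", "0", "root")


def audit_container(doc):
    """Return a list of findings for one docker inspect object."""
    findings = []
    cfg = doc.get("Config", {})
    host = doc.get("HostConfig", {})
    for m in doc.get("Mounts", []):
        if m.get("Type") != "bind":
            continue
        src, dst, rw = m.get("Source", ""), m.get("Destination", ""), m.get("RW", True)
        if src in SENSITIVE_HOST_PATHS:
            sev = "HIGH" if rw else "MEDIUM"   # read-only (:ro) mounts still leak data but block sudoers edits
            findings.append(f"{sev}: host path {src} bind-mounted at {dst} ({'rw' if rw else 'ro'})")
    if host.get("Privileged"):
        findings.append("HIGH: container is --privileged")
    if _is_root_user(cfg.get("User")):
        findings.append("MEDIUM: process runs as root (no -u / USER)")
    if not host.get("Memory"):       # 0 == unlimited; --memory=128m sets 134217728
        findings.append("LOW: no memory limit (--memory)")
    if not host.get("NanoCpus"):     # 0 == unlimited; --cpus=0.5 sets 500000000
        findings.append("LOW: no CPU limit (--cpus)")
    return findings


def audit_inspect_output(text):
    """Map container name -> findings for the JSON array `docker inspect` prints."""
    return {doc.get("Name", "").lstrip("/"): audit_container(doc) for doc in json.loads(text)}


def dockerfile_runs_as_root(dockerfile_text):
    """True if the Dockerfile never switches to a non-root USER (the grep-style check)."""
    user = None
    for line in dockerfile_text.splitlines():
        parts = line.strip().split()
        if parts and parts[0].upper() == "USER":
            user = parts[1] if len(parts) > 1 else ""
    return user is None or _is_root_user(user)


# Constructed sample: the risky container from section 3 next to a hardened one from section 4.
SAMPLE_INSPECT = json.dumps([
    {
        "Id": "0123456789abcdef", "Name": "/privesc",
        "Config": {"User": "", "Image": "debian"},
        "HostConfig": {"Privileged": False, "Memory": 0, "NanoCpus": 0},
        "Mounts": [{"Type": "bind", "Source": "/", "Destination": "/privesc", "RW": True}],
    },
    {
        "Id": "fedcba9876543210", "Name": "/app",
        "Config": {"User": "1000:1000", "Image": "debian"},
        "HostConfig": {"Privileged": False, "Memory": 134217728, "NanoCpus": 500000000},
        "Mounts": [{"Type": "bind", "Source": "/", "Destination": "/privesc", "RW": False}],
    },
])

SAMPLE_DOCKERFILE = "FROM debian\nRUN apt-get update\nCMD [\"/bin/bash\"]\n"  # constructed, no USER line

if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_INSPECT
    for name, findings in audit_inspect_output(text).items():
        print(f"{name}: {'OK' if not findings else ''}")
        for f in findings:
            print(f"  {f}")
    if dockerfile_runs_as_root(SAMPLE_DOCKERFILE):
        print("Dockerfile: no non-root USER instruction")
```

The read-only mount is reported at a lower severity on purpose: `-v /:/privesc:ro` still exposes host data, but the `echo ... >> /privesc/etc/sudoers` step from section 3 fails against it, which is the point of the read-only recommendation.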