Docker Security

From Embedded Lab Vienna for IoT & Security
Jump to navigation Jump to search

Docker Security

"It works on my computer." - A statement that is becoming less important with the advent and introduction of containerisation. This is one of the main reasons for the massive upswing in container technologies

1. Virtualization Techniques

  • Container-Based: Efficient, lightweight solutions using OS isolation.
  • Hypervisor-Based: Strong isolation with VMs, but more resource-intensive.

2. Docker Overview

  • Client-Server Model
    • Docker daemon (dockerd): Manages containers, images, networks.
    • Docker client (docker run/pull): User interface for Docker.
    • Docker registries (docker push/pull): Repositories for Docker images.

3. Docker Commands & Security Implications

  • User Group Modification: sudo usermod -aG docker [user]
    • Grants Docker group access.
  • Mounting Host Filesystem: docker run -v /:/privesc -it [image] /bin/bash
    • Poses a security risk.
  • Altering Sudoers: echo “[user] ALL=(ALL) NOPASSWD: ALL” >> /privesc/etc/sudoers
    • Affects host’s security.

4. Security Threats and Practices

  • Basic Commands for Monitoring and Cleanup:
    • List all containers: docker ps -a
    • Inspect a container: docker inspect [id]
    • Remove a container: docker rm [id]
  • Prevention Techniques:
    • Run as non-root: docker run --name [app] -u [user]
    • Read-only volumes: docker run -v /:/privesc:ro -it debian /bin/bash
    • Limit resources: docker run --cpus=0.5 --memory=128m
    • Network segregation: docker network create, docker network rm
    • Secure Dockerfile practices: Audit with grep.
    • Image inspection: docker image inspect, docker image history


  • Bui, Thanh. “Analysis of Docker Security.” ArXiv, 2015. Link
  • Polop, Carlos. “Docker Breakout/Privilege Escalation.” Link. Accessed 19-10-2023.
  • Docker Inc. “Docker Overview | Docker Docs.” Link. Accessed 7-09-2023.
  • Segura, Thomas. “Docker Security Best Practices.” Link. Accessed 3-10-2023.