Securing your Docker Containers: Hands-on

DroobingNoob
4 min read · Feb 4, 2023

Docker Basics

How do you get a Docker image and run containers from it? We will use CentOS as the example here.

With this CentOS image, I am going to run a Docker container.

We can confirm that the container is running:

To access the container:

Next, we pull Alpine and run a container from it using the same steps as above.

We can see two containers running, one from the CentOS image and one from the Alpine image.

You can browse all the images available to pull on Docker Hub.

Dockerfile

Before moving on to container security, it is important to understand the concept of a Dockerfile.

A Dockerfile is a text document containing the instructions Docker uses to build an image; anyone can write one to create an image of their own.

Let us create our own Dockerfile. First we create the file, then edit it.

Make sure to name the file “Dockerfile” (capital D, no extension).

Now we build the image from the Dockerfile we just created. Command: docker build -t imageName:tagName "directory containing the Dockerfile" (the last argument is the build context, usually just . when you are in that directory).

Useful Docker cheat sheet: https://github.com/wsargent/docker-cheat-sheet
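As an added example (not from the original post), here is a small Dockerfile of the kind the text describes, with the build, run, list and exec commands from the Docker Basics section as comments. The image name myapp:1.0, the base image tag and the constructed server script are my own choices.

```dockerfile
# Added example Dockerfile (not from the original post). Image name and contents are assumed.
# Build from the directory that holds this file (the build context is ".", not the file itself):
#   docker build -t myapp:1.0 .
# Run, list and enter the resulting container:
#   docker run -d --name myapp -p 8080:8080 myapp:1.0
#   docker ps
#   docker exec -it myapp sh

# Pin the base image to a specific tag so rebuilds are reproducible; "latest" moves.
FROM alpine:3.19

# Install only what the service needs; --no-cache keeps apk's index out of the layer.
RUN apk add --no-cache python3

# A constructed stand-in for an application: a tiny HTTP file server on port 8080.
WORKDIR /app
RUN printf '%s\n' \
      'from http.server import HTTPServer, SimpleHTTPRequestHandler' \
      'HTTPServer(("0.0.0.0", 8080), SimpleHTTPRequestHandler).serve_forever()' \
      > /app/server.py

# Document the port and start the service in exec form, so python3 is PID 1 and receives signals.
EXPOSE 8080
CMD ["python3", "/app/server.py"]
```

Each instruction becomes a layer, so keeping the package install on its own line lets Docker cache it while the application files change.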

Container Security… FINALLY!

Now on to the practical side of container security!

i. Running containers as non-root

The first security practice I'll demonstrate is running Docker containers as a non-root user.

The Dockerfile needs to be edited for this:

Now we can run the image as the non-root user “noob”:

To stop anyone inside the container from switching to root, add this line to the Dockerfile: RUN chsh -s /usr/sbin/nologin root

Build the image again, run it, and you're good to go.
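The non-root pattern from this section as a complete Dockerfile, added here as an example rather than taken from the post. The base image, the user name noob, the UID and the constructed entrypoint are my assumptions; the post uses CentOS, where useradd and chsh work the same way.

```dockerfile
# Added example (not from the original post). Base image, user and UID are assumptions.
# Build and run:
#   docker build -t myapp:nonroot .
#   docker run --rm myapp:nonroot        # prints "running as noob uid=10001"
FROM debian:bookworm-slim

# Create an unprivileged system user with a fixed UID (easy to reference in volume
# permissions and policies), a home directory, and no interactive login shell.
RUN useradd --system --uid 10001 --create-home --shell /usr/sbin/nologin noob

# Disable interactive logins for root, as the post describes: su and login can no
# longer hand out a root shell inside the container.
RUN chsh -s /usr/sbin/nologin root

# Application files stay owned by root and are only readable/executable for the
# service user, so a compromised process cannot rewrite its own code.
WORKDIR /app
RUN printf '%s\n' '#!/bin/sh' \
      'echo "running as $(id -un) uid=$(id -u)"' \
      'exec sleep infinity' > /app/entrypoint.sh \
    && chmod 0555 /app/entrypoint.sh

# Every later instruction and the container's main process run as "noob".
USER noob

CMD ["/app/entrypoint.sh"]
```

Two caveats worth knowing: the USER instruction can be overridden at run time with docker run --user, and the nologin shell only affects login-style paths such as su and login; docker exec --user 0 from the host still gets root, and setuid binaries are unaffected. It is therefore a complement to dropping capabilities and a read-only root filesystem, not a substitute for them.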

ii. Manipulating capabilities for a user

But we may need to run some system services, and a non-root user with no capabilities at all cannot do that.

In that case we can add or drop individual capabilities when running the image:

[I added an arbitrary capability purely for example purposes. Be careful about which capabilities you grant.]

iii. Toggling read-only

Next, I will demonstrate how to restrict access to the file system. The way to do this is to mount the container's file system read-only when running it.

If you want one directory to stay writable while everything else is read-only:
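Once a container has been started with dropped capabilities and a read-only root filesystem, it is worth verifying from the inside that the flags actually took effect. The script below is an added example (not from the post) that serves both the capabilities section and the read-only section: it reads the process's effective capability mask from /proc/self/status, decodes it bit by bit against a short list of capabilities a service rarely needs, probes whether / accepts writes, and checks the UID. The image name, user name and the list of flagged capabilities are my choices; the capability numbers come from the kernel's capability.h.

```shell
#!/bin/sh
# check_posture.sh: added example (not from the original post). Run it INSIDE a
# container to confirm the hardening from the two sections above took effect:
# non-root user, dropped capabilities and a read-only root filesystem.
#
# Assumed invocation (image name and user are placeholders from this post's examples):
#   docker run --rm --user noob --cap-drop ALL --cap-add NET_BIND_SERVICE \
#     --read-only --tmpfs /tmp:rw,noexec,nosuid,size=64m \
#     -v "$PWD/check_posture.sh:/check_posture.sh:ro" myapp:1.0 sh /check_posture.sh run

# Capability numbers from <linux/capability.h> that a service rarely needs and that
# are worth flagging when present (the selection is mine, not a kernel constant).
RISKY_CAPS="2:DAC_READ_SEARCH 12:NET_ADMIN 13:NET_RAW 16:SYS_MODULE 17:SYS_RAWIO 19:SYS_PTRACE 21:SYS_ADMIN"

# cap_in_mask HEXMASK BIT: succeed if capability BIT is set in HEXMASK.
# HEXMASK is the value printed after "CapEff:" in /proc/self/status.
cap_in_mask() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# flagged_caps HEXMASK: print the names of RISKY_CAPS present in HEXMASK, space separated.
flagged_caps() {
    found=""
    for entry in $RISKY_CAPS; do
        bit="${entry%%:*}"
        name="${entry#*:}"
        if cap_in_mask "$1" "$bit"; then
            found="${found:+$found }$name"
        fi
    done
    printf '%s\n' "$found"
}

# effective_caps: the hexadecimal effective-capability mask of this process.
effective_caps() {
    awk '/^CapEff:/ { print $2 }' /proc/self/status
}

# rootfs_writable: succeed if the root filesystem accepts writes (the probe file is removed again).
rootfs_writable() {
    if touch /.posture-probe 2>/dev/null; then
        rm -f /.posture-probe
        return 0
    fi
    return 1
}

# run_checks: print one line per check and return 1 if any check fails.
run_checks() {
    status=0
    if [ "$(id -u)" -eq 0 ]; then
        echo "FAIL uid: running as root"; status=1
    else
        echo "PASS uid: running as $(id -un) ($(id -u))"
    fi
    caps=$(effective_caps)
    risky=$(flagged_caps "$caps")
    if [ -n "$risky" ]; then
        echo "FAIL caps: CapEff=$caps includes $risky"; status=1
    else
        echo "PASS caps: CapEff=$caps has none of: $RISKY_CAPS"
    fi
    if rootfs_writable; then
        echo "FAIL rootfs: / is writable (start the container with --read-only)"; status=1
    else
        echo "PASS rootfs: / is read-only"
    fi
    return $status
}

# Only run the checks when invoked as "sh check_posture.sh run"; otherwise the
# file can be sourced to reuse the helpers.
if [ "${1:-}" = "run" ]; then
    run_checks
    exit $?
fi
```

A container started with Docker's default capability set shows CapEff 00000000a80425fb, which this script flags for NET_RAW; after --cap-drop ALL --cap-add NET_BIND_SERVICE the mask is 0000000000000400 and nothing is flagged. The tmpfs on /tmp is what keeps the service working once / is read-only.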

iv. Docker-Bench

Some best practices for Docker security: https://github.com/docker/docker-bench-security

Let me demonstrate this tool. It is basically a script that checks for dozens of common best practices around deploying Docker containers in production.

To run docker-bench, clone the repository and run the script:

git clone https://github.com/docker/docker-bench-security.git
cd docker-bench-security
sudo sh docker-bench-security.sh

Note that WARN should be considered similarly to critical vulnerabilities in any other vulnerability assessment tooling. Equally, the INFO statements may be applicable dependent upon your environment, so do not ignore these.

It also gives me a score of how secure my Docker setup is, which can be used to track and improve security on the Docker host.
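Since the post says WARN findings should be treated like critical vulnerabilities, the natural follow-up is to fail a build or a scheduled audit whenever one appears. The script below is an added example, not part of docker-bench-security: it summarises a saved report by level, lists the ids of the WARN checks and exits non-zero if there are any. The sample report embedded in it is constructed to follow docker-bench's "[LEVEL] id - title" line format; the ids and titles are illustrative, not copied from a real run.

```shell
#!/bin/sh
# bench_gate.sh: added example, not part of docker-bench-security. Summarises a
# saved docker-bench-security report and fails (exit 1) when any check is WARN.
#
# Assumed use, after the commands above:
#   sudo sh docker-bench-security.sh | tee bench.log
#   sh bench_gate.sh bench.log

# Constructed sample report in the shape docker-bench prints (one "[LEVEL] id - title"
# line per check). Ids and titles are illustrative, not copied from a real run.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
[INFO] 1 - Host Configuration
[PASS] 1.1.1 - Ensure a separate partition for containers has been created
[WARN] 1.1.3 - Ensure auditing is configured for the Docker daemon
[INFO] 2 - Docker daemon configuration
[WARN] 2.1 - Run the Docker daemon as a non-root user, if possible
[NOTE] 4.3 - Ensure that unnecessary packages are not installed in the container
[PASS] 5.12 - Ensure that the container's root filesystem is mounted as read only
EOF

# count_level FILE LEVEL: number of checks reported at LEVEL (PASS, WARN, INFO or NOTE).
# grep -c prints 0 but exits 1 when nothing matches, hence the "|| true".
count_level() {
    grep -c "^\[$2\] [0-9][0-9.]* - " "$1" || true
}

# warn_ids FILE: the check ids (e.g. 2.1) of every WARN line, one per line.
warn_ids() {
    sed -n 's/^\[WARN\] \([0-9][0-9.]*\) - .*/\1/p' "$1"
}

# bench_score FILE: passes minus warnings, the arithmetic behind docker-bench's Score line.
bench_score() {
    echo $(( $(count_level "$1" PASS) - $(count_level "$1" WARN) ))
}

# gate FILE: print a summary and return 1 if any WARN is present.
gate() {
    warns=$(count_level "$1" WARN)
    echo "PASS=$(count_level "$1" PASS) WARN=$warns INFO=$(count_level "$1" INFO) NOTE=$(count_level "$1" NOTE) score=$(bench_score "$1")"
    if [ "$warns" -gt 0 ]; then
        echo "Failing checks (treat as critical):"
        warn_ids "$1" | sed 's/^/  /'
        return 1
    fi
    echo "No WARN findings."
}

# With a report path as the first argument, gate on it and use its status as the
# exit code. Without one, show the behaviour on the constructed sample.
if [ -n "${1:-}" ]; then
    gate "$1"
    exit $?
fi
gate "$SAMPLE_LOG" || echo "(exit status 1: the sample contains WARN findings)"
```

Keeping the report file around between runs also lets you diff the WARN ids over time, which is a cheap way to see whether a host is drifting away from the benchmark.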

v. Auditing using Chef InSpec

Chef InSpec is an open-source framework for testing and auditing applications and infrastructure. To install it, fetch the dev-sec CIS Docker benchmark profile and run it:

curl https://omnitruck.chef.io/install.sh | sudo bash -s -- -P inspec

git clone https://github.com/dev-sec/cis-docker-benchmark.git

inspec exec cis-docker-benchmark

At the end, it gives me a summary of the audit it performed.

This can be particularly useful when we want to remediate violations in our containers.

DroobingNoob

Cybersecurity Enthusiast | TryHackMe Top 1% | Future Pentester