Running docker securely

I understand that the docker daemon requires running as root, so I’m told this can cause some security implications, such as: if the container were compromised, attackers could make changes to the host’s system files.

What precautions can I take to mitigate damage in the case of an attack?

Is there a practice that I should be aware of when running the docker daemon? I’ve thought about having Vagrant bring up a VM and having docker run in the VM instead.

One solution collected from the web for “Running docker securely”

    The main source of information regarding docker security practice is the page on “Docker security”.

    Only trusted users should be allowed to control your Docker daemon.
    This is a direct consequence of some powerful Docker features.

    Specifically, Docker allows you to share a directory between the Docker host and a guest container; and it allows you to do so without limiting the access rights of the container.

    If you expose the REST API, you should do so over https.

    Finally, if you run Docker on a server, it is recommended to run exclusively Docker on the server, and move all other services into containers controlled by Docker.

    Regarding the VM, see “Are Docker containers really secure?”

    The biggest problem is that not everything in Linux is namespaced. Currently, Docker uses five namespaces to alter a process’s view of the system: Process, Network, Mount, Hostname, Shared Memory.

    While these give the user some level of security, it is by no means comprehensive, unlike KVM (Kernel-based Virtual Machine).
    In a KVM environment, processes in a virtual machine do not talk to the host kernel directly. They do not have any access to kernel file systems like /sys, /sys/fs and /proc/*.

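As an added example (not part of the question or the answer above), the two daemon-level points the answer raises can be audited offline: whether daemon.json exposes the REST API over plain TCP without TLS client verification, and who is in the docker group (anyone who can talk to the daemon is effectively root on the host). The sample daemon.json contents and the /etc/group excerpt are constructed here; on a real host you would read /etc/docker/daemon.json and /etc/group instead.

```python
import json


def unverified_tcp_listeners(daemon_json: str):
    """Return the tcp:// listeners in a daemon.json that lack TLS verification.

    dockerd takes its listeners from the "hosts" key. A tcp:// entry exposes the
    REST API on the network as plain HTTP unless "tlsverify": true is set
    (together with tlscacert/tlscert/tlskey), so each such entry is reported.
    """
    cfg = json.loads(daemon_json)
    hosts = cfg.get("hosts", [])
    if cfg.get("tlsverify") is True:
        return []
    return [h for h in hosts if h.startswith("tcp://")]


def docker_group_members(group_file: str):
    """Return the user names listed in the 'docker' group of /etc/group-style text."""
    for line in group_file.splitlines():
        fields = line.split(":")
        if len(fields) == 4 and fields[0] == "docker":
            return [m for m in fields[3].split(",") if m]
    return []


# Constructed sample inputs (not taken from any real host).
WEAK_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
})
HARDENED_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})
SAMPLE_GROUP = "root:x:0:\ndocker:x:999:alice,ci-runner\nusers:x:100:\n"

if __name__ == "__main__":
    # The weak config reports its plain-TCP listener; the hardened one reports nothing.
    print("unverified listeners (weak):", unverified_tcp_listeners(WEAK_DAEMON_JSON))
    print("unverified listeners (hardened):", unverified_tcp_listeners(HARDENED_DAEMON_JSON))
    print("docker group members:", docker_group_members(SAMPLE_GROUP))
```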