Docker best practices for security

Question

Most of the Dockerfile you will find on Internet build and run softwares as root ! This must scare everybody, right ? ... but it doesn't seems to be the case ...

So the pb is that running a server as root, even in a container, IS DANGEROUS, because root inside a container is quite the same as root outside the container.

One of the solution is to build a Dockerfile properly by using "USER" instruction like this example for a tor relay.

Another solution is to use the "linux user namespaces" to "map" UID/GID inside container to UID/GID outside a container. for exemple root (uid=0) inside a container can be mapped to your personal user account inside the host, so files created in a shared volume has good permissions.

So my question is :what is the best practice when it comes to security with Docker ? run code as non root (i.e. USER instruction in a Dockerfile) ? Or by using "user namespaces" ? Or eventually (or additionnally) by using selinux and/or AppArmor ?

Thanks :)

Answer 1

Quoting Solomon Hykes

Hi all, I'm a maintainer of Docker. As others already indicated this doesn't work on 1.0. But it could have.

Please remember that at this time, we don't claim Docker out-of-the-box is suitable for containing untrusted programs with root privileges. So if you're thinking "pfew, good thing we upgraded to 1.0 or we were toast", you need to change your underlying configuration now. Add apparmor or selinux containment, map trust groups to separate machines, or ideally don't grant root access to the application.

So as far as best practices go yes to the namespaces and apparmor or selinux, if you are serious about security. That being said a lot of people don't care enough to go to the extra trouble (For better or worse) so you see a lot of people don't go to the trouble. Setting permissions for users on files inside the container (specially ones mounted as volumes) gets tricky sometimes and that is way a lot of people skip the extra overhead.

Answer 2

In additional to SELinux, Apparmour, GRSEC, cgroups provides an additional benefit of isolating and limiting the container resource usage, if configured with care, this helps in preventing one compromised container in affecting the another container. Refer

Answer 3

Best practice is to follow all the three options mentioned at the end of the question together, according to CIS security benchmarks:

1. Non-root user inside container (Section 4.1)
2. Enable user namespaces (Section 2.8)
3. Enable MAC i.e. SELinux or AppArmor in enforcing mode (Section 5.2)

References: https://benchmarks.cisecurity.org/tools2/docker/CIS_Docker_1.12.0_Benchmark_v1.0.0.pdf