5 tips for securing your Docker containers

Once you start making use of Docker, you'll want to consider the security of your server and containers. Here are five tips to help you gain a bit more security with your containers.

Image: Jack Wallen

We've reached the point where businesses almost cannot avoid containers. They make deploying servers and services significantly easier and more efficient. One of the most widely used tools for deploying containers is Docker.

Sometimes efficiency is not enough. Not in this world of constant data theft and security breaches. Even with the incredible technology offered by Docker, you still have to keep a keen eye on security. With that in mind, let's take a look at five things you can do to ensure your Docker experience is a bit more secure.

1. Choose third-party containers carefully

With Docker, you can pull down containers from public repositories. This means you are placing your trust in whoever created the container. But how do you know that container was created securely? Even worse, how do you know that container doesn't contain malicious or corrupt files? You don't. Because of this, you might want to consider using the Docker Hub paid plan. This paid service is one way to ensure the repositories you use have been scanned.

Say, for instance, you want to deploy a WordPress container. If you issue the command sudo docker search WordPress, you'll see an entry for WordPress followed by a number of entries like Bitnami/WordPress. The first entry is the official image, and will be listed as such (Figure A).

Figure A

The official WordPress image is clearly marked.

2. Enable Docker Content Trust

If you're still not sure about third-party images, there's something you can do to help avoid possible issues. As of Docker 1.8 a new security feature was implemented called Docker Content Trust. This feature allows you to verify the authenticity, integrity, and publication date of all Docker images available on the Docker Hub Registry. Thing is, Content Trust isn't enabled by default. Once enabled, Docker will be unable to pull down images that have not been signed.

To enable this feature, issue the command export DOCKER_CONTENT_TRUST=1 in the shell from which you run docker (export is a shell builtin, so it is not prefixed with sudo; the variable must be set in the environment of the docker client, not just the root account). Now when you attempt to pull down an image that isn't signed, Docker will inform you (Figure B).

Figure B

A WordPress image without sufficient trust data cannot be pulled.

3. Set resource limits for your containers

What happens when a container goes awry and begins to consume all of your host's resources? This is certainly not a recipe for success or security. You can actually set resource limits for your individual containers right from the run command. For example, if you want to limit a container to 1GB of memory, you can add the --memory="1000M" option to the run command. You can also limit the number of CPUs with the addition of --cpus=X (where X is the number of CPUs you want available to your container).
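An added example (not from the article) that starts a container with both limits and then reads them back from docker inspect to confirm they took effect; the container name and image are assumptions. Docker records --memory in bytes (K/M/G are binary multiples) and --cpus as NanoCpus, so the helpers convert the requested values the same way before comparing.

```shell
#!/bin/sh
# Convert a --memory value such as 1000M, 1G or 512k to bytes, the form
# Docker stores in HostConfig.Memory (1M = 1024*1024 bytes).
mem_to_bytes() {
  num=$(printf '%s' "$1" | sed 's/^\([0-9]*\).*$/\1/')
  unit=$(printf '%s' "$1" | sed 's/^[0-9]*//' | tr 'A-Z' 'a-z')
  [ -n "$num" ] || { echo "bad memory value: $1" >&2; return 1; }
  case "$unit" in
    ""|b)  echo "$num" ;;
    k|kb)  echo $((num * 1024)) ;;
    m|mb)  echo $((num * 1024 * 1024)) ;;
    g|gb)  echo $((num * 1024 * 1024 * 1024)) ;;
    *)     echo "unknown memory unit: $unit" >&2; return 1 ;;
  esac
}

# Convert a --cpus value such as 1.5 or 2 to NanoCpus (cpus * 1e9), the
# form Docker stores in HostConfig.NanoCpus.
cpus_to_nano() {
  int=${1%%.*}
  frac=${1#*.}
  [ "$frac" = "$1" ] && frac=0            # no decimal point given
  frac=$(printf '%s000000000' "$frac" | cut -c1-9)   # pad to 9 digits
  frac=$(printf '%s' "$frac" | sed 's/^0*//')        # avoid octal parsing
  [ -n "$frac" ] || frac=0
  echo $((int * 1000000000 + frac))
}

# Start a container with limits and verify them via docker inspect.
# Usage: run_limited <name> <memory> <cpus> <image> [args...]
# (prefix docker with sudo if your user is not in the docker group)
run_limited() {
  name=$1; mem=$2; cpus=$3; shift 3
  docker run -d --name "$name" --memory="$mem" --cpus="$cpus" "$@" >/dev/null || return 1
  got_mem=$(docker inspect -f '{{.HostConfig.Memory}}' "$name")
  got_cpu=$(docker inspect -f '{{.HostConfig.NanoCpus}}' "$name")
  [ "$got_mem" = "$(mem_to_bytes "$mem")" ] &&
  [ "$got_cpu" = "$(cpus_to_nano "$cpus")" ]
}

# Example call (assumed name and image):
#   run_limited limited-wp 1000M 1.5 wordpress && echo "limits applied"
```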

4. Consider a third-party security tool

There are a few purpose-built security tools for Docker. For instance, there's Twistlock, a Docker security solution that includes seamless CI integration, extensive API support, and dev-to-production security controls. There are two different versions of Twistlock:

  • Free - 10 repositories, 2 hosts, community support, manual policy creation, open source CVE feeds for vulnerability management.
  • Enterprise - Unlimited repositories/images/hosts, 24/7/365 support, automated policy creation, 30+ vendor, industry, and proprietary feeds for vulnerability management.

5. Use Docker Bench Security

There's a very handy script you can run against your Docker server that will check:

  • Host Configuration
  • Docker Daemon Configuration
  • Docker Daemon Configuration Files
  • Container Images and Build Files
  • Container Runtime

Docker Bench Security should be considered a must-use script. Here's how you use it:

  1. Open up a terminal window on your Docker server
  2. Download the script with the command git clone https://github.com/docker/docker-bench-security.gi...
  3. Change into the newly created directory with the command cd docker-bench-security
  4. Run the script with the command sudo sh docker-bench-security.sh

You will see quite a lot of information pass by as the script runs its checks against your Docker installation. The script will report Info, Warning, and Pass notes for every check (Figure C). From that information, you can act accordingly to further secure your Docker server and containers.

Figure C

The output of the Docker Bench Security script.
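Because the script prints hundreds of lines, an added example (not part of the article or of docker-bench-security itself) that saves a run to a log and pulls out just the counts and the failing check IDs, so they can be tracked between runs. The sample output below is constructed to match the [TAG] id - description line format and is not a real scan result.

```shell
#!/bin/sh
# Constructed sample of Docker Bench Security output (not a real scan).
SAMPLE_OUTPUT='[INFO] 1 - Host Configuration
[WARN] 1.1  - Ensure a separate partition for containers has been created
[PASS] 1.2  - Ensure the container host has been Hardened
[INFO] 1.3  - Ensure Docker is up to date
[INFO]      * Using 17.03.0, when 17.03.0 is currently the latest release
[INFO] 2 - Docker Daemon Configuration
[PASS] 2.1  - Ensure network traffic is restricted between containers
[WARN] 2.5  - Ensure aufs storage driver is not used
[INFO] 4 - Container Images and Build Files
[WARN] 4.1  - Ensure a user for the container has been created
[WARN]      * Running as root: example_app
[NOTE] 4.5  - Ensure Content trust for Docker is Enabled'

# Count checks with a given result tag (WARN, PASS, INFO, NOTE) read from
# stdin. Requiring a check number after the tag skips the "*" detail lines.
bench_count() {
  grep -c "^\[$1\] [0-9]"
}

# List failing checks from stdin as "id|description", sorted by check id,
# so the list can be diffed against the previous run.
bench_warnings() {
  grep '^\[WARN\] [0-9]' | sed 's/^\[WARN\] \([0-9.]*\) *- */\1|/' | sort -n
}

# Run the real script (from the cloned directory) into a dated log and
# summarise it. Assumes the page's clone/cd steps have been done.
bench_run() {
  log="bench-$(date +%Y-%m-%d).log"
  sudo sh docker-bench-security.sh > "$log" || return 1
  printf 'warnings: %s\n' "$(bench_count WARN < "$log")"
  bench_warnings < "$log"
}

# Demonstration on the constructed sample:
printf '%s\n' "$SAMPLE_OUTPUT" | bench_warnings
```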

Keep thinking "security"

Docker is an amazing technology that can do quite a bit for your business. You will want to take these tips into consideration as well as give the official Docker Security documentation a thorough read. As containers continue to grow in popularity, it will behoove you to keep thinking "security" as you further containerize your servers and services.

About Jack Wallen

Jack Wallen is an award-winning writer for TechRepublic and Linux.com. He’s an avid promoter of open source and the voice of The Android Expert. For more news about Jack Wallen, visit his website jackwallen.com.
