Once you start making use of Docker, you'll want to consider the security of your server and containers. Her are five tips to help you gain a bit more security with your containers.
We've reached the point where businesses almost cannot avoid containers. They make deploying servers and services significantly easier and more efficient. One of the most widely used tools for deploying containers is Docker.
Sometimes efficiency is not enough. Not in this world of constant data theft and security breaches. Even with the incredible technology offered by Docker, you still have to keep a keen eye on security. With that in mind, let's take a look at five things you can do to ensure your Docker experience is a bit more secure.
1. Choose third-party containers carefully
With Docker, you can pull down containers from public repositories. This means you are placing your trust in whoever created the container. But how do you know that container was created securely? Even worse, how do you know that container doesn't contain malicious or corrupt files? You don't. Because of this, you might want to consider using the Docker Hub paid plan. This paid service is one way to ensure the repositories you use have been scanned.
Say, for instance, you want to deploy a Wordpress container. If you issue the command sudo docker search WordPress, you'll see an entry for WordPress followed by a number of entries like Bitnami/WordPress. The first entry is the official image, and will be listed as such (Figure A).
2. Enable Docker Content Trust
If you're still not sure about third-party images, there's something you can do to help avoid possible issues. As of Docker 1.8 a new security feature was implemented called Docker Content Trust. This feature allows you to verify the authenticity, integrity, and publication date of all Docker images available on the Docker Hub Registry. Thing is, Content Trust isn't enabled by default. Once enabled, Docker will be unable to pull down images that have not been signed.
To enable this feature, issue the command sudo export DOCKER_CONTENT_TRUST=1. Now when you attempt to pull down an image that isn't signed, Docker will inform you (Figure B).
3. Set resource limits for your containers
What happens when a container goes awry and begins to consumer all of your host's resources? This is certainly not a recipe for success and security. You can actually set resource limits for your individual containers right from the run command. For example, say you want to limit a container to 1GB of memory, you can add the --memory="1000M" option to the run command. You can also limit the number of CPUs with the addition of the --cpus=X (Where X is the number of CPUs you want available to your container).
4. Consider a third-party security tool
There are a few purpose-built security tools for Docker. For instance, there's Twistlock, a Docker security solution that including seamless CI integration, extensive API support, and dev-to-production security controls. There are two different versions of Twistlock:
- Free - 10 repositories, 2 hosts, community support, manual policy creation, open source CVE feeds for vulnerability management.
- Enterprise - Unlimited repositories/images/hosts, 24/7/365 support, automated policy creation, 30+ vendor, industry, and proprietary feeds for vulnerability management.
5. Use Docker Bench Security
There's a very handy script you can run against your Docker server that will check:
- Host Configuration
- Docker Daemon Configuration
- Docker Daemon Configuration Files
- Container Images and Build Files
- Container Runtime
Docker Bench Security should be considered a must-use script. Here's how you use it:
- Open up a terminal window on your Docker server
- Download the script with the command git clone https://github.com/docker/docker-bench-security.gi...
- Change into the newly created directory with the command cd docker-bench-security
- Run the script with the command sudo sh docker-bench-security.sh
You will see quite a lot of information pass by as the script checks itself against Docker. The script will report Info, Warning, and Pass notes for every check (Figure C). From that information, you can act accordingly to further secure your Docker server and containers.
Keep thinking "security"
Docker is an amazing technology that can do quite a bit for your business. You will want to take these tips into consideration as well as give the official Docker Security documentation a thorough read. As containers continue to grow in popularity, it will behoove you to keep thinking "security" as you further containerize your servers and services.
- Docker: The smart person's guide (TechRepublic)
- 6 quick Docker tips to make managing your containers easier (TechRepublic)
- How to install WordPress with Docker (TechRepublic)
- How to install and use Portainer for easy Docker container management (TechRepublic)
- MapR gets container religion with Platform for Docker (ZDNet)