{"id":2054,"date":"2019-11-07T06:48:34","date_gmt":"2019-11-07T06:48:34","guid":{"rendered":"http:\/\/kusuaks7\/?p=1659"},"modified":"2024-03-04T12:53:24","modified_gmt":"2024-03-04T12:53:24","slug":"top-20-docker-security-tips","status":"publish","type":"post","link":"https:\/\/www.experfy.com\/blog\/bigdata-cloud\/top-20-docker-security-tips\/","title":{"rendered":"Top 20 Docker Security Tips"},"content":{"rendered":"\t\t<div data-elementor-type=\"wp-post\" data-elementor-id=\"2054\" class=\"elementor elementor-2054\" data-elementor-post-type=\"post\">\n\t\t\t\t\t\t<section class=\"has_eae_slider elementor-section elementor-top-section elementor-element elementor-element-51080b72 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"51080b72\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"has_eae_slider elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-3774bf40\" data-id=\"3774bf40\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-7273b9d elementor-widget elementor-widget-heading\" data-id=\"7273b9d\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h3 class=\"elementor-heading-title elementor-size-default\"><h3 style=\"color: #aaa;font-style: italic\">AIMing for safety!<\/h3><\/h3>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-6be0062 elementor-widget elementor-widget-text-editor\" data-id=\"6be0062\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\tThis article is 
full of tips to help you use Docker safely. If you\u2019re new to Docker I suggest you first check out my previous articles on Docker <a href=\"https:\/\/www.experfy.com\/blog\/learn-enough-docker-to-be-useful-part1-the-conceptual-landscape\">concepts<\/a>, the Docker <a href=\"https:\/\/www.experfy.com\/blog\/learn-enough-docker-to-be-useful-part-2-a-delicious-dozen-docker-terms-you-need-to-know\">ecosystems<\/a>, <a href=\"https:\/\/www.experfy.com\/blog\/learn-enough-docker-to-be-useful-part-3-a-dozen-dandy-dockerfile-instructions\">Dockerfiles<\/a>, <a href=\"https:\/\/www.experfy.com\/blog\/slimming-down-your-docker-images-part-4-of-learn-enough-docker-to-be-useful\">slimming down images<\/a>, <a href=\"https:\/\/www.experfy.com\/blog\/learn-enough-docker-to-be-useful-part-3-a-dozen-dandy-dockerfile-instructions\">popular commands<\/a>, and <a href=\"file:\/\/\/C:UsersRamDropboxExperfyBlogsBlogs%20uploadedJeff%20HaleJeff%20Hale%20-%20Docker%20articlesPublished\">data in Docker<\/a>.\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-96e7691 elementor-widget elementor-widget-text-editor\" data-id=\"96e7691\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p id=\"0cb9\" data-selectable-paragraph=\"\">How concerned do you need to be about security in Docker? It depends. Docker comes with sensible security features baked in. 
If you are running official Docker images on your own machine and the container is not reachable from other machines, the defaults cover most of what you need, though a container still shares the host kernel and is not a security boundary on its own.<\/p> \t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-251a11d elementor-widget elementor-widget-text-editor\" data-id=\"251a11d\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p id=\"5975\" data-selectable-paragraph=\"\">However, if you\u2019re using unofficial images, serving files, or running apps in production, then the story is different. In those cases you need to be considerably more knowledgeable about Docker security.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-1bc990f elementor-widget elementor-widget-image\" data-id=\"1bc990f\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<img decoding=\"async\" src=\"https:\/\/miro.medium.com\/proxy\/1*kOT_4Wj5lx6UR0UO3oO3pw.png\" alt=\"\" \/>\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-bea63cd elementor-widget elementor-widget-text-editor\" data-id=\"bea63cd\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p style=\"text-align: center;\" data-selectable-paragraph=\"\"><span style=\"font-size: 11px;\">Looks safe<\/span><\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-07c0005 elementor-widget elementor-widget-text-editor\" data-id=\"07c0005\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p 
id=\"b4a8\" data-selectable-paragraph=\"\">Your primary security goal is to prevent a malicious user from gaining valuable information or wreaking havoc. Toward that end, I\u2019ll share Docker security best practices in several key areas. By the end of this article you\u2019ll have seen over 20 Docker security tips!<\/p>\n<p id=\"75e7\" data-selectable-paragraph=\"\">We\u2019ll focus on three areas in the first section:<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-d0d614d elementor-widget elementor-widget-text-editor\" data-id=\"d0d614d\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<ul>\n \t<li id=\"8a4d\" data-selectable-paragraph=\"\"><strong>A<\/strong>ccess management<\/li>\n \t<li id=\"0349\" data-selectable-paragraph=\"\"><strong>I<\/strong>mage safety<\/li>\n \t<li id=\"ba68\" data-selectable-paragraph=\"\"><strong>M<\/strong>anagement of secrets<\/li>\n<\/ul>\n<p id=\"df1b\" data-selectable-paragraph=\"\">Think of the acronym\u00a0<strong>AIM<\/strong>\u00a0to help you remember them.<\/p>\n<p id=\"7adc\" data-selectable-paragraph=\"\">First, let\u2019s look at limiting a container\u2019s access.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-8fc1494 elementor-widget elementor-widget-heading\" data-id=\"8fc1494\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h1 class=\"elementor-heading-title elementor-size-default\"><h1 id=\"767a\" data-selectable-paragraph=\"\">Access Management \u2014 Limit Privileges<\/h1>\n<\/h1>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-ddcfa88 elementor-widget elementor-widget-text-editor\" data-id=\"ddcfa88\" data-element_type=\"widget\" 
data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p id=\"3744\" data-selectable-paragraph=\"\">When you start a container, Docker creates a group of namespaces. Namespaces prevent processes in a container from seeing or affecting processes in the host, including other containers. Namespaces are a primary way Docker cordons off one container from another.<\/p>\n<p id=\"d807\" data-selectable-paragraph=\"\">Docker provides private container networking, too. This prevents a container from gaining privileged access to the network interfaces of other containers on the same host.<\/p>\n<p id=\"c982\" data-selectable-paragraph=\"\">So a Docker environment comes somewhat isolated, but it might not be isolated enough for your use case.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-38e0887 elementor-widget elementor-widget-image\" data-id=\"38e0887\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<img decoding=\"async\" src=\"https:\/\/miro.medium.com\/proxy\/1*sdxIs0ExwFil2G2XaVMsdw.jpeg\" alt=\"\" \/>\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-c32a6f0 elementor-widget elementor-widget-text-editor\" data-id=\"c32a6f0\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p style=\"text-align: center;\" data-selectable-paragraph=\"\"><span style=\"font-size: 11px;\">Does not look safe<\/span><\/p>\n\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-8088934 elementor-widget elementor-widget-text-editor\" data-id=\"8088934\" data-element_type=\"widget\" data-e-type=\"widget\" 
data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p id=\"f31b\" data-selectable-paragraph=\"\">Good security means following the\u00a0<a href=\"https:\/\/en.wikipedia.org\/wiki\/Principle_of_least_privilege\" target=\"_blank\" rel=\"noopener nofollow noreferrer\">principle of least privilege<\/a>. Your container should have exactly the abilities it needs and no more. The tricky part is that once you start restricting what a container can do, it may lose an ability it legitimately needs, so test the application after each restriction.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-7e92167 elementor-widget elementor-widget-text-editor\" data-id=\"7e92167\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p id=\"3a0f\" data-selectable-paragraph=\"\">There are several ways to adjust a container\u2019s privileges. First, avoid running as root (or remap the user namespace if a process must run as root). Second, adjust capabilities with\u00a0<code>--cap-drop<\/code>\u00a0and\u00a0<code>--cap-add<\/code>.<\/p>\n<p id=\"fe46\" data-selectable-paragraph=\"\">Avoiding root and adjusting capabilities should be all most folks need to do to restrict privileges. More advanced users might want to adjust the default AppArmor and seccomp profiles. 
I discuss these in my forthcoming book about Docker, but have excluded them here to keep this article from ballooning.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-f5a504a elementor-widget elementor-widget-heading\" data-id=\"f5a504a\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\"><h2 id=\"641a\" data-selectable-paragraph=\"\">Avoid running as root<\/h2><\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-7723254 elementor-widget elementor-widget-text-editor\" data-id=\"7723254\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p id=\"32eb\" data-selectable-paragraph=\"\">Docker\u2019s default setting is for the user in an image to run as root. Many people don\u2019t realize how dangerous this is. 
It means that if an attacker compromises the process, they already hold root inside the container, which makes reaching sensitive files, mounted volumes and the shared host kernel far easier.<\/p>\n<p id=\"7f22\" data-selectable-paragraph=\"\">As a general best practice, don\u2019t let a container run as root.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-3014d96 elementor-widget elementor-widget-image\" data-id=\"3014d96\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<img decoding=\"async\" src=\"https:\/\/miro.medium.com\/proxy\/1*5088gV23KBQqYNYS8ttDtA.jpeg\" alt=\"\" \/>\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-9a9ea1a elementor-widget elementor-widget-text-editor\" data-id=\"9a9ea1a\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p style=\"text-align: center;\" data-selectable-paragraph=\"\"><span style=\"font-size: 11px;\">Roots<\/span><\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-4c6953f elementor-widget elementor-widget-text-editor\" data-id=\"4c6953f\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p id=\"1950\" data-selectable-paragraph=\"\">\u201cThe best way to prevent privilege-escalation attacks from within a container is to configure your container\u2019s applications to run as unprivileged users.\u201d \u2014 the Docker\u00a0<a href=\"https:\/\/docs.docker.com\/engine\/security\/userns-remap\/\" target=\"_blank\" rel=\"noopener nofollow noreferrer\">Docs<\/a>.<\/p>\n<p id=\"fa20\" data-selectable-paragraph=\"\">You can specify a userid other than root at run time like 
this:<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-7e32fb5 elementor-widget elementor-widget-text-editor\" data-id=\"7e32fb5\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p id=\"1a34\" data-selectable-paragraph=\"\"><code>docker run -u 1000 my_image<\/code><\/p>\n<p id=\"9e4c\" data-selectable-paragraph=\"\">The\u00a0<code>--user<\/code>\u00a0or\u00a0<code>-u<\/code>\u00a0flag can specify either a username or a numeric userid, optionally followed by a group as\u00a0<code>user:group<\/code>. A numeric userid does not have to exist in the image&#8217;s \/etc\/passwd; a username does.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-c69e55e elementor-widget elementor-widget-text-editor\" data-id=\"c69e55e\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p id=\"d675\" data-selectable-paragraph=\"\">In the example above\u00a0<em>1000<\/em>\u00a0is an arbitrary, unprivileged userid. On most Linux distributions, userids below 1000 are reserved for system accounts (below 500 on older ones). Choose a userid of 1000 or higher so you never run as a default system user.<\/p>\n<p id=\"2194\" data-selectable-paragraph=\"\">Rather than set the user from the command line, it\u2019s best to change the user from root in your image. Then folks don\u2019t have to remember to change it at run time. Just include the USER Dockerfile instruction in your image after Dockerfile instructions that require the capabilities that come with root.<\/p>\n<p id=\"5594\" data-selectable-paragraph=\"\">In other words, first install the packages you need and then switch the user. 
For example:<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-7861098 elementor-widget elementor-widget-text-editor\" data-id=\"7861098\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<pre>FROM alpine:latest\n# Steps that need root, such as package installs, come first\nRUN apk add --no-cache git\n# Everything from here on, including the final CMD, runs as uid 1000\nUSER 1000\n\u2026<\/pre>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-04547f7 elementor-widget elementor-widget-text-editor\" data-id=\"04547f7\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p id=\"0b60\" data-selectable-paragraph=\"\">If a process in the container must run as root, enable user namespace remapping so that root inside the container maps to an unprivileged user on the Docker host. See the\u00a0<a href=\"https:\/\/docs.docker.com\/engine\/security\/userns-remap\/\" target=\"_blank\" rel=\"noopener nofollow noreferrer\">Docker docs<\/a>.<\/p>\n<p id=\"aadd\" data-selectable-paragraph=\"\">You can grant the privileges the user needs by altering the capabilities.<\/p>\n\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-5689d7f elementor-widget elementor-widget-heading\" data-id=\"5689d7f\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\"><h2 id=\"8c6c\" data-selectable-paragraph=\"\">Capabilities<\/h2>\n<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-9a669fa elementor-widget elementor-widget-text-editor\" data-id=\"9a669fa\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div 
class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p id=\"dafc\" data-selectable-paragraph=\"\">Capabilities split the all-or-nothing power of root into separate privileges, such as CAP_NET_BIND_SERVICE (bind a port below 1024) or CAP_CHOWN (change file ownership), that the kernel checks individually. Docker starts containers with a restricted default set of them.<\/p>\n<p id=\"8cd5\" data-selectable-paragraph=\"\">Adjust capabilities through the command line with\u00a0<code>--cap-drop<\/code>\u00a0and\u00a0<code>--cap-add<\/code>. A best policy is to drop all a container&#8217;s capabilities with\u00a0<code>--cap-drop all<\/code>\u00a0and add back only the ones it needs with\u00a0<code>--cap-add<\/code>.<\/p>\n\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-da28162 elementor-widget elementor-widget-image\" data-id=\"da28162\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<img decoding=\"async\" src=\"https:\/\/miro.medium.com\/proxy\/1*BJYdZujv_cmCMuRpwyuKDw.jpeg\" alt=\"\" \/>\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-3c3fb53 elementor-widget elementor-widget-text-editor\" data-id=\"3c3fb53\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p style=\"text-align: center;\" data-selectable-paragraph=\"\"><span style=\"font-size: 11px;\">Stop or go<\/span><\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-9b03635 elementor-widget elementor-widget-text-editor\" data-id=\"9b03635\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p id=\"bde7\" data-selectable-paragraph=\"\">You can adjust a container\u2019s capabilities at runtime. 
For example, CAP_KILL, which is in Docker\u2019s default set, lets a process send signals to processes owned by other users. To drop it:<\/p>\n<p id=\"e6e9\" data-selectable-paragraph=\"\"><code>docker run --cap-drop=KILL my_image<\/code><\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-62e8c98 elementor-widget elementor-widget-text-editor\" data-id=\"62e8c98\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p id=\"3029\" data-selectable-paragraph=\"\">Avoid granting SYS_ADMIN or SETUID to processes, as each confers broad power: SYS_ADMIN covers mounting, namespace manipulation and a long list of other privileged operations, and SETUID lets a process change its user ID, including to 0. Adding these capabilities is close to handing out root (and avoiding that is the whole point of not running as root).<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-ac32baa elementor-widget elementor-widget-text-editor\" data-id=\"ac32baa\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p id=\"1c23\" data-selectable-paragraph=\"\">It\u2019s also safer not to let a container bind a port between 1 and 1023. These are the privileged ports where standard services such as SSH and HTTPS live, so a process that can bind them can stand up a look-alike service or receive traffic meant for a real one. 
On the host, binding these lower numbered ports requires running as root or holding the CAP_NET_BIND_SERVICE capability. Inside a container the picture changed with Docker Engine 20.10, which sets the container sysctl net.ipv4.ip_unprivileged_port_start to 0, so an unprivileged process in a container can bind a low port without that capability. The cleaner pattern either way is to listen on a high port inside the container and publish it to the low host port with\u00a0<code>-p 80:8080<\/code>, so the process needs neither root nor the extra capability.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-f28eba7 elementor-widget elementor-widget-text-editor\" data-id=\"f28eba7\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p id=\"9711\" data-selectable-paragraph=\"\">To see which of these settings a container actually runs with, use\u00a0<em>inspect<\/em>. <code>docker container inspect my_container_name<\/code>\u00a0prints, among much else, Config.User, HostConfig.Privileged, HostConfig.CapAdd, HostConfig.CapDrop, HostConfig.SecurityOpt and the memory and CPU limits under HostConfig, which together describe the user, capabilities, security profiles and resource limits the container was started with.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-522c961 elementor-widget elementor-widget-text-editor\" data-id=\"522c961\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p id=\"38a8\" data-selectable-paragraph=\"\"><a href=\"https:\/\/docs.docker.com\/engine\/reference\/run\/#runtime-privilege-and-linux-capabilities\" target=\"_blank\" rel=\"noopener nofollow noreferrer\">Here\u2019s the Docker reference<\/a>\u00a0for more on privileges.<\/p>\n<p id=\"cb30\" data-selectable-paragraph=\"\">As with most things in Docker, it\u2019s better to configure containers in an automatic, self-documenting file. 
With Docker Compose you can specify capabilities in a service configuration like this (<code>cap_drop<\/code>\u00a0and\u00a0<code>cap_add<\/code>\u00a0take a list):<\/p>\n<pre>cap_drop:\n  - ALL<\/pre>\n<p id=\"8338\" data-selectable-paragraph=\"\">Or you can set them in a Kubernetes pod\u2019s securityContext (capabilities.drop and capabilities.add) as discussed\u00a0<a href=\"https:\/\/kubernetes.io\/docs\/tasks\/configure-pod-container\/security-context\/\" target=\"_blank\" rel=\"noopener nofollow noreferrer\">here<\/a>.<\/p>\n<p id=\"9fad\" data-selectable-paragraph=\"\">The full list of Linux capabilities is\u00a0<a href=\"http:\/\/man7.org\/linux\/man-pages\/man7\/capabilities.7.html\" target=\"_blank\" rel=\"noopener nofollow noreferrer\">here<\/a>.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-8f90705 elementor-widget elementor-widget-text-editor\" data-id=\"8f90705\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p id=\"4239\" data-selectable-paragraph=\"\">If you want finer-grained control over container privileges, check out my discussion of AppArmor and seccomp in my forthcoming book. 
Subscribe to\u00a0<a href=\"http:\/\/eepurl.com\/gjfLAz\" target=\"_blank\" rel=\"noopener nofollow noreferrer\" class=\"broken_link\">my email newsletter<\/a>\u00a0to be notified when it\u2019s available.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-ff72430 elementor-widget elementor-widget-image\" data-id=\"ff72430\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<img decoding=\"async\" src=\"https:\/\/miro.medium.com\/proxy\/1*GkbiVqPQQgMmmvoTXxC6Lw.jpeg\" alt=\"\" \/>\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-a6fd05a elementor-widget elementor-widget-text-editor\" data-id=\"a6fd05a\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p style=\"text-align: center;\" data-selectable-paragraph=\"\"><span style=\"font-size: 11px;\">Closed road<\/span><\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-f26ea01 elementor-widget elementor-widget-heading\" data-id=\"f26ea01\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h1 class=\"elementor-heading-title elementor-size-default\"><h1 id=\"7743\" data-selectable-paragraph=\"\">Access Management \u2014 Restrict Resources<\/h1><\/h1>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-661c3ea elementor-widget elementor-widget-text-editor\" data-id=\"661c3ea\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p id=\"521f\" 
data-selectable-paragraph=\"\">It\u2019s a good idea to restrict a container\u2019s access to system resources such as memory and CPU. Without a resource limit, a container can use up all available memory. When that happens the Linux kernel\u2019s out-of-memory (OOM) killer starts terminating processes to free memory, and it may pick the Docker daemon or other important host processes rather than the offending container. This can take the whole host down. An attacker who can make your app allocate memory (a large upload, an expensive query) can use this to bring down everything on the machine.<\/p>\n<p id=\"ebb7\" data-selectable-paragraph=\"\">If you have multiple containers running on the same machine it\u2019s smart to limit the memory and CPU any one container can use. If a container exceeds its memory limit, the kernel kills a process inside it, usually the main one, and the container stops. That can crash your app, which isn\u2019t fun. However, it protects the host from running out of memory and keeps the other containers on it running. And that\u2019s a good thing.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-dc0d97c elementor-widget elementor-widget-image\" data-id=\"dc0d97c\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<img decoding=\"async\" src=\"https:\/\/miro.medium.com\/proxy\/1*Odgf25AAaLqi-KXUyfHMSw.jpeg\" alt=\"\" \/>\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-a5c7912 elementor-widget elementor-widget-text-editor\" data-id=\"a5c7912\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p style=\"text-align: center;\" data-selectable-paragraph=\"\"><span style=\"font-size: 11px;\">Wind resource<\/span><\/p>\n<p id=\"f364\" data-selectable-paragraph=\"\">Docker Desktop CE for Mac v2.1.0 has default resource restrictions. 
You can access them under the Docker icon -&gt; Preferences. Then click on the\u00a0<em>Resources<\/em>\u00a0tab. You can use the sliders to adjust the resource constraints.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-58ffb4f elementor-widget elementor-widget-image\" data-id=\"58ffb4f\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<img decoding=\"async\" src=\"https:\/\/miro.medium.com\/proxy\/1*fNdy8Sx6bSRhyEM5NteTDg.png\" alt=\"\" \/>\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-9e44bc3 elementor-widget elementor-widget-text-editor\" data-id=\"9e44bc3\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p style=\"text-align: center;\" data-selectable-paragraph=\"\"><span style=\"font-size: 11px;\">Resource settings on Mac<\/span><\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-ad28c01 elementor-widget elementor-widget-text-editor\" data-id=\"ad28c01\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p id=\"47ff\" data-selectable-paragraph=\"\">Alternatively, you can restrict resources from the command line by specifying the\u00a0<code>--memory<\/code>\u00a0flag or\u00a0<code>-m<\/code>\u00a0for short, followed by a number and a unit of measure.<\/p>\n<p id=\"997b\" data-selectable-paragraph=\"\">4m means 4 mebibytes, and is the minimum container memory allocation. A mebibyte (MiB) is slightly more than a megabyte (1 MiB = 1.048576 MB). 
The docs are currently incorrect, but hopefully the maintainers will have accepted my PR to change it by the time you read this.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-137e464 elementor-widget elementor-widget-text-editor\" data-id=\"137e464\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p id=\"c673\" data-selectable-paragraph=\"\">To see what resources your containers are using, enter the command\u00a0<code><a href=\"https:\/\/deploy-preview-9237--docsdocker.netlify.com\/config\/containers\/runmetrics\/\" target=\"_blank\" rel=\"noopener nofollow noreferrer\">docker stats<\/a><\/code>\u00a0in a new terminal window. You&#8217;ll see running container statistics regularly refreshed.<\/p>\n\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"has_eae_slider elementor-section elementor-top-section elementor-element elementor-element-4c6cbf4 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"4c6cbf4\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"has_eae_slider elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-2bd8422\" data-id=\"2bd8422\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-689244b elementor-widget elementor-widget-image\" data-id=\"689244b\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<img decoding=\"async\" 
src=\"https:\/\/miro.medium.com\/proxy\/1*y2rxG1CvFG1PsYIfzIHXSQ.png\" alt=\"\" \/>\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-400611a elementor-widget elementor-widget-text-editor\" data-id=\"400611a\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p style=\"text-align: center;\" data-selectable-paragraph=\"\"><span style=\"font-size: 11px;\">Stats<\/span><\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-e3aae0e elementor-widget elementor-widget-text-editor\" data-id=\"e3aae0e\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p id=\"3967\" data-selectable-paragraph=\"\">Behind the scenes, Docker is using Linux Control Groups (cgroups) to implement resource limits. 
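Reading inspect output by eye does not scale past a handful of containers, so here is an added example (not code from the original article or from Docker) that audits the JSON from docker container inspect for the settings covered in this section and the previous one: the user the container runs as, --privileged, which capabilities were added or dropped, and whether a memory limit is set. The inspect documents below are constructed and trimmed to the fields the audit reads; real output carries many more. The set of capabilities treated as root-equivalent is an assumption drawn from capabilities(7), not a list Docker defines.

```python
"""Audit `docker container inspect` output for the privilege and resource
settings discussed above: user, --privileged, capabilities, memory limit.
Added example, not code from the original article or from Docker. The inspect
documents below are constructed and trimmed to the fields the audit reads."""
import json

# Capabilities treated as root-equivalent. This set is an assumption drawn from
# capabilities(7), not a Docker-defined list; tune it for your environment.
ROOT_EQUIVALENT_CAPS = {
    "SYS_ADMIN", "SETUID", "SETGID", "SYS_PTRACE", "SYS_MODULE",
    "DAC_OVERRIDE", "DAC_READ_SEARCH", "NET_ADMIN",
}


def normalize_cap(cap: str) -> str:
    """Docker accepts 'kill', 'KILL' and 'CAP_KILL'; compare them uniformly."""
    cap = cap.upper()
    return cap[4:] if cap.startswith("CAP_") else cap


def audit_container(c: dict) -> list[str]:
    """Return findings for one element of the inspect array; empty means clean."""
    findings = []
    name = c.get("Name", "?").lstrip("/")
    host = c.get("HostConfig") or {}
    user = (c.get("Config") or {}).get("User") or ""
    # Config.User is "" when the image sets no USER and -u was not given: root.
    if user.split(":")[0] in ("", "root", "0"):
        findings.append(f"{name}: runs as root (Config.User={user!r})")
    if host.get("Privileged"):
        findings.append(f"{name}: --privileged grants every capability and host device access")
    cap_add = {normalize_cap(x) for x in (host.get("CapAdd") or [])}
    cap_drop = {normalize_cap(x) for x in (host.get("CapDrop") or [])}
    if "ALL" not in cap_drop:
        findings.append(f"{name}: does not drop all capabilities (CapDrop={sorted(cap_drop)})")
    for cap in sorted(cap_add & ROOT_EQUIVALENT_CAPS):
        findings.append(f"{name}: adds root-equivalent capability {cap}")
    # HostConfig.Memory is the --memory value in bytes; 0 means unlimited.
    if not host.get("Memory"):
        findings.append(f"{name}: no memory limit (HostConfig.Memory=0)")
    return findings


def audit_inspect_output(inspect_json: str) -> dict[str, list[str]]:
    """Map container name -> findings for a whole `docker container inspect` array."""
    return {c["Name"].lstrip("/"): audit_container(c) for c in json.loads(inspect_json)}


# Constructed stand-in for `docker container inspect sloppy hardened` output.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/sloppy", "Config": {"User": ""},
     "HostConfig": {"Privileged": False, "CapAdd": ["SYS_ADMIN"], "CapDrop": None, "Memory": 0}},
    {"Name": "/hardened", "Config": {"User": "1000"},
     "HostConfig": {"Privileged": False, "CapAdd": ["NET_BIND_SERVICE"], "CapDrop": ["ALL"],
                    "Memory": 268435456}},
])

if __name__ == "__main__":
    for name, findings in audit_inspect_output(SAMPLE_INSPECT).items():
        print(name, "OK" if not findings else "")
        for finding in findings:
            print("  -", finding)
```

On a real host, pipe the output of docker container inspect over all running containers (for example docker container inspect $(docker ps -q)) into audit_inspect_output; the hardened sample shows the shape the page recommends, with cap_drop ALL plus a single added capability, a non-root user and a memory limit, and produces no findings.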
This technology is battle tested.<\/p>\n<p id=\"154f\" data-selectable-paragraph=\"\">Learn more about resource constraints on Docker\u00a0<a href=\"https:\/\/docs.docker.com\/config\/containers\/resource_constraints\/\" target=\"_blank\" rel=\"noopener nofollow noreferrer\">here<\/a>.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-a549420 elementor-widget elementor-widget-heading\" data-id=\"a549420\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h1 class=\"elementor-heading-title elementor-size-default\"><h1 id=\"122c\" data-selectable-paragraph=\"\">Image safety<\/h1><\/h1>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-deeea13 elementor-widget elementor-widget-text-editor\" data-id=\"deeea13\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p id=\"cba1\" data-selectable-paragraph=\"\">Grabbing an image from Docker Hub is like inviting someone into your home. 
You might want to be intentional about it.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-20d03eb elementor-widget elementor-widget-image\" data-id=\"20d03eb\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<img decoding=\"async\" src=\"https:\/\/miro.medium.com\/proxy\/1*hYp7NMZkmbL72eur9MBLwA.jpeg\" alt=\"\" \/>\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-db3fddc elementor-widget elementor-widget-text-editor\" data-id=\"db3fddc\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p style=\"text-align: center;\" data-selectable-paragraph=\"\"><span style=\"font-size: 11px;\">Someone\u2019s home<\/span><\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-edc36fc elementor-widget elementor-widget-heading\" data-id=\"edc36fc\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\"><h2 id=\"79bb\" data-selectable-paragraph=\"\">Use trustworthy images<\/h2><\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-11a9e64 elementor-widget elementor-widget-text-editor\" data-id=\"11a9e64\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p id=\"e968\" data-selectable-paragraph=\"\">Rule one of image safety is to only use images you trust. 
How do you know which images are trustworthy?<\/p>\n<p id=\"7ccf\" data-selectable-paragraph=\"\">It\u2019s a good bet that popular official images are relatively safe. Such images include alpine, ubuntu, python, golang, redis, busybox, and node. Each has over\u00a0<a href=\"https:\/\/hub.docker.com\/search?q=&amp;type=image&amp;page=1\" target=\"_blank\" rel=\"noopener nofollow noreferrer\">10M downloads<\/a>\u00a0and lots of eyes on them.<\/p>\n<p id=\"3625\" data-selectable-paragraph=\"\"><a href=\"https:\/\/blog.docker.com\/2019\/02\/docker-security-update-cve-2018-5736-and-container-security-best-practices\/\" target=\"_blank\" rel=\"noopener nofollow noreferrer\">Docker explains<\/a>:<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-945476d elementor-widget elementor-widget-text-editor\" data-id=\"945476d\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<blockquote>\n<p id=\"9a1e\" data-selectable-paragraph=\"\">Docker sponsors a dedicated team that is responsible for reviewing and publishing all content in the Official Images. 
This team works in collaboration with upstream software maintainers, security experts, and the broader Docker community to ensure the security of these images.<\/p>\n<\/blockquote>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-326e59f elementor-widget elementor-widget-heading\" data-id=\"326e59f\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\"><h2 id=\"7b51\" data-selectable-paragraph=\"\">Reduce your attack surface<\/h2><\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-5dff83b elementor-widget elementor-widget-text-editor\" data-id=\"5dff83b\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p id=\"317f\" data-selectable-paragraph=\"\">Related to using official base images, you can use a minimal base image.<\/p>\n<p id=\"32c3\" data-selectable-paragraph=\"\">With less code inside, there\u2019s a lower chance for security vulnerabilities. A smaller, less complicated base image is more transparent.<\/p>\n<p id=\"7e29\" data-selectable-paragraph=\"\">It\u2019s a lot easier to see what\u2019s going on in an Alpine image than your friend\u2019s image that relies on her friend\u2019s image that relies on another base image. 
A short thread is easier to untangle.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"has_eae_slider elementor-section elementor-top-section elementor-element elementor-element-27f687b elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"27f687b\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"has_eae_slider elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-7f371b5\" data-id=\"7f371b5\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-f39a383 elementor-widget elementor-widget-image\" data-id=\"f39a383\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<img decoding=\"async\" src=\"https:\/\/miro.medium.com\/proxy\/1*ixifAq0FGHI3ZkaTuufFLw.jpeg\" alt=\"\" \/>\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-915cc91 elementor-widget elementor-widget-text-editor\" data-id=\"915cc91\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p style=\"text-align: center;\" data-selectable-paragraph=\"\"><span style=\"font-size: 11px;\">Tangled<\/span><\/p>\n<p id=\"9965\" data-selectable-paragraph=\"\">Similarly, only install packages you actually need. 
This reduces your attack surface and speeds up your image downloads and image builds.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-991d16d elementor-widget elementor-widget-heading\" data-id=\"991d16d\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\"><h2 id=\"3207\" data-selectable-paragraph=\"\">Require signed images<\/h2><\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-57613cb elementor-widget elementor-widget-text-editor\" data-id=\"57613cb\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p id=\"9dd5\" data-selectable-paragraph=\"\">You can ensure that images are signed by using Docker content trust.<\/p>\n<p id=\"f0b7\" data-selectable-paragraph=\"\">Docker content trust prevents users from working with tagged images unless they contain a signature. 
Trusted sources include Official Docker Images from Docker Hub and signed images from user-trusted sources.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-96c37d3 elementor-widget elementor-widget-image\" data-id=\"96c37d3\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<img decoding=\"async\" src=\"https:\/\/miro.medium.com\/proxy\/1*s3dMsYD9OjSPQMQmw9Ndfw.jpeg\" alt=\"\" \/>\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-d7e40e6 elementor-widget elementor-widget-text-editor\" data-id=\"d7e40e6\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p style=\"text-align: center;\" data-selectable-paragraph=\"\"><span style=\"font-size: 11px;\">Signed<\/span><\/p>\n<p id=\"db51\" data-selectable-paragraph=\"\">Content trust is disabled by default. To enable it, set the <code>DOCKER_CONTENT_TRUST<\/code> environment variable to 1. 
From the command line, run the following:<\/p>\n<p id=\"200a\" data-selectable-paragraph=\"\"><code>export DOCKER_CONTENT_TRUST=1<\/code><\/p>\n<p id=\"0f71\" data-selectable-paragraph=\"\">Now when I try to pull down my own unsigned image from Docker Hub, it is blocked.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-f24346e elementor-widget elementor-widget-text-editor\" data-id=\"f24346e\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<div id=\"5755\" data-selectable-paragraph=\"\"><code>Error: remote trust data does not exist for docker.io\/discdiver\/frames: notary.docker.io does not have trust data for docker.io\/discdiver\/frames<\/code><\/div>\n<p data-selectable-paragraph=\"\">Content trust is a way to keep the riffraff out. Learn more about content trust\u00a0<a href=\"https:\/\/docs.docker.com\/engine\/security\/trust\/content_trust\/\" target=\"_blank\" rel=\"noopener nofollow noreferrer\">here<\/a>.<\/p>\n<p id=\"206f\" data-selectable-paragraph=\"\">Docker stores and accesses images by the cryptographic checksum of their contents. This prevents attackers from creating image collisions. 
That\u2019s a cool built-in safety feature.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-156fb26 elementor-widget elementor-widget-heading\" data-id=\"156fb26\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h1 class=\"elementor-heading-title elementor-size-default\"><h1 id=\"2083\" data-selectable-paragraph=\"\">Managing Secrets<\/h1>\n<\/h1>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-3ca2cdb elementor-widget elementor-widget-text-editor\" data-id=\"3ca2cdb\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p id=\"b6a6\" data-selectable-paragraph=\"\">Your access is restricted, your images are secure, now it\u2019s time to manage your secrets.<\/p>\n<p id=\"4435\" data-selectable-paragraph=\"\">Rule 1 of managing sensitive information: do not bake it into your image. It\u2019s not too tricky to find your unencrypted sensitive info in code repositories, logs, and elsewhere.<\/p>\n<p id=\"7ea1\" data-selectable-paragraph=\"\">Rule 2: don\u2019t use environment variables for your sensitive info, either. Anyone who can run\u00a0<code>docker inspect<\/code>\u00a0or\u00a0<code>exec<\/code>\u00a0into the container can find your secret. So can anyone running as root. Hopefully we&#8217;ve configured things so that users won&#8217;t be running as root, but redundancy is part of good security. Often logs will dump the environment variable values, too. You don&#8217;t want your sensitive info spilling out to just anyone.<\/p>\n<p id=\"c96d\" data-selectable-paragraph=\"\">Docker volumes are better. They are the recommended way to access your sensitive info in the Docker docs. You can use a volume as a temporary file system held in memory. 
Volumes remove the\u00a0<code>docker inspect<\/code>\u00a0and the logging risk. However, root users could still see the secret, as could anyone who can\u00a0<code>exec<\/code>\u00a0into the container. Overall, volumes are a pretty good solution.<\/p>\n<p id=\"fe17\" data-selectable-paragraph=\"\">Even better than volumes, use Docker secrets. Secrets are encrypted.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"has_eae_slider elementor-section elementor-top-section elementor-element elementor-element-6ecc4fc elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"6ecc4fc\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"has_eae_slider elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-81477ed\" data-id=\"81477ed\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-585d642 elementor-widget elementor-widget-image\" data-id=\"585d642\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<img decoding=\"async\" src=\"https:\/\/miro.medium.com\/proxy\/1*-OAd39UZ-4e7DuGSBNEGpw.jpeg\" alt=\"\" \/>\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-2dea1bf elementor-widget elementor-widget-text-editor\" data-id=\"2dea1bf\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p style=\"text-align: center;\" data-selectable-paragraph=\"\"><span style=\"font-size: 
11px;\">Secrets<\/span><\/p>\n<p id=\"fca8\" data-selectable-paragraph=\"\">Some\u00a0<a href=\"https:\/\/docs.docker.com\/engine\/swarm\/secrets\/\" target=\"_blank\" rel=\"noopener nofollow noreferrer\">Docker docs<\/a>\u00a0state that you can use secrets with Docker Swarm only. Nevertheless, you can use secrets in Docker without Swarm.<\/p>\n<p id=\"bdfa\" data-selectable-paragraph=\"\">If you just need the secret in your image, you can use BuildKit. BuildKit is a better backend than the current build tool for building Docker images. It cuts build time significantly and has other nice features, including build-time secrets support.<\/p>\n<p id=\"91be\" data-selectable-paragraph=\"\">BuildKit is relatively new \u2014 Docker Engine 18.09 was the first version shipped with BuildKit support. There are three ways to specify the BuildKit backend so you can use its features now. In the future, it will be the default backend.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-86d70b0 elementor-widget elementor-widget-text-editor\" data-id=\"86d70b0\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<ol>\n \t<li id=\"cc73\" data-selectable-paragraph=\"\">Set it as an environment variable with\u00a0<code>export DOCKER_BUILDKIT=1<\/code>.<\/li>\n \t<li id=\"3d5e\" data-selectable-paragraph=\"\">Start your\u00a0<code>build<\/code>\u00a0or\u00a0<code>run<\/code>\u00a0command with\u00a0<code>DOCKER_BUILDKIT=1<\/code>.<\/li>\n \t<li id=\"2c71\" data-selectable-paragraph=\"\">Enable BuildKit by default. Set the configuration in \/<em>etc\/docker\/daemon.json<\/em>\u00a0to\u00a0<em>true<\/em>\u00a0with:\u00a0<code>{ \"features\": { \"buildkit\": true } }<\/code>. 
Then restart Docker.<\/li>\n<\/ol>\n<p id=\"7c4a\" data-selectable-paragraph=\"\">Then you can use secrets at build time with the\u00a0<code>--secret<\/code>\u00a0flag like this:<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-aa8ee6c elementor-widget elementor-widget-text-editor\" data-id=\"aa8ee6c\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p id=\"2971\" data-selectable-paragraph=\"\"><code>docker build --secret id=my_key,src=path\/to\/my_secret_file .<\/code><\/p>\n<p id=\"ca85\" data-selectable-paragraph=\"\">Where your file specifies your secrets as a key-value pair.<\/p>\n<p id=\"fc12\" data-selectable-paragraph=\"\">These secrets are not stored in the final image. They are also excluded from the image build cache. Safety first!<\/p>\n<p id=\"0c96\" data-selectable-paragraph=\"\">If you need your secret in your running container, and not just when building your image, use Docker Compose or Kubernetes.<\/p>\n<p id=\"bb7a\" data-selectable-paragraph=\"\">With Docker Compose, add the secrets key-value pair to a service and specify the secret file. 
Hat tip to this\u00a0<a href=\"https:\/\/serverfault.com\/a\/936262\/535325\" target=\"_blank\" rel=\"noopener nofollow noreferrer\">Stack Exchange answer<\/a>\u00a0for the Docker Compose secrets tip that the example below is adapted from.<\/p>\n<p id=\"83af\" data-selectable-paragraph=\"\">Example docker-compose.yml with secrets:<\/p>\n<pre><code>version: \"3.7\"\nservices:\n  my_service:\n    image: centos:7\n    entrypoint: \"cat \/run\/secrets\/my_secret\"\n    secrets:\n      - my_secret\nsecrets:\n  my_secret:\n    file: .\/my_secret_file.txt<\/code><\/pre>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-867fe03 elementor-widget elementor-widget-text-editor\" data-id=\"867fe03\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p id=\"f758\" data-selectable-paragraph=\"\">Then start Compose as usual with\u00a0<code>docker-compose up --build 
my_service<\/code>.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-3fb7068 elementor-widget elementor-widget-text-editor\" data-id=\"3fb7068\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p id=\"9b08\" data-selectable-paragraph=\"\">If you\u2019re using\u00a0<a href=\"https:\/\/kubernetes.io\/docs\/concepts\/configuration\/secret\/\" target=\"_blank\" rel=\"noopener nofollow noreferrer\">Kubernetes<\/a>, it has support for secrets.\u00a0<a href=\"https:\/\/github.com\/futuresimple\/helm-secrets\" target=\"_blank\" rel=\"noopener nofollow noreferrer\">Helm-Secrets<\/a>\u00a0can help make secrets management in K8s easier. Additionally, K8s has Role Based Access Controls (RBAC) \u2014 as does Docker Enterprise. RBAC makes secrets management more manageable and more secure for teams.<\/p>\n<p id=\"b895\" data-selectable-paragraph=\"\">A best practice with secrets is to use a secrets management service such as Vault.\u00a0<a href=\"https:\/\/www.vaultproject.io\/\" target=\"_blank\" rel=\"noopener nofollow noreferrer\">Vault<\/a>\u00a0is a service by HashiCorp for managing access to secrets. It also time-limits secrets. 
More info on Vault\u2019s Docker image can be found\u00a0<a href=\"https:\/\/hub.docker.com\/\/vault\" target=\"_blank\" rel=\"noopener nofollow noreferrer\" class=\"broken_link\">here<\/a>.<\/p>\n<p id=\"a068\" data-selectable-paragraph=\"\"><a href=\"https:\/\/aws.amazon.com\/secrets-manager\/\" target=\"_blank\" rel=\"noopener nofollow noreferrer\">AWS Secrets Manager<\/a>\u00a0and similar products from other cloud providers can also help you manage your secrets on the cloud.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-b2e91a1 elementor-widget elementor-widget-image\" data-id=\"b2e91a1\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<img decoding=\"async\" src=\"https:\/\/miro.medium.com\/proxy\/1*-L9oPjWgRBGBBoBJsvZQtA.jpeg\" alt=\"\" \/>\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-ff7f7cc elementor-widget elementor-widget-text-editor\" data-id=\"ff7f7cc\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p style=\"text-align: center;\" data-selectable-paragraph=\"\"><span style=\"font-size: 11px;\">Keys<\/span><\/p>\n<p id=\"1d90\" data-selectable-paragraph=\"\">Just remember, the key to managing your secrets is to keep them secret. 
Definitely don\u2019t bake them into your image or turn them into environment variables.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-439ca18 elementor-widget elementor-widget-heading\" data-id=\"439ca18\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h1 class=\"elementor-heading-title elementor-size-default\"><h1 id=\"0fb4\" data-selectable-paragraph=\"\">Update Things<\/h1>\n<\/h1>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-4cde95e elementor-widget elementor-widget-text-editor\" data-id=\"4cde95e\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p id=\"1c55\" data-selectable-paragraph=\"\">As with any code, keep the languages and libraries in your images up to date to benefit from the latest security fixes.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-b6cf713 elementor-widget elementor-widget-image\" data-id=\"b6cf713\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<img decoding=\"async\" src=\"https:\/\/miro.medium.com\/proxy\/1*SvzouB47pMF_0Hu6u0IO9A.jpeg\" alt=\"\" \/>\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-bd72431 elementor-widget elementor-widget-text-editor\" data-id=\"bd72431\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p style=\"text-align: center;\" data-selectable-paragraph=\"\"><span style=\"font-size: 11px;\">Hopefully your security is more up to 
date than this lock<\/span><\/p>\n<p id=\"e5e5\" data-selectable-paragraph=\"\">If you refer to a specific version of a base image in your image, make sure you keep it up to date, too.<\/p>\n<p id=\"dbbe\" data-selectable-paragraph=\"\">Relatedly, you should keep your version of Docker up to date for bug fixes and enhancements that will allow you to implement new security features.<\/p>\n<p id=\"d72c\" data-selectable-paragraph=\"\">Finally, keep your host server software up to date. If you\u2019re running on a managed service, this should be done for you.<\/p>\n<p id=\"64de\" data-selectable-paragraph=\"\">Better security means keeping things updated.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-eb0d5dc elementor-widget elementor-widget-heading\" data-id=\"eb0d5dc\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h1 class=\"elementor-heading-title elementor-size-default\"><h1 id=\"2115\" data-selectable-paragraph=\"\">Consider Docker Enterprise<\/h1>\n<\/h1>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-4095d94 elementor-widget elementor-widget-text-editor\" data-id=\"4095d94\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p id=\"84eb\" data-selectable-paragraph=\"\">If you have an organization with a bunch of people and a bunch of Docker containers, it\u2019s a good bet you\u2019d benefit from Docker Enterprise. Administrators can set policy restrictions for all users. 
The provided RBAC, monitoring, and logging capabilities are likely to make security management easier for your team.<\/p>\n<p id=\"709b\" data-selectable-paragraph=\"\">With Enterprise you can also host your own images privately in a\u00a0<a href=\"https:\/\/docs.docker.com\/ee\/dtr\/\" target=\"_blank\" rel=\"noopener nofollow noreferrer\">Docker Trusted Registry<\/a>. Docker provides built-in security scanning to make sure you don\u2019t have known vulnerabilities in your images.<\/p>\n<p id=\"08f4\" data-selectable-paragraph=\"\">Kubernetes provides some of this functionality for free, but Docker Enterprise has additional security capabilities for containers and images. Best of all,\u00a0<a href=\"https:\/\/blog.docker.com\/2019\/07\/announcing-docker-enterprise-3-0-ga\/\" target=\"_blank\" rel=\"noopener nofollow noreferrer\">Docker Enterprise 3.0<\/a>\u00a0was released in July 2019. It includes Docker Kubernetes Service with \u201csensible security defaults\u201d.<\/p>\n\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-bce144a elementor-widget elementor-widget-heading\" data-id=\"bce144a\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h1 class=\"elementor-heading-title elementor-size-default\"><h1 id=\"6808\" data-selectable-paragraph=\"\">Additional Tips<\/h1>\n<\/h1>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-e9c25af elementor-widget elementor-widget-text-editor\" data-id=\"e9c25af\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<ul>\n \t<li id=\"721a\" data-selectable-paragraph=\"\">Don\u2019t ever run a container as\u00a0<code>--privileged<\/code>\u00a0unless you need to for a special circumstance like needing to run Docker inside a 
Docker container \u2014 and you know what you&#8217;re doing.<\/li>\n \t<li id=\"8e51\" data-selectable-paragraph=\"\">In your Dockerfile, favor COPY instead of ADD. ADD automatically extracts zipped files and can copy files from URLs. COPY doesn\u2019t have these capabilities. Whenever possible, avoid using ADD so you aren\u2019t susceptible to attacks through remote URLs and Zip files.<\/li>\n \t<li id=\"156b\" data-selectable-paragraph=\"\">If you run any other processes on the same server, run them in Docker containers.<\/li>\n \t<li id=\"5d07\" data-selectable-paragraph=\"\">If you use a web server and API to create containers, check parameters carefully so new containers you don\u2019t want can\u2019t be created.<\/li>\n \t<li id=\"7d7a\" data-selectable-paragraph=\"\">If you expose a REST API, secure API endpoints with HTTPS or SSH.<\/li>\n \t<li id=\"026f\" data-selectable-paragraph=\"\">Consider a checkup with\u00a0<a href=\"https:\/\/github.com\/docker\/docker-bench-security\" target=\"_blank\" rel=\"noopener nofollow noreferrer\">Docker Bench for Security<\/a>\u00a0to see how well your containers follow their security guidelines.<\/li>\n \t<li id=\"6e6c\" data-selectable-paragraph=\"\">Store sensitive data only in volumes, never in a container.<\/li>\n \t<li id=\"6202\" data-selectable-paragraph=\"\">If using a single-host app with networking, don\u2019t use the default bridge network. It has technical shortcomings and is not recommended for production use. If you publish a port, all containers on the bridge network become accessible.<\/li>\n \t<li id=\"280d\" data-selectable-paragraph=\"\">Use Let\u2019s Encrypt for HTTPS certificates for serving. 
See an example with NGINX\u00a0<a href=\"https:\/\/medium.com\/@pentacent\/nginx-and-lets-encrypt-with-docker-in-less-than-5-minutes-b4b8a60d3a71\" target=\"_blank\" rel=\"noopener noreferrer\" class=\"broken_link\">here<\/a>.<\/li>\n \t<li id=\"6a68\" data-selectable-paragraph=\"\">Mount volumes as read-only when you only need to read from them. See several ways to do this\u00a0<a href=\"https:\/\/github.com\/OWASP\/CheatSheetSeries\/blob\/master\/cheatsheets\/Docker_Security_Cheat_Sheet.md\" target=\"_blank\" rel=\"noopener nofollow noreferrer\">here<\/a>.<\/li>\n<\/ul>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-3b226e5 elementor-widget elementor-widget-heading\" data-id=\"3b226e5\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h1 class=\"elementor-heading-title elementor-size-default\"><h1 id=\"1ac1\" data-selectable-paragraph=\"\">Summary<\/h1><\/h1>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-c75059e elementor-widget elementor-widget-text-editor\" data-id=\"c75059e\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p id=\"0c30\" data-selectable-paragraph=\"\">You\u2019ve seen many ways to make your Docker containers safer. Security is not set-it-and-forget-it. 
It requires vigilance to keep your images and containers secure.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-d48991c elementor-widget elementor-widget-image\" data-id=\"d48991c\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<img decoding=\"async\" src=\"https:\/\/miro.medium.com\/proxy\/1*AGYrfC2NpGXLYe6xtiiLng.png\" alt=\"\" \/>\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-b02b257 elementor-widget elementor-widget-text-editor\" data-id=\"b02b257\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p style=\"text-align: center;\" data-selectable-paragraph=\"\"><span style=\"font-size: 11px;\">Keys<\/span><\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-66d968f elementor-widget elementor-widget-heading\" data-id=\"66d968f\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\"><h2 id=\"233a\" data-selectable-paragraph=\"\">When thinking about security, remember AIM<\/h2><\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-82423e6 elementor-widget elementor-widget-text-editor\" data-id=\"82423e6\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p id=\"143e\" data-selectable-paragraph=\"\">1.\u00a0<strong>A<\/strong>ccess management<\/p><ul><li id=\"f60d\" data-selectable-paragraph=\"\">Avoid running as root. 
Remap if you must use root.<\/li><li id=\"4858\" data-selectable-paragraph=\"\">Drop all capabilities and add back those that are needed.<\/li><li id=\"f495\" data-selectable-paragraph=\"\">Dig into AppArmor if you need fine-grained privilege tuning.<\/li><li id=\"7287\" data-selectable-paragraph=\"\">Restrict resources.<\/li><\/ul><p id=\"d031\" data-selectable-paragraph=\"\">2.\u00a0<strong>I<\/strong>mage safety<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-f223a82 elementor-widget elementor-widget-text-editor\" data-id=\"f223a82\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\n<ul>\n \t<li id=\"8781\" data-selectable-paragraph=\"\">Use official, popular, minimal base images.<\/li>\n \t<li id=\"fbb1\" data-selectable-paragraph=\"\">Don\u2019t install things you don\u2019t need.<\/li>\n \t<li id=\"fa36\" data-selectable-paragraph=\"\">Require images to be signed.<\/li>\n \t<li id=\"5e08\" data-selectable-paragraph=\"\">Keep Docker, Docker images, and other software that touches Docker updated.<\/li>\n<\/ul>\n<p id=\"8e58\" data-selectable-paragraph=\"\">3.\u00a0<strong>M<\/strong>anagement of secrets<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-6ca7f43 elementor-widget elementor-widget-text-editor\" data-id=\"6ca7f43\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\n<ul>\n \t<li id=\"1996\" data-selectable-paragraph=\"\">Use secrets or volumes.<\/li>\n \t<li id=\"165f\" data-selectable-paragraph=\"\">Consider a secrets manager such as Vault.<\/li>\n<\/ul>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-97b2281 elementor-widget elementor-widget-image\" data-id=\"97b2281\" 
data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<img decoding=\"async\" src=\"https:\/\/miro.medium.com\/max\/640\/1*HoEJRUtVcjExCCS7WDBSRA.jpeg\" alt=\"\" \/>\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-7f9cdd1 elementor-widget elementor-widget-text-editor\" data-id=\"7f9cdd1\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p style=\"text-align: center;\" data-selectable-paragraph=\"\"><span style=\"font-size: 11px;\">Bullseye!<\/span><\/p>\n<p id=\"9f05\" data-selectable-paragraph=\"\">Keeping Docker containers secure means AIMing for safety.<\/p>\n<p id=\"2d25\" data-selectable-paragraph=\"\">Don\u2019t forget to keep Docker, your languages and libraries, your images, and your host software updated. Finally, consider using Docker Enterprise if you\u2019re running Docker as part of a team.<\/p>\n<p id=\"d1ce\" data-selectable-paragraph=\"\">I hope you found this Docker security article helpful.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<\/div>\n\t\t","protected":false},"excerpt":{"rendered":"<p>There are many ways to make your Docker containers safer. Security is not set-it-and-forget-it. It requires vigilance to keep your images and containers secure. Keeping Docker containers secure means AIMing for safety. Don&rsquo;t forget to keep Docker, your languages and libraries, your images, and your host software updated. Finally, consider using Docker Enterprise if you&rsquo;re running Docker as part of a team. 
If you&rsquo;re serving files, or running apps in production, you need to be considerably more knowledgeable about Docker security.<\/p>\n","protected":false},"author":369,"featured_media":2662,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"content-type":"","footnotes":""},"categories":[187],"tags":[94],"ppma_author":[2134],"class_list":["post-2054","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-bigdata-cloud","tag-data-science"],"authors":[{"term_id":2134,"user_id":369,"is_guest":0,"slug":"jeff-hale","display_name":"Jeff Hale","avatar_url":"https:\/\/secure.gravatar.com\/avatar\/?s=96&d=mm&r=g","user_url":"","last_name":"Hale","first_name":"Jeff","job_title":"","description":"Jeff Hale is a co-founder of Rebel Desk, where he oversees technology, finance, and operations for this company. He&nbsp;is an experienced entrepreneur who has managed technology, operations, and finances for several 
companies.&nbsp;"}],"_links":{"self":[{"href":"https:\/\/www.experfy.com\/blog\/wp-json\/wp\/v2\/posts\/2054","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.experfy.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.experfy.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.experfy.com\/blog\/wp-json\/wp\/v2\/users\/369"}],"replies":[{"embeddable":true,"href":"https:\/\/www.experfy.com\/blog\/wp-json\/wp\/v2\/comments?post=2054"}],"version-history":[{"count":4,"href":"https:\/\/www.experfy.com\/blog\/wp-json\/wp\/v2\/posts\/2054\/revisions"}],"predecessor-version":[{"id":36212,"href":"https:\/\/www.experfy.com\/blog\/wp-json\/wp\/v2\/posts\/2054\/revisions\/36212"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.experfy.com\/blog\/wp-json\/wp\/v2\/media\/2662"}],"wp:attachment":[{"href":"https:\/\/www.experfy.com\/blog\/wp-json\/wp\/v2\/media?parent=2054"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.experfy.com\/blog\/wp-json\/wp\/v2\/categories?post=2054"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.experfy.com\/blog\/wp-json\/wp\/v2\/tags?post=2054"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.experfy.com\/blog\/wp-json\/wp\/v2\/ppma_author?post=2054"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}