Friday, 14 November 2025

Docker - Security

 

🔒 Docker Runtime Security: Key Practices

Docker Runtime Security refers to the measures and configurations put in place to protect the containers, the Docker host, and the data while the containers are actively running. It focuses on limiting the damage an attacker can do if they successfully compromise a container.

Here is a breakdown of the key practices:

1. Least Privilege Principle

  • What it is: This is a fundamental security concept that states every user, process, or program should have only the minimum necessary permissions to perform its job, and no more.

  • In Docker: This means running the container application as a non-root user whenever possible. If the application doesn't need root permissions, running it as root unnecessarily increases the attack surface, as a breach could give the attacker full control over the container and potentially the host system.

2. Seccomp and AppArmor

  • What they are: These are host-level security mechanisms (part of the Linux kernel) that restrict what a running process (like your container) can do.

  • Seccomp (Secure Computing Mode): Allows you to filter which Linux system calls (syscalls) a container can use. Docker applies a default Seccomp profile that blocks over 40 dangerous syscalls.

  • AppArmor (Application Armor): Restricts a program's capabilities, such as which file paths it can write to, which network interfaces it can access, and which permissions it can use.

3. Docker Content Trust (DCT)

  • What it is: A system used to cryptographically sign and verify the integrity and publisher of images.

  • In Docker: When DCT is enabled, Docker clients only allow you to pull images that have been signed by a trusted key. This prevents users from accidentally pulling or running malicious or tampered images.

4. Runtime Scanning

  • What it is: The practice of scanning running containers for vulnerabilities, misconfigurations, or unexpected process behavior.

  • In Docker: This involves using third-party tools (like Trivy, Clair, or commercial scanners) to monitor the containers in real-time, looking for known vulnerabilities in installed packages or detecting unauthorized file changes.

5. Isolate with Namespaces

  • What it is: Linux Namespaces are the core technology that makes containers possible. They provide resource isolation by partitioning the kernel's resources.

  • In Docker: Each container gets its own isolated view of the system, including:

    • PID Namespace: Its own set of processes (PID 1 is the main app).

    • Network Namespace: Its own network interfaces and IP addresses.

    • Mount Namespace: Its own view of the filesystem (what's mounted at /).

  • Goal: If a container is compromised, the attacker is trapped within that isolated namespace.

6. Drop Capabilities

  • What it is: Linux Capabilities break down the power of the root user into smaller, distinct units.

  • In Docker: Containers often run with a limited set of default capabilities (e.g., CAP_NET_BIND_SERVICE). The practice of "dropping capabilities" means explicitly removing any capabilities a container doesn't strictly need (e.g., removing CAP_SYS_ADMIN), further hardening the container by limiting the kernel operations it can perform.

at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)

Building a Safer PostgreSQL CI/CD Pipeline with GitHub Actions: Dev → PR Review → Test Promotion

In my previous post, we explored a simple push-to-main deployment strategy . While functional, that model is not considered an industry best...