Personal Home/
Security Tips for Docker
Security Tips for Docker

Security Tips for Docker

Tags
docker
Published
January 31, 2025
Author

1. Use a Non-Root User

One of the most important Docker security tips is to avoid running processes as the root user within your containers. Running as root can be dangerous because if an attacker compromises the container, they gain root access inside it.
How to set a non-root user (example: node):
dockerfile
CopyEdit
# Use an official Node.js runtime as the parent image
FROM node:18

# Create and switch to a non-root user
RUN useradd --create-home --shell /bin/bash node
USER node

# Continue with other instructions…
WORKDIR /home/node/app
COPY package*.json ./
RUN npm install
COPY . .
CMD ["node", "index.js"]
Key takeaways:
  • The USER node instruction ensures the application processes run with non-root privileges.
  • Always verify that any installed software and dependencies can run under a non-root user.

2. Exposing and Publishing Ports Securely

When you need to expose a port, you typically do so with the EXPOSE directive in your Dockerfile and the -p or --publish flag at runtime.
Example Dockerfile:
dockerfile
CopyEdit
FROM node:18

# Expose port 3000
EXPOSE 3000

# Other instructions...
Running the container:
bash
CopyEdit
docker run --init --publish 3000:3000 --rm my-app
Why these flags?
  • -init: Runs an init process (PID 1) inside the container that helps manage zombie processes. This can improve security and stability.
  • -publish 3000:3000: Maps the container's exposed port to the host system, allowing external access. Use firewalls or Docker network features to restrict unwanted connections.
  • -rm: Automatically removes the container file system once the container exits, reducing clutter and potential attack surfaces on your host system.

3. Split COPY Instructions to Speed Up Builds

Efficient layering in Docker helps keep image sizes small and accelerates rebuilds. You can split the copying of your dependencies and source code so that Docker can cache these layers effectively.
For example:
dockerfile
CopyEdit
FROM node:18

# Set the working directory
WORKDIR /app

# Copy only package files first
COPY package.json package-lock.json ./

# Install dependencies
RUN npm install

# Then copy the rest of your source code
COPY . .

CMD ["npm", "start"]
Benefits:
  • If you modify only your application code (not your dependencies), Docker will reuse the layer with the installed dependencies. This can significantly reduce build time.
  • Smaller and more efficient layers also improve security because you can more easily track what is being introduced into each layer.

4. Using Nginx within Docker

For serving static files or acting as a reverse proxy, you might use an official nginx image. Consider these tips for a secure nginx setup:
  • Use Official Images: Start with the official nginx image for guaranteed updates and security patches.
  • Configuration Files: Keep an eye on your nginx.conf or any additional config files. Restrict access to management endpoints and enable HTTPS where possible.
  • Small Base Images: If feasible, use nginx:alpine to reduce the image footprint and minimize the attack surface.
Example:
dockerfile
CopyEdit
FROM nginx:alpine
COPY ./my-nginx.conf /etc/nginx/nginx.conf
EXPOSE 80
CMD ["nginx", "-g", "daemon off;"]

5. Check Your Containers for Vulnerabilities with Docker Scout

Regularly scanning your images for vulnerabilities is critical. Docker offers Docker Scout, which provides vulnerability scanning features to help ensure that your container images (including their base layers and libraries) are free of known CVEs.
Scanning your images:
bash
CopyEdit
docker scout cves my-app
Benefits:
  • Quickly identifies security vulnerabilities in your base image or libraries.
  • Offers guidance on recommended updates or alternative images with fewer CVEs.
  • Integrates into your CI/CD pipeline, preventing vulnerable images from being deployed.

Additional Best Practices

  1. Keep Images Updated: Continuously track upstream images (like node, nginx, etc.) for newer versions with security patches.
  1. Use Multi-Stage Builds: Reduce your final image size (and attack surface) by separating build and runtime stages.
  1. Don’t Store Secrets in Dockerfiles: Use Docker secrets or environment variables managed by orchestration tools (like Docker Swarm or Kubernetes) instead of hardcoding credentials.
  1. Enable Resource Limits: Use -memory, -cpus, or Docker Compose resources limits to prevent container resource exhaustion.
  1. Restrict Capabilities: Consider dropping unnecessary Linux capabilities with -cap-drop to limit the container’s privileges on the host.