Container security

Hi,

I am very new to docker. In a VM the very first thing one learns to do is to harden it’s security by using failtoban and making a non-root user and removing the root user altogether.

Is all of this not required to be done in a container ?

Another thing is that a webserver is never run as a root. In fact since the server is run as “apache” or “www-data” user, the non root user is assigned to this group for sorting read write permissions. It is considered bad practice to run a webserver as root.

So how are these things sorted in docker? I read that assigning a non-root user to docker conflicts with volume writes. hoping for someone to give a comprehensive reply to these.

Thanks !

Hi @apseh278,

Your question (or questions?) has some weight to it, and can be a bit too lengthy to answer. I have actually been thinking about writing an article about it, if you’d like to discuss further, I’d be happy to.

FYI: I’m from Linux Handbook (https://linuxhandbook.com) (I hope you don’t take it as an advertisement, as it’s not meant to be such).

Hi Debdut, Thanks for the response. I would be happy to discuss and hope some light shines through for me as I consider myself a novice here. Thanks. Let me know how we can discuss this here on this forum or elsewhere.

Thank you.

I would’ve preferred this forum here, but since for some reason docker is not going to focus on this place, I’m inclined to continue the conversation at someplace else. Preferably our telegram group (https://t.me/linuxhandbook_official). This way others will be able to weigh in as well :slight_smile:

Some things come into my mind:

  • harden the hosts
  • start running dockercontainer with “–user”, --cap-drop list, --network,–read-only, --memory, --cpus so a break out is not easy and stability for your hostsystem is guaranteed
  • inside docker or in Dockerfile use: "USER ", “WORKDIR”, if possible, just one binary, other minium os-image, for example “alpine-linux”, never use ports <10124

fail2ban and things like means complexity. U want to avoid complexity in docker-containers.
Maybe u can use a loadbalancer or something like that.

Hi Peddyspg,

Thanks you so much for the response.

Being a sheer novice, May I also request you to enlist the steps needed to complete the above mentioned points. For eg. how to harden the hosts ? And so for the rest. maybe you can point me to a blog or a video or a tutorial for these. Would be truly a great help.

Thanks loads again !

Sorry, this is a wide field and u have to find your own path.
Detailinformation or hints are depending on your own needs.
Google is your friend.

For me, it was very helpfull to change my thinking.
Dockercontainers are not VMs.
Orchestrating of containers is a big and helpfull thing.
Maybe u jump directly to kubernetes.

First a lot to learn, but it was fun.

Right Peddyspg !
Thanks loads !