I have read a lot about how to secure docker. But I still have some general questions I need to understand before I begin the process.
My setup: I have a working Traefik (v2.8) reverse proxy with TLS enabled. I need Portainer, Homeassistant and NextCloud exposed to the web and Mosquitto and Zigbee2Mqtt only exposed to my server. I also have installed UFW as my firewall but it is not enabled yet.
I have thought about doing the following to secure my server…
Segregate my docker network in internal and external.
Remove the exposed ports and let Traefik handle the connection.
I am already running docker as a normal user but not my apps.
Secure the docker.socket with ssh.
My questions are…
Will this be enough or do I still need to make special rules to iptables/ufw?
Can I change the user running inside docker without problems?
Can Traefik route between networks or do I need to add Traefik to both the internal and external network?
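As an added illustration of the layout described in the question (this is constructed example configuration, not something posted in the thread): a compose file with an `internal` network for the server-only services and an `external` network that only Traefik and the web-facing apps join. Image tags, hostnames, the `example.com` domain and the USB device path are placeholders. Only Traefik publishes a port on the host; the apps have no `ports:` entry at all, and Home Assistant sits on both networks because it needs the broker on the internal side and Traefik on the external side.

```yaml
# Added example (not from the thread): constructed docker-compose.yml for the
# setup described in the question. Names, tags and hostnames are placeholders.
networks:
  external:
    name: external          # Traefik and the web-facing apps
  internal:
    name: internal          # server-only services
    internal: true          # no masquerading rule is created, so nothing here
                            # can reach or be reached from outside the host

services:
  traefik:
    image: traefik:v2.8
    command:
      - --providers.docker=true
      - --providers.docker.exposedbydefault=false   # only labelled containers get routed
      - --providers.docker.network=external         # which network to use for containers on several
      - --entrypoints.websecure.address=:443
    ports:
      - "443:443"           # the only published port; Docker will add its own iptables rule for it
    volumes:
      # ":ro" only protects the socket file; the API behind it is still full access to the engine
      - /var/run/docker.sock:/var/run/docker.sock:ro
    networks: [external]

  portainer:
    image: portainer/portainer-ce:latest
    networks: [external]    # no "ports:" entry, reachable only through Traefik
    labels:
      - traefik.enable=true
      - traefik.http.routers.portainer.rule=Host(`portainer.example.com`)
      - traefik.http.routers.portainer.entrypoints=websecure
      - traefik.http.routers.portainer.tls=true
      - traefik.http.services.portainer.loadbalancer.server.port=9000

  homeassistant:
    image: ghcr.io/home-assistant/home-assistant:stable
    networks: [external, internal]   # web side via Traefik, MQTT side on the internal network
    labels:
      - traefik.enable=true
      - traefik.http.routers.hass.rule=Host(`hass.example.com`)
      - traefik.http.routers.hass.entrypoints=websecure
      - traefik.http.routers.hass.tls=true
      - traefik.http.services.hass.loadbalancer.server.port=8123

  mosquitto:
    image: eclipse-mosquitto:2
    networks: [internal]    # no published port, no Traefik labels: container-to-container only

  zigbee2mqtt:
    image: koenkk/zigbee2mqtt:latest
    networks: [internal]
    devices:
      - /dev/ttyUSB0:/dev/ttyUSB0   # placeholder for the coordinator
```

Because the internal network carries `internal: true`, Mosquitto and Zigbee2Mqtt are reachable only from containers attached to it (here Home Assistant), regardless of what UFW allows. The single published port on Traefik is also the only entry Docker inserts into the host firewall, which is the point to keep in mind when deciding which ufw rules are still needed.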
Please clarify: did you just add your user to the docker group, or did you specifically set up rootless docker? Adding an unprivileged user to the docker group grants access to the docker.sock. It does not make the docker engine run as an unprivileged user… only rootless docker does.
Please clarify what this is supposed to mean. The docker.sock has no authentication or authorization built in. The only security you have is unix file permission on the docker.sock itself.
Just so that you are not surprised later: Docker will punch holes for published ports in the firewall.
Please clarify: what do you mean by inside docker? If you mean inside containers, then it depends on the image. Some images run as root, some images run with a restricted user, some start as root - but start the main process as unprivileged users. When I write “some images run”, of course I mean the container created based on those images.
Traefik is not a router. It’s a reverse proxy, as such it needs to have access to all the networks where it should forward traffic to. Note: even a router would need to have an interface in each subnet it should route to…
While at it: you might want to research user namespace remapping, enabling tls and certificate authentication for the docker engine and check open policy agent.
Since most of the stuff is already addressed in my first post, I am going to address just some of the details from your response.
You might want to check user namespace remapping before you try rootless docker, as it is a whole different beast.
If the image is not prepared to start the main process as an unprivileged user, it can have side effects if you just override the --user argument. Typically, at least you find a RUN instruction with the adduser command - some images start as root, but execute the main process with the created restricted user. Others directly use the USER instruction and start the image as an unprivileged user.
I would highly suggest inspecting the Dockerfile of the images you use on Github (in case the repo is linked in the Dockerhub description) to check how they implement things.
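To show what the reply means by the two patterns, here is an added example (constructed for this thread, not taken from any of the images mentioned): a Dockerfile that creates a restricted account with a RUN instruction and then switches to it with USER, so the main process never runs as root. The `myapp` binary, the UID and the paths are placeholders.

```dockerfile
# Added example (not from the thread): a constructed Dockerfile showing the
# "RUN adduser ... then USER" pattern. "myapp", UID 10001 and /app are placeholders.
FROM debian:bookworm-slim

# Create the restricted account at build time. A fixed UID/GID keeps ownership
# of bind-mounted volumes predictable on the host.
RUN groupadd --gid 10001 app \
 && useradd --uid 10001 --gid app --home-dir /app --no-create-home \
            --shell /usr/sbin/nologin app

WORKDIR /app
# Copy with the right owner now; after USER there is no root left to chown.
COPY --chown=app:app . /app

# Everything that needs root (package installs, chown, mkdir under /var) must
# sit above this line. From here on, build steps and the container itself run as "app".
USER app

CMD ["./myapp"]
```

The other pattern the reply mentions keeps the image starting as root and has an entrypoint script fix file ownership before handing off to the restricted account with a tool such as gosu or su-exec; on such an image an external `--user` override skips that step, and the ownership fix and the privilege drop then silently fail. A quick way to see which pattern an image uses before changing anything is `docker image inspect --format '{{.Config.User}}' IMAGE`: an empty value means the image starts as root and any privilege drop, if present, happens inside its entrypoint.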