Docker Community Forums

Share and learn in the Docker community.

Hardening Docker Networking?

Inspired by the common Meow db exploits, I wanted to ask about how to further harden dockerized databases:

– db is not exposed
– only other dockerized nodejs services can talk to the db
– several of those dockerized nodejs services are exposed

Are there ways attackers can exploit Docker quirks or networking to gain access to un-exposed dbs (in this case mongodb container I run based on the official mongodb image)?

I’ve done some searching, but I’d like to see more experience & suggestions concentrated & discussed in one place.

Thanks!

– Run Docker with a non-root internal user.
– Limit container resources:
  – Limit available memory (swap limit support: not all Linux distributions have swap limit support enabled by default).
  – Limit available CPU.
  – Limit PIDs.
  – Limit open file descriptors.
– Check the Docker hardening configuration.
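As an added example (not from either post above), the following Compose file puts the two threads together: the network layout the question describes (a MongoDB container that is not published, reachable only by Node.js services, some of which are published) and the resource and user limits the reply lists. Service names, the image tags, the uid/gid values and the limit sizes are assumptions chosen for illustration; the `999:999` uid is the `mongodb` user the official image creates, but it still has to own the data volume.

```yaml
# docker-compose.yml (added example; values are assumptions)
services:
  db:
    image: mongo:7                 # official image; tag is an assumption
    user: "999:999"                # mongodb uid/gid in the official image; volume must be writable by it
    volumes:
      - mongo-data:/data/db
    # no "ports:" entry: nothing is bound on a host interface
    networks:
      - backend                    # internal network only, see below
    # resource limits from the reply
    mem_limit: 1g
    memswap_limit: 1g              # equal to mem_limit => no swap; needs swap accounting in the kernel
    cpus: "1.0"
    pids_limit: 256
    ulimits:
      nofile:
        soft: 65536                # mongod warns when the open-file limit is low
        hard: 65536

  api:
    image: node:20-alpine          # assumption: your own nodejs image would go here
    user: "1000:1000"              # the "node" user in the official image, not root
    command: ["node", "server.js"]
    ports:
      - "3000:3000"                # this service is intentionally exposed
    networks:
      - frontend                   # reachable from outside
      - backend                    # can talk to db
    environment:
      MONGO_URL: "mongodb://db:27017/app"   # resolves via Docker's embedded DNS on "backend"
    mem_limit: 512m
    memswap_limit: 512m
    cpus: "0.5"
    pids_limit: 128
    ulimits:
      nofile:
        soft: 4096
        hard: 4096

networks:
  frontend: {}
  backend:
    internal: true                 # no route to the outside world; only attached containers can reach db

volumes:
  mongo-data: {}
```

`docker compose config` renders the resolved file so you can confirm `db` has no `ports` entry and only the `backend` network, and after `docker compose up -d`, `docker port <db-container>` prints nothing for the database while `docker inspect` shows the memory, CPU, PID and nofile limits in `HostConfig`. If the kernel lacks swap accounting (the reply's caveat), the daemon prints "Your kernel does not support swap limit capabilities" and `memswap_limit` is silently ignored, so check the daemon log on the host rather than assuming the limit is in force.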