Docker Community Forums

Secure a multi-apps docker server

Hi there!

I’m quite new to the Docker World. I read a lot of articles and documentations, but the more I read the more I get lost.

I think my use case is quite simple though.

I want to host several Docker apps on my server. Let’s say Gitea and Owncloud.

Due to their complexity, we never know what kind of new leak we can find in those applications.

So I want to be absolutely sure that, if there is a leak:

  • the attacker will not be able to get out of the container (I host other sensitive stuff on my server) to read secrets or mess with stuff.
  • the attacker will not be able to mess with the other containers

Okay, so here is what I’ve done so far:

  • I created a user “gitea” and added it to the group “docker”
  • I created a “data” repository owned by the user “gitea” and set strict permissions on it (700)
  • I created a .env file with even stricter permissions (400, owned by gitea) and the following content:
    USER_UID=[UID of the user “gitea” on host]
    USER_GID=[GID of the user “gitea” on host]

Now I read that it is good practice to disable “SETGID” and “SETUID” for the container.
But it seems that my Gitea container uses those capabilities to run as non-root and be able to access the “data” directory.
You will probably tell me that, if they do this, I don’t have to worry about user escalation, but what if they mess things up on a future release for instance? Or if there is a breach in their design?

I also read that I could use namespaces to do that. That’s closer to what I want: if I understand well, using a namespace, I am absolutely sure that user escalation can have absolutely no effect as UID 0 in the container will map to a non-existing user on the host. But this brings two more problems to me:

  • How can I be sure that it won’t be possible for an attacker to mess with another container (as they are both in the same namespace)?
  • How do I handle the “data” directory? Should I chown it to [starting subuid range for dockremap]+[UID of the user “gitea” on host]?

Thanks for your help!
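One way to work out the chown target the last question asks about, as an added example that is not part of the original post and not Docker's own tooling: under userns-remap, a UID inside the container maps to the start of the remap user's subordinate range plus that UID, so the host owner of the “data” directory is `subuid_start + USER_UID`. The script assumes the remap user is named `dockremap`, the standard `name:start:count` format of `/etc/subuid` and `/etc/subgid`, and uses a constructed sample of that file so it runs offline; on a real host you would feed it `$(cat /etc/subuid)` instead.

```shell
#!/bin/sh
# Added example, not from the original post. Computes the host-side id that a
# container id maps to under Docker userns-remap, so the bind-mounted "data"
# directory can be chowned to the right owner.
# Assumptions: remap user is "dockremap"; subuid/subgid lines are "name:start:count".

# Constructed sample of /etc/subuid for the demo (not a real host's file).
SAMPLE_SUBUID="dockremap:100000:65536
gitea:165536:65536"

# remapped_id <subuid/subgid file content> <remap user> <id inside container>
# Prints the host id, or fails if there is no range or the id falls outside it
# (an id past the end of the range would not be mapped at all).
remapped_id() {
    content=$1; user=$2; inner=$3
    line=$(printf '%s\n' "$content" | grep "^${user}:" | head -n 1)
    if [ -z "$line" ]; then
        echo "no subordinate id range for $user" >&2
        return 1
    fi
    start=${line#*:}; start=${start%%:*}   # second field: first host id
    count=${line##*:}                      # third field: number of ids
    if [ "$inner" -ge "$count" ]; then
        echo "container id $inner is outside the $count-id range of $user" >&2
        return 1
    fi
    echo $((start + inner))
}

# With the constructed sample and USER_UID=1000 inside the container,
# the "data" directory on the host must be owned by host uid 101000.
remapped_id "$SAMPLE_SUBUID" dockremap 1000   # prints 101000
```

On a real host, `remapped_id "$(cat /etc/subuid)" dockremap "$USER_UID"` and the same call against `/etc/subgid` with `$USER_GID` give the uid:gid to chown the directory to; the remap itself is enabled with `"userns-remap": "default"` in `/etc/docker/daemon.json`, and `--cap-drop SETUID --cap-drop SETGID` (or `--cap-drop ALL` plus only the capabilities the image needs) and `--security-opt no-new-privileges` are the run options that address the first concern in the post.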