Security while using Docker-CE on Ubuntu

I need help on verification.

For a proof of concept, I have successfully installed Docker-CE on an Ubuntu VM, and I am using it along with nginx.

Can one of you please confirm my open questions and observations?

Point 1: Docker-CE (community edition) is installed in the Ubuntu VM.

Followed the documentation https://docs.docker.com/install/linux/docker-ce/ubuntu/ and installed using ‘the repository’.

Can I confirm that,

    • Stable repository is a good starting point.
    • Docker image will not have any vulnerabilities.
    • Install parameters are configurable
    • Desired version of Docker can be installed

Point 2: Proxy settings
I have updated the following files

  1. /etc/systemd/system/docker.service.d/http-proxy.conf
  2. /etc/apt/apt.conf.d/proxy
  3. /etc/environment

Any other files that I should be considering?

Point 3: Please note that the Docker is running on a secured hardened host. The Ubuntu VM I have used is hardened as per my company’s compliance rules.

  1. Is Docker-CE image hardened?

  2. Since I have installed Docker on a hardened Ubuntu VM, do I need to further harden the Docker image?

  3. Even if the Docker-CE image is not hardened, can you provide a few points to clarify that it is secure and containers are secure?

Point 4: Privilege mode

  1. I have confirmed that none of the docker containers are running in ‘privileged’ mode.

    The following command “docker inspect --format='{{.HostConfig.Privileged}}' ” returns false.

  2. Running Docker Commands

    Every docker command I run is using ‘sudo’. The sudo command allows my default user to run programs with the security privileges of the root user.

    I can create non-privileged users, add them to the ‘docker’ group [https://docs.docker.com/install/linux/linux-postinstall/]

    Does this mean, the ‘non-privileged’ users now have root access only for docker?

Point 5: Upgrading Docker

How frequently should we upgrade?
Who should upgrade?

Point 6: Memory usage and CPU usage

To ensure there is no memory leakage, I will be looking at using documentation on resource_constraints maintained by Docker. Is this fine?

Hi

I normally also use userns

Thanks Martin for the response. I shall look at it.

Hi @maneeshmenon,

Belated response:

> Does this mean, the ‘non-privileged’ users now have root access only for docker?

Yes, but this is the equivalent of giving the unprivileged users root access on the host. Why? Because the unprivileged user can trivially create a Docker privileged container, mount key host directories, and gain full control of the machine. Check this web post for details.

FYI, I recently founded a company called Nestybox that enables running Docker-in-Docker, but without using privileged containers. One of the security benefits is that you can now assign unprivileged users a dedicated Docker without giving them any privileges on the host.

See this blog article I wrote for more info on this.

Hope this helps!
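
Added example, not part of the thread and not code from any of the posters: a Python audit that extends the single `HostConfig.Privileged` check from Point 4 to the other settings the last reply describes (host directory mounts, `docker` group membership). The `SENSITIVE` path list and the sample data are assumptions constructed for illustration; the JSON fields are those emitted by `docker inspect`.

```python
import json

# Host paths whose bind mount gives a container control of the host
# (assumed list for this example; extend it for your environment).
SENSITIVE = ("/", "/etc", "/root", "/var/run/docker.sock", "/run/docker.sock")

def docker_group_members(getent_line):
    """Parse one `getent group docker` line (name:passwd:gid:user1,user2)."""
    fields = getent_line.strip().split(":")
    if len(fields) != 4:
        raise ValueError("unexpected group entry: %r" % getent_line)
    return [u for u in fields[3].split(",") if u]

def audit_containers(inspect_json):
    """Return {container name: [findings]} from `docker inspect` JSON output."""
    report = {}
    for c in json.loads(inspect_json):
        host = c.get("HostConfig") or {}
        findings = []
        if host.get("Privileged"):
            findings.append("privileged")
        if host.get("PidMode") == "host":
            findings.append("host PID namespace")
        for cap in host.get("CapAdd") or []:  # null when nothing was added
            findings.append("added capability " + cap)
        for m in c.get("Mounts") or []:
            src = m.get("Source", "").rstrip("/") or "/"
            if m.get("Type") == "bind" and src in SENSITIVE:
                mode = "rw" if m.get("RW") else "ro"
                findings.append("bind mount of host %s (%s)" % (src, mode))
        if findings:
            report[c.get("Name", "?").lstrip("/")] = findings
    return report

# Constructed sample data, not output from a real host.
SAMPLE_GROUP = "docker:x:998:deploy,ci-runner\n"
SAMPLE_INSPECT = json.dumps([
    {"Name": "/web", "HostConfig": {"Privileged": False, "CapAdd": None, "PidMode": ""},
     "Mounts": [{"Type": "bind", "Source": "/srv/nginx/conf", "Destination": "/etc/nginx", "RW": False}]},
    {"Name": "/agent", "HostConfig": {"Privileged": False, "CapAdd": ["SYS_ADMIN"], "PidMode": "host"},
     "Mounts": [{"Type": "bind", "Source": "/var/run/docker.sock", "Destination": "/var/run/docker.sock", "RW": True}]},
])

if __name__ == "__main__":
    print("root-equivalent via docker group:", docker_group_members(SAMPLE_GROUP))
    for name, findings in audit_containers(SAMPLE_INSPECT).items():
        print(name + ":", "; ".join(findings))
```

On a live host, pass it the output of `docker inspect $(docker ps -q)` and `getent group docker` in place of the samples.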