Docker Community Forums

Security while using Docker-CE on Ubuntu

(Maneeshmenon) #1

I need help on verification.

For a proof of concept, I have successfully installed Docker-CE on an Ubuntu VM, and I am using it along with nginx.

Can one of you please confirm my open questions and observations?

Point 1: Docker-CE (community edition) is installed in the Ubuntu VM.

Followed the documentation and installed using ‘the repository’.

Can I confirm that,

    • Stable repository is a good starting point.
    • Docker image will not have any vulnerabilities.
    • Install parameters are configurable
    • Desired version of Docker can be installed

Point 2: Proxy settings
I have updated the following files

  1. /etc/systemd/system/docker.service.d/http-proxy.conf
  2. /etc/apt/apt.conf.d/proxy
  3. /etc/environment

Any other files that I should be considering?

Point 3: Please note that the Docker is running on a secured hardened host. The Ubuntu VM I have used is hardened as per my company’s compliance rules.

  1. Is the Docker-CE image hardened?

  2. Since I have installed Docker on a hardened Ubuntu VM, do I need to further harden the Docker image?

  3. Even if the Docker-CE image is not hardened, can you provide a few points to clarify that it is secure and that the containers are secure?

Point 4: Privilege mode

  1. I have confirmed that none of the docker containers are running in ‘privileged’ mode.

    The following command "docker inspect --format='{{.HostConfig.Privileged}}'" returns false.

  2. Running Docker Commands

    Every docker command I run uses 'sudo'. The sudo command allows my default user to run programs with the security privileges of the root user.

    I can create non-privileged users and add them to the 'docker' group.

    Does this mean the 'non-privileged' users now have root access only for Docker?

Point 5: Upgrading Docker

How frequently should we upgrade?
Who should upgrade?

Point 6: Memory usage and CPU usage

To ensure there is no memory leakage, I will be looking at using documentation on resource_constraints maintained by Docker. Is this fine?
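The privileged-mode check in Point 4 and the resource-constraint question in Point 6 can be answered from the same `docker inspect` output. The script below is an added example, not code from the original post or from Docker; it parses the JSON that `docker inspect` prints and flags the host-config settings a reviewer normally looks at. The two containers in SAMPLE_INSPECT are constructed and not taken from the poster's host; the field names (HostConfig.Privileged, CapAdd, NetworkMode, PidMode, Memory, NanoCpus, Binds) are the ones `docker inspect` really emits.

```python
import json
import sys

# Constructed sample in the shape `docker inspect <container>` prints, trimmed to
# the HostConfig fields the audit looks at. Not captured from a real host.
SAMPLE_INSPECT = json.dumps([
    {
        "Name": "/nginx-poc",
        "HostConfig": {
            "Privileged": False,
            "CapAdd": None,
            "NetworkMode": "bridge",
            "PidMode": "",
            "Memory": 268435456,        # 256 MiB, set with --memory
            "NanoCpus": 500000000,      # 0.5 CPU, set with --cpus
            "Binds": ["/srv/www:/usr/share/nginx/html:ro"],
        },
    },
    {
        "Name": "/debug-box",
        "HostConfig": {
            "Privileged": True,
            "CapAdd": ["SYS_ADMIN"],
            "NetworkMode": "host",
            "PidMode": "host",
            "Memory": 0,                # 0 means unlimited
            "NanoCpus": 0,
            "Binds": ["/var/run/docker.sock:/var/run/docker.sock"],
        },
    },
])


def audit_container(entry):
    """Return a list of findings for one `docker inspect` entry."""
    hc = entry.get("HostConfig", {})
    findings = []
    if hc.get("Privileged"):
        findings.append("privileged mode enabled")
    for cap in hc.get("CapAdd") or []:
        findings.append(f"added capability {cap}")
    if hc.get("NetworkMode") == "host":
        findings.append("shares host network namespace")
    if hc.get("PidMode") == "host":
        findings.append("shares host PID namespace")
    if not hc.get("Memory"):
        findings.append("no memory limit (--memory not set)")
    if not hc.get("NanoCpus"):
        findings.append("no CPU limit (--cpus not set)")
    for bind in hc.get("Binds") or []:
        if bind.split(":")[0] == "/var/run/docker.sock":
            findings.append("mounts the Docker socket (root-equivalent on the host)")
    return findings


def audit(inspect_json):
    """Map container name -> findings for every entry in `docker inspect` output."""
    return {e["Name"].lstrip("/"): audit_container(e)
            for e in json.loads(inspect_json)}


if __name__ == "__main__":
    # Reads real output when piped in, otherwise runs on the constructed sample.
    data = SAMPLE_INSPECT if sys.stdin.isatty() else sys.stdin.read()
    for name, findings in audit(data).items():
        print(f"{name}: {'OK' if not findings else 'REVIEW'}")
        for item in findings:
            print(f"  - {item}")
```

On a live host run it as `sudo docker inspect $(sudo docker ps -q) | python3 audit.py`; an empty findings list means the container is unprivileged and has both a memory and a CPU limit. The docker-socket check is included because a container that mounts the socket can start privileged containers itself, which is the same trust boundary the 'docker' group question in Point 4 is about.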

(Martin Terp) #2
I normally also use userns
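Martin's "userns" refers to dockerd's user-namespace remapping (the `userns-remap` key in /etc/docker/daemon.json), which makes uid 0 inside a container map to an unprivileged uid on the host. The script below is an added example, not code from the forum posters or from Docker: it shows how the daemon.json value and an /etc/subuid entry combine to give the host uid a container process actually runs as. DAEMON_JSON and SUBUID are constructed samples; the `dockremap` user is the one the Docker documentation describes for the "default" setting.

```python
import json

# Constructed /etc/docker/daemon.json that turns on user-namespace remapping.
# "default" tells dockerd to use a user named dockremap for the remapped range.
DAEMON_JSON = json.dumps({"userns-remap": "default"})

# Constructed /etc/subuid entry: <user>:<first host uid>:<range length>.
SUBUID = "dockremap:100000:65536\n"


def parse_subuid(text):
    """Parse /etc/subuid into {user: [(start, count), ...]}."""
    ranges = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, start, count = line.split(":")
        ranges.setdefault(user, []).append((int(start), int(count)))
    return ranges


def remap_user(daemon_json):
    """Host user whose subuid range dockerd uses, or None when remapping is off."""
    value = json.loads(daemon_json).get("userns-remap")
    if not value:
        return None
    if value == "default":
        return "dockremap"
    return value.split(":")[0]  # value may be "user" or "user:group"


def host_uid(container_uid, daemon_json, subuid_text):
    """Host uid that a process running as container_uid is seen as by the kernel."""
    user = remap_user(daemon_json)
    if user is None:
        return container_uid  # no remapping: container uid is the host uid
    offset = container_uid
    for start, count in parse_subuid(subuid_text)[user]:
        if offset < count:
            return start + offset
        offset -= count
    raise ValueError("container uid lies outside the allocated subuid range")


def container_root_is_unprivileged(daemon_json, subuid_text):
    """True when uid 0 in the container is not uid 0 on the host."""
    return host_uid(0, daemon_json, subuid_text) != 0


if __name__ == "__main__":
    for uid in (0, 1000):
        print(f"container uid {uid} -> host uid {host_uid(uid, DAEMON_JSON, SUBUID)}")
    print("container root unprivileged on host:",
          container_root_is_unprivileged(DAEMON_JSON, SUBUID))
```

Two caveats that matter for the thread's Point 4: remapping applies to processes inside containers, so it does not change the fact that members of the 'docker' group can still drive the daemon, and a container started with `--userns=host` opts out of the remapping. Bind-mounted directories also need their ownership adjusted to the remapped range, otherwise the container cannot write to them.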

(Maneeshmenon) #3

Thanks Martin for the response. I shall look at it.