A large part of the document boils down to 'run with defaults', 'setup auditing', and 'check file permissions', 'drop unneeded capabilities', 'define sane limits', 'centralize and rotate logs', and 'make backups'. These are all really great baseline steps. There were also I think a few Docker-specific points worth highlighting;
- Run with -icc=false. This should have been the default but isn't for legacy reasons I think. By default there is no firewall between containers. icc=false turns the inter-container firewall on. This is a pretty basic one, but easy for new docker users to miss.
- Host port mapping (e.g. -p 80) by default binds to 0.0.0.0:80 on the host container. This could inadvertently expose your internal services to unexpected interfaces. Specify the host IP you want to bind to explicitly (e.g. -p 127.0.0.1:49123:8080)
- Run inside containers as non-root. Most Dockerfiles you come across will run as root inside the container. In your base image, 'RUN useradd' and in your Dockerfiles add a 'USER' directive, and start the container with -u <user>.
- Set root file system as read-only inside the container. It enforces the best practice that the container should be immutable anyway.
- Instead of --restart:always, try --restart=on-failure:5 to avoid a possible DoS or excessive flapping. Not sure if I 100% agree with this, but it's an interesting suggestion.
Regarding the -icc=false option, if you want to do it by default to all containers, just modify the docker daemon's options adding --iptables=false [0] and restart the daemon.
This document says essentially nothing of significance--it is a marketing piece. There are no details of exactly how resilient a containerized process is to attack, how to prevent "escaping", etc. The general consensus (if I'm not mistaken) is that containers are for deployment/operational convenience and should not be relied upon for security, but you would have no idea if you only read this so-called whitepaper.
I would normally not comment to say "seriously, :/", but this time I feel it is warranted so that people can see how much of an inconvenience this is. As a security sensitive person, I don't much feel like putting a load of information into a form and agree to some random terms I'm not going to read. Yuck.
Why do I need to take any action to securely deply Docker containers? Why aren't they secure by default. What I should need to study is how to run them insecurely, should I have that need. Secure should be the default mode.
Docker aims to run arbitrary off-the-shelf Linux apps (and even entire distros) with no modification. Such apps are largely authored to work in traditional environments where security is fairly ad hoc and requires fiddly user configuration. Although in many cases it would not be hard to adapt them to a uniform security model, any such requirement would mean that Docker would only support apps that have been "ported" to that model, which would make it a very different kind of platform not suited for the same use cases.
For an example of the opposite approach, look at Sandstorm.io. It forces apps to conform to a strict platform-defined security model where things are isolated "by default" and from there the user can use friendly UI to grant permissions as necessary. This means that currently there are only some 30 apps available on Sandstorm but they are (or will be, when Sandstorm reaches 1.0) "secure by default", or at least much more so than other platforms could claim.
(Disclosure: I'm the lead developer of Sandstorm.)
This would be really great if security was a binary switch, but it's not. The most secure way for them to write Docker would be if, when started, it ran `shutdown -h now`. In the real world, designers of systems and software are required to make security decisions and determine the best course for providing security and usability.
I don't agree with several decisions that the Docker team has made, but to so grossly oversimplify the matter at hand is unhelpful.
- Run with -icc=false. This should have been the default but isn't for legacy reasons I think. By default there is no firewall between containers. icc=false turns the inter-container firewall on. This is a pretty basic one, but easy for new docker users to miss.
- Host port mapping (e.g. -p 80) by default binds to 0.0.0.0:80 on the host container. This could inadvertently expose your internal services to unexpected interfaces. Specify the host IP you want to bind to explicitly (e.g. -p 127.0.0.1:49123:8080)
- Run inside containers as non-root. Most Dockerfiles you come across will run as root inside the container. In your base image, 'RUN useradd' and in your Dockerfiles add a 'USER' directive, and start the container with -u <user>.
- Set root file system as read-only inside the container. It enforces the best practice that the container should be immutable anyway.
- Instead of --restart:always, try --restart=on-failure:5 to avoid a possible DoS or excessive flapping. Not sure if I 100% agree with this, but it's an interesting suggestion.