|
|
|
|
|
|
by zaroth
4066 days ago
|
|
|
A large part of the document boils down to 'run with defaults', 'setup auditing', and 'check file permissions', 'drop unneeded capabilities', 'define sane limits', 'centralize and rotate logs', and 'make backups'. These are all really great baseline steps. There were also I think a few Docker-specific points worth highlighting; - Run with -icc=false. This should have been the default but isn't for legacy reasons I think. By default there is no firewall between containers. icc=false turns the inter-container firewall on. This is a pretty basic one, but easy for new docker users to miss. - Host port mapping (e.g. -p 80) by default binds to 0.0.0.0:80 on the host container. This could inadvertently expose your internal services to unexpected interfaces. Specify the host IP you want to bind to explicitly (e.g. -p 127.0.0.1:49123:8080) - Run inside containers as non-root. Most Dockerfiles you come across will run as root inside the container. In your base image, 'RUN useradd' and in your Dockerfiles add a 'USER' directive, and start the container with -u <user>. - Set root file system as read-only inside the container. It enforces the best practice that the container should be immutable anyway. - Instead of --restart:always, try --restart=on-failure:5 to avoid a possible DoS or excessive flapping. Not sure if I 100% agree with this, but it's an interesting suggestion. |
|
|
/var/run needs to be writable. /tmp needs to be writable and so on. I gave it a shot again today:
$ docker run --read-only=true -ti ubuntu:14.10 touch /tmp/foo
touch: cannot touch '/tmp/foo': Read-only file system
How is this supposed to work? There is little to no information on how this feature works. Can you give me a pointer?
In addition, restart:on-failure appears to have issues if docker itself crashes.