I'm currently creating a service to run third party docker images/containers.
As part of this process, I am locking the down the create-container configuration on my host, to reduce the risk of malicious/rogue behaviour.
Using the following the owasp guide and the Docker API Docs I've managed to mostly lock down the create-container configuration.
My question:
- If the network for the container is disabled/
none, would I need to disable Inter-Container Communication as well (to stop containers seeing each other)?
(and there any glaring omissions from this configuration?)
Create Configuration
i.e. disable networking, limit logging, limit disk/memory/cpu/caps/ulimits, disable restart, lockdown rootfs
{
... Image / Cmd / Env ...
NetworkDisabled: true,
HostConfig: {
LogConfig: {
Type: 'json-file',
Config: { 'max-size': '1m', 'max-file': '1' }
},
NetworkMode: 'none',
RestartPolicy: { Name: 'no' },
Privileged: false,
PublishAllPorts: false,
IpcMode: 'none',
CgroupnsMode: 'private',
CpuPercent: 20,
Memory: _1GB_IN_BYTES * 2,
CapDrop: ['ALL'],
CapAdd: ['CHOWN'],
Ulimits: [
{ Name: 'nofile', Soft: 1024, Hard: 2048 },
{ Name: 'nproc', Soft: 128, Hard: 256 }
]
}
}
Note: I could not limit the disk usage (aka StorageOpt: { size: '1G' }), due to the following error:
--storage-opt is supported only for overlay over xfs with 'pquota' mount option