I'm currently creating a service to run third party docker images/containers.
As part of this process, I am locking down the create-container configuration on my host, to reduce the risk of malicious/rogue behaviour.
Using the OWASP guide and the Docker API docs, I've managed to mostly lock down the create-container configuration.
My question:
- If the network for the container is disabled / `none`, would I need to disable Inter-Container Communication as well (to stop containers seeing each other)?
(and are there any glaring omissions from this configuration?)
Create Configuration
i.e. disable networking, limit logging, limit disk/memory/CPU/caps/ulimits, disable restart, lock down rootfs

```js
{
  // ... Image / Cmd / Env ...
  NetworkDisabled: true,
  HostConfig: {
    LogConfig: {
      Type: 'json-file',
      Config: { 'max-size': '1m', 'max-file': '1' }
    },
    NetworkMode: 'none',
    RestartPolicy: { Name: 'no' },
    Privileged: false,
    PublishAllPorts: false,
    IpcMode: 'none',
    CgroupnsMode: 'private',
    CpuPercent: 20,
    Memory: _1GB_IN_BYTES * 2,
    CapDrop: ['ALL'],
    CapAdd: ['CHOWN'],
    Ulimits: [
      { Name: 'nofile', Soft: 1024, Hard: 2048 },
      { Name: 'nproc', Soft: 128, Hard: 256 }
    ]
  }
}
```
Note: I could not limit the disk usage (aka `StorageOpt: { size: '1G' }`), due to the following error:

```
--storage-opt is supported only for overlay over xfs with 'pquota' mount option
```
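An added audit script for this configuration (not part of the question, and not code from Docker or any project the question cites): it reads a container's `docker inspect` document and reports every field that has drifted from the hardened baseline above, so the settings the question relies on (NetworkMode `none`, CapDrop `ALL`, no restart, bounded memory, bounded logs and ulimits) can be verified on running containers rather than only trusted at create time. The baseline values, the `SAMPLE_INSPECT` document and the finding messages are constructed for the example. Two checks go slightly beyond the question's configuration: `ReadonlyRootfs`, because the description mentions locking down the rootfs but the shown config does not set it, and a Linux CPU limit via `NanoCpus` or `CpuQuota`, because the Engine API documents `CpuPercent` as a Windows-only option.

```javascript
// Added example (not from the original post): audit a container's
// `docker inspect` JSON against the hardened create-container baseline.
// Real use: JSON.parse the output of `docker inspect <id>` (an array of
// containers) and call auditContainer() on each element.

const GiB = 1024 ** 3;

// Baseline mirrors the create-container configuration in the question
// (values are an assumption for this example; adjust to your own policy).
const BASELINE = {
  networkMode: 'none',
  ipcMode: 'none',
  cgroupnsMode: 'private',
  restartPolicy: 'no',
  allowedCapAdd: new Set(['CHOWN']),
  maxMemoryBytes: 2 * GiB,
  logDriver: 'json-file',
  logOpts: { 'max-size': '1m', 'max-file': '1' },
  requiredUlimits: ['nofile', 'nproc'],
};

// Returns a list of human-readable findings; an empty list means the
// container matches the baseline.
function auditContainer(inspect) {
  const cfg = inspect.Config || {};
  const hc = inspect.HostConfig || {};
  const findings = [];
  const flag = (msg) => findings.push(msg);

  if (hc.Privileged === true) flag('Privileged is true');
  if (hc.ReadonlyRootfs !== true) flag('ReadonlyRootfs is not true');

  // Networking: the container must stay detached from every Docker network.
  if (hc.NetworkMode !== BASELINE.networkMode) flag(`NetworkMode is '${hc.NetworkMode}', expected '${BASELINE.networkMode}'`);
  if (cfg.NetworkDisabled !== true) flag('Config.NetworkDisabled is not true');
  if (hc.PublishAllPorts === true) flag('PublishAllPorts is true');
  if (hc.PortBindings && Object.keys(hc.PortBindings).length > 0) flag('PortBindings present');

  if (hc.IpcMode !== BASELINE.ipcMode) flag(`IpcMode is '${hc.IpcMode}', expected '${BASELINE.ipcMode}'`);
  if (hc.CgroupnsMode !== BASELINE.cgroupnsMode) flag(`CgroupnsMode is '${hc.CgroupnsMode}', expected '${BASELINE.cgroupnsMode}'`);
  if (!hc.RestartPolicy || hc.RestartPolicy.Name !== BASELINE.restartPolicy) flag(`RestartPolicy is not '${BASELINE.restartPolicy}'`);

  // Capabilities: everything dropped, only allow-listed ones re-added.
  if (!(hc.CapDrop || []).includes('ALL')) flag('CapDrop does not contain ALL');
  for (const cap of hc.CapAdd || []) {
    if (!BASELINE.allowedCapAdd.has(cap)) flag(`CapAdd contains non-allow-listed capability ${cap}`);
  }

  // Memory: 0 means unlimited, so it must be positive and within the cap.
  if (!(hc.Memory > 0)) flag('Memory is unlimited');
  else if (hc.Memory > BASELINE.maxMemoryBytes) flag(`Memory ${hc.Memory} exceeds ${BASELINE.maxMemoryBytes}`);

  // CPU: the Engine API documents CpuPercent as Windows-only, so on a
  // Linux host require NanoCpus or CpuQuota for an effective limit.
  if (!(hc.NanoCpus > 0) && !(hc.CpuQuota > 0)) {
    flag('No effective Linux CPU limit (NanoCpus/CpuQuota unset; CpuPercent alone is Windows-only)');
  }

  // Logging: bounded json-file logs so a noisy container cannot fill the disk.
  const log = hc.LogConfig || {};
  if (log.Type !== BASELINE.logDriver) flag(`LogConfig.Type is '${log.Type}', expected '${BASELINE.logDriver}'`);
  for (const [k, v] of Object.entries(BASELINE.logOpts)) {
    if (!log.Config || log.Config[k] !== v) flag(`LogConfig.Config['${k}'] is not '${v}'`);
  }

  // Ulimits: each required limit present with a finite hard cap.
  const ulimits = new Map((hc.Ulimits || []).map((u) => [u.Name, u]));
  for (const name of BASELINE.requiredUlimits) {
    const u = ulimits.get(name);
    if (!u || !(u.Hard > 0)) flag(`Ulimit ${name} missing or unbounded`);
  }

  return findings;
}

// Constructed sample `docker inspect` document (not captured from a real
// host): mirrors the question's configuration, so it is expected to produce
// exactly the ReadonlyRootfs and CPU-limit findings.
const SAMPLE_INSPECT = {
  Config: { Image: 'example/untrusted:latest', NetworkDisabled: true },
  HostConfig: {
    LogConfig: { Type: 'json-file', Config: { 'max-size': '1m', 'max-file': '1' } },
    NetworkMode: 'none',
    RestartPolicy: { Name: 'no', MaximumRetryCount: 0 },
    Privileged: false,
    PublishAllPorts: false,
    IpcMode: 'none',
    CgroupnsMode: 'private',
    CpuPercent: 20,
    Memory: 2 * GiB,
    CapDrop: ['ALL'],
    CapAdd: ['CHOWN'],
    Ulimits: [
      { Name: 'nofile', Soft: 1024, Hard: 2048 },
      { Name: 'nproc', Soft: 128, Hard: 256 },
    ],
  },
};

const sampleFindings = auditContainer(SAMPLE_INSPECT);
console.log(sampleFindings.length ? sampleFindings.join('\n') : 'OK: matches baseline');
```

Run it periodically against `docker inspect` output (or hook it into the service right after create) and treat any non-empty finding list as a policy violation; a container whose NetworkMode has drifted from `none` to `bridge` is exactly the case where the daemon-level inter-container-communication setting would start to matter.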