An overview of the
Recommended system project deployment to Ali Cloud, after passing Standard Docker Security Baseline Check, found several Security vulnerabilities. Most of them are docker service configuration problems, recorded for reference.
The problem
There are mainly the following 5 vulnerabilities to be fixed:
checkpoint | Check the type |
---|---|
Restrict network connections between containers | Service configuration |
Limit container memory usage | Service configuration |
Enable Docker content trust mechanism | Service configuration |
The mount container root file system is in read-only mode | Service configuration |
Audit Docker files and directories | Security audit |
The solution
1. Restrict network interconnection between containers
-
Description:
By default, all network traffic is allowed between containers on the same host. If not desired, restrict all the inter container communication. Link specific containers together that require inter communication.By default, unrestricted network traffic is enabled between all containers on the same host. Thus, each container has the potential of reading all packets across the container network on the same host. This might lead to unintended and unwanted disclosure of information to other containers. Hence, restrict the inter container communication.
-
Recommended scheme:
Run the docker in daemon mode and pass ‘–icc=false’ as argument. For Example
/usr/bin/dockerd --icc=false Copy the code
If you use systemctl to manage the docker service, you need to edit it.
/usr/lib/systemd/system/docker.service Copy the code
Add the
--icc=false
option to theExecStart
parameter in the file. restart dockerdsystemctl daemon-reload systemctl restart docker Copy the code
2. Limit container memory usage
-
Description:
By default, all containers on a Docker host share the resources equally. By using the resource management capabilities of Docker host, such as memory limit, you can control the amount of memory that a container may consume.
By default, container can use all of the memory on the host. You can use memory limit mechanism to prevent a denial of service arising from one container consuming all of the host’s resources such that other containers on the same host cannot perform their intended functions. Having no limit on memory can lead to issues where one container can easily make the whole system unstable and as a result unusable. -
Recommended scheme:
Run the container with only as much memory as required. Always run the container using the ‘–memory’ argument. You should start the container as below:
docker run --interactive --tty --memory 256m <Container Image Name or ID> Copy the code
3. Enable the Docker content trust mechanism
-
Description:
Content trust is disabled by default. You should enable it. Content trust provides the ability to use digital signatures for data sent to and received from remote Docker registries. These signatures allow client-side verification of the integrity and publisher of specific image tags. This ensures provenance of container images
-
Recommended scheme:
To enable content trust in a bash shell, enter the following command: export DOCKER_CONTENT_TRUST=1
Alternatively, set this environment variable in your profile file so that content trust in enabled on every login.
Content trust is currently only available for users of the public Docker Hub. It is currently not available for the Docker Trusted Registry or for private registries.
4. The root file system of the mount container is in read-only mode
-
Description:
The container’s root file system should be treated as a ‘golden image’ and any writes to the root filesystem should be avoided. You should explicitly define a container volume for writing. You should not be writing data within containers. The data volume belonging to a container should be explicitly defined and administered. This is useful in many cases where the admin controls where they would want developers to write files and errors.
-
Recommended scheme:
docker run --interactive --tty --read-only --volume <writable-volume> <Container Image Name or ID> <Command>
If you are a container arranged by k8s or other container orchestration software, please configure it according to the corresponding security policy or ignore it.
5. Audit Docker files and directories
-
Description:
Apart from auditing your regular Linux file system and system calls, audit all Docker related files and directories. Docker daemon runs with ‘root’ privileges. Its behavior depends on some key files and directories. /var/lib/docker is one such directory. It holds all the information about containers. It must be audited.Such as /var/lib/docker, /etc/docker, docker.service, docker.socket, /usr/bin/docker-containerd, /usr/bin/docker-runc, etc.
-
Recommended scheme:
Add the line as below in /etc/audit/audit.rules and /etc/audit/rules.d/audit.rules files:
-w /usr/bin/docker -k docker -w /var/lib/docker -k docker -w /etc/docker -k docker -w /usr/lib/systemd/system/docker.service -k docker -w /usr/lib/systemd/system/docker.socket -k docker -w /usr/bin/docker-containerd -k docker -w /usr/bin/docker-runc -k docker Copy the code
Then, restart the audit daemon. For example
service auditd restart Copy the code