One of the valuable aspects of Docker images is the ability to sign them, which lets you validate the integrity and provenance of an image before you run it. Docker implements this as Docker Content Trust, backed by Notary: with content trust enabled, the client refuses to pull or run an image tag that does not carry a valid signature.
- Know what is in the code base
- Understand the libraries, and their origin
- Know what is in your containers
- Docker Image Authenticity - Do you know the source?
- Avoid noisy neighbours - Help survive DDoS attacks.
- Running containers in super-privileged mode is usually unnecessary
- Limit container resources to limit exposure to DDoS attacks.
- Use Docker Bench for Security
Set Resource Limits
What happens when a container goes awry and begins to consume all of your host's resources? That is not a recipe for success or security: the host, and every other container on it, suffers. You can set resource limits for individual containers right from the run command. For example, to cap a container at 1GB of memory, add the --memory="1000M" option to the run command. You can also limit the number of CPUs with --cpus=X (where X is the number of CPUs you want available to the container; fractional values such as 1.5 are allowed). Two caveats a practitioner will want: a memory limit alone still lets the container use swap up to a further amount equal to the limit unless you also set --memory-swap to the same value as --memory, and a fork bomb inside a container is only stopped by a process limit, set with --pids-limit.
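The flags above set the limits, but it is easy to forget them on a long-running host. The following script is an added example, not code from the original article: it reads the HostConfig block that docker inspect returns for each running container and reports anything that has no memory, CPU or PID limit, can spill into swap, or runs privileged. The field names (Memory and MemorySwap in bytes, NanoCpus in billionths of a CPU, PidsLimit, Privileged) are those docker inspect prints; the embedded JSON is a constructed sample in that shape, not real output.

```python
"""Audit running containers for missing resource limits and privileged mode.

Added example, not code from the original article. It reads the HostConfig
block that `docker inspect` returns for each container: Memory and
MemorySwap are bytes, NanoCpus is in 1e-9 CPU units, PidsLimit is the
--pids-limit value and Privileged is the --privileged flag.
"""
import json
import subprocess
import sys

NANO_PER_CPU = 1_000_000_000


def audit_host_config(name, hc):
    """Return a list of findings for one container's HostConfig dict."""
    findings = []
    memory = hc.get("Memory") or 0
    if memory <= 0:
        findings.append(f"{name}: no memory limit (run with --memory)")
    else:
        # MemorySwap is memory + swap in total. Docker fills in 2x the memory
        # limit when --memory-swap is not given, and -1 means unlimited swap.
        swap_total = hc.get("MemorySwap") or 0
        if swap_total in (0, -1) or swap_total > memory:
            findings.append(
                f"{name}: may use swap beyond its {memory // 2**20} MiB limit "
                "(set --memory-swap equal to --memory)")
    cpus = (hc.get("NanoCpus") or 0) / NANO_PER_CPU
    if cpus <= 0 and (hc.get("CpuQuota") or 0) <= 0:
        findings.append(f"{name}: no CPU limit (run with --cpus)")
    if (hc.get("PidsLimit") or 0) <= 0:
        findings.append(f"{name}: no PID limit, fork bombs unconstrained (run with --pids-limit)")
    if hc.get("Privileged"):
        findings.append(f"{name}: runs with --privileged")
    return findings


def audit_inspect_output(inspect_json):
    """Parse the JSON array that `docker inspect` prints and audit every entry."""
    findings = []
    for container in json.loads(inspect_json):
        name = container.get("Name", "?").lstrip("/")
        findings.extend(audit_host_config(name, container.get("HostConfig") or {}))
    return findings


def audit_running_containers():
    """Inspect every running container on this host (needs the docker CLI)."""
    ids = subprocess.run(["docker", "ps", "-q"], capture_output=True,
                         text=True, check=True).stdout.split()
    if not ids:
        return []
    out = subprocess.run(["docker", "inspect", *ids], capture_output=True,
                         text=True, check=True).stdout
    return audit_inspect_output(out)


# Constructed sample in the shape of `docker inspect` output (not real data):
# "hardened" was started with --memory=1g --memory-swap=1g --cpus=1.5
# --pids-limit=256; "loose" with no limits and --privileged.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/hardened",
     "HostConfig": {"Memory": 1073741824, "MemorySwap": 1073741824,
                    "NanoCpus": 1500000000, "CpuQuota": 0,
                    "PidsLimit": 256, "Privileged": False}},
    {"Name": "/loose",
     "HostConfig": {"Memory": 0, "MemorySwap": 0, "NanoCpus": 0,
                    "CpuQuota": 0, "PidsLimit": None, "Privileged": True}},
])

if __name__ == "__main__":
    # Pass --live to audit the real host instead of the constructed sample.
    findings = audit_running_containers() if "--live" in sys.argv \
        else audit_inspect_output(SAMPLE_INSPECT)
    for finding in findings:
        print(finding)
    sys.exit(1 if findings else 0)
```

Run it with --live on a host where the docker CLI works; the non-zero exit status makes it usable as a gate in a deployment pipeline.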
Use Docker Bench for Security
There's a very handy script you can run against your Docker host that checks:
- Host Configuration
- Docker Daemon Configuration
- Docker Daemon Configuration Files
- Container Images and Build Files
- Container Runtime
Docker Bench for Security should be considered a must-use script. Here's how you use it:
- Open a terminal window on your Docker server.
- Clone the docker-bench-security repository with the command git clone.
- Change into the newly created directory with the command cd docker-bench-security.
- Run the script with the command sudo sh docker-bench-security.sh (it needs root to read the daemon configuration and container state).
You will see quite a lot of information scroll by as the script tests your host and containers against the CIS Docker Benchmark. Every check is reported as Info, Warning, or Pass (Figure C). From that information, you can act accordingly to further secure your Docker server and containers.
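On a busy host the report runs to hundreds of lines, so it helps to triage it by section before acting. The script below is an added example, not part of the article or of the docker-bench-security project. It assumes the script has been cloned into ./docker-bench-security (the article gives no repository URL; the upstream project lives at https://github.com/docker/docker-bench-security), parses the "[LEVEL] id - title" result lines the script prints after stripping the ANSI colour codes, and groups the warnings by the section headers the script emits. The embedded report is a constructed sample in that format; its check ids and titles are illustrative, not copied from a real run.

```python
"""Run Docker Bench for Security and triage its report by section.

Added example, not part of the article or of the docker-bench-security
project. Assumes the script is checked out at ./docker-bench-security
(assumed upstream: https://github.com/docker/docker-bench-security).
"""
import re
import subprocess
import sys
from collections import Counter, defaultdict

ANSI_ESCAPE = re.compile(r"\x1b\[[0-9;]*m")
# Result lines look like "[WARN] 2.1 - Ensure network traffic is restricted ...".
# Indented "[WARN]      * detail" lines name the offending item and are skipped.
RESULT_LINE = re.compile(r"^\[(INFO|NOTE|WARN|PASS)\]\s+(\d+(?:\.\d+)*)\s+-\s+(.+)$")


def parse_report(text):
    """Return (level, check_id, title) tuples for every result line."""
    results = []
    for raw in text.splitlines():
        match = RESULT_LINE.match(ANSI_ESCAPE.sub("", raw).strip())
        if match:
            results.append(match.groups())
    return results


def triage(results):
    """Count results per level and group WARN checks by top-level section."""
    counts = Counter(level for level, _, _ in results)
    # Section headers are INFO lines whose id has no dot, e.g. "[INFO] 2 - ...".
    sections = {cid: title for level, cid, title in results
                if level == "INFO" and "." not in cid}
    warns = defaultdict(list)
    for level, cid, title in results:
        if level == "WARN":
            section = cid.split(".")[0]
            warns[sections.get(section, section)].append(f"{cid} {title}")
    return counts, dict(warns)


def run_bench(checkout="./docker-bench-security"):
    """Run the script (it needs root) and return its raw output."""
    proc = subprocess.run(["sudo", "sh", "docker-bench-security.sh"],
                          cwd=checkout, capture_output=True, text=True)
    return proc.stdout


# Constructed sample output: ids and titles are illustrative, colour codes
# are in the form the script emits.
SAMPLE_REPORT = "\n".join([
    "\x1b[1;34m[INFO]\x1b[0m 1 - Host Configuration",
    "\x1b[1;31m[WARN]\x1b[0m 1.1.1 - Ensure a separate partition for containers has been created",
    "\x1b[1;32m[PASS]\x1b[0m 1.1.2 - Ensure only trusted users are allowed to control Docker daemon",
    "\x1b[1;34m[INFO]\x1b[0m 2 - Docker daemon configuration",
    "\x1b[1;31m[WARN]\x1b[0m 2.1 - Ensure network traffic is restricted between containers on the default bridge",
    "\x1b[1;31m[WARN]\x1b[0m      * Default network: bridge",
    "\x1b[1;32m[PASS]\x1b[0m 2.2 - Ensure the logging level is set to 'info'",
    "\x1b[1;34m[INFO]\x1b[0m 5 - Container Runtime",
    "\x1b[1;31m[WARN]\x1b[0m 5.4 - Ensure privileged containers are not used",
    "\x1b[1;31m[WARN]\x1b[0m      * Container running in Privileged mode: webapp",
    "\x1b[1;33m[NOTE]\x1b[0m 5.25 - Ensure the container is restricted from acquiring additional privileges",
])

if __name__ == "__main__":
    # Pass --live to run the real script instead of the constructed sample.
    report = run_bench() if "--live" in sys.argv else SAMPLE_REPORT
    counts, warns = triage(parse_report(report))
    print("summary:", dict(counts))
    for section, items in warns.items():
        print(f"{section}: {len(items)} warning(s)")
        for item in items:
            print("  ", item)
```

Feeding the script's output through a parser like this also lets you diff two runs, so a regression (a check that was Pass last week and is Warning today) shows up instead of being lost in the scroll.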