Well, hi everyone. The truth is that when you put a container-based architecture into production you have to read a lot to get security and resource control right, because a container runs with almost everything enabled by default: it can use all of the host's memory and CPU, it has unlimited disk I/O, and if you are not careful every process inside it runs as root. Obviously we have to avoid all that.
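To make the "everything enabled" point concrete, here is an added example (my own, not code from this page or from Docker): the plain `docker run` most people type first next to the same container with resource limits, an immutable root filesystem, no Linux capabilities, no setuid escalation and a non-root uid, plus a small audit function that lists which of those controls a command line is missing. The image name `example/app:1.0` and the limit values are assumptions; the flags themselves are real `docker run` options.

```shell
#!/bin/sh
# Added example, not code from the page or from Docker: the "everything enabled"
# default run next to a hardened run, plus a check that lists which controls an
# argument list is missing. The image name and the limit values are assumptions.

IMAGE="example/app:1.0"   # assumed image that listens on a port above 1024

# What most people type first: no limits, all default capabilities, root inside.
default_run() {
    printf 'docker run -d %s\n' "$1"
}

# The same container with a memory and CPU budget, a process cap, an immutable
# root filesystem, no Linux capabilities, no setuid escalation and a non-root uid.
# Every flag is a real docker run option; Docker's default seccomp and AppArmor
# profiles still apply on top of these.
hardened_run() {
    printf 'docker run -d'
    printf ' --memory=256m --memory-swap=256m'     # hard RAM cap; swap = memory means no swap
    printf ' --cpus=0.5'                           # half a core
    printf ' --pids-limit=100'                     # stops fork bombs
    printf ' --read-only --tmpfs /tmp'             # immutable rootfs, scratch space in tmpfs
    printf ' --cap-drop=ALL'                       # add single caps back only if the app needs them
    printf ' --security-opt=no-new-privileges'     # setuid binaries cannot raise privileges
    printf ' --user=10001:10001'                   # unprivileged uid:gid (match the image's USER)
    printf ' %s\n' "$1"
}

# List the hardening controls missing from a docker run command line, one per
# line, and return 1 if any is missing. Only the --flag=value spelling is
# recognised, so write the flags that way (docker accepts both spellings).
audit_run_flags() {
    args=" $* "
    missing=""
    for control in '--memory=' '--cpus=' '--pids-limit=' '--read-only' \
                   '--cap-drop=ALL' '--security-opt=no-new-privileges' '--user='; do
        case "$args" in
            *" $control"*) ;;                          # present
            *) missing="$missing $control" ;;
        esac
    done
    if [ -n "$missing" ]; then
        printf '%s\n' $missing                       # unquoted on purpose: one control per line
        return 1
    fi
    return 0
}

# Demo: audit both command lines.
for cmd in "$(default_run "$IMAGE")" "$(hardened_run "$IMAGE")"; do
    printf '\n%s\n' "$cmd"
    if audit_run_flags "$cmd"; then
        echo '  OK: all hardening controls present'
    else
        echo '  ^ these controls are missing'
    fi
done
```

The audit is deliberately dumb (string matching on the `--flag=value` form), so treat it as a pre-commit reminder, not a policy engine; docker-bench-security, linked below, does the equivalent checks against running containers.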
There is a lot to read, be advised! Thank you Bret Fisher.
https://docs.docker.com/engine/security/
Security tools
https://sysdig.com/blog/20-docker-security-tools/
Bret Fisher´s security concerns
https://github.com/BretFisher/ama/discussions/150
Secure computing mode (seccomp)
https://docs.docker.com/engine/security/seccomp/
AppArmor (Application Armor)
https://docs.docker.com/engine/security/apparmor/
docker-bench-security
https://github.com/docker/docker-bench-security
A Dockerfile sample showing how to run as a non-root user.
https://github.com/BretFisher/dockercon19/blob/master/1.Dockerfile
Official reference for the USER directive.
https://docs.docker.com/engine/reference/builder/#user
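Since the USER directive is the part people get wrong in multi-stage builds, here is an added example (mine, not code from the page, from Bret Fisher's repo or from Docker's docs): a Dockerfile that builds as root but ships an image running as an unprivileged user, a second one with the classic mistake (USER set only in the build stage, so the final image still runs as root), and a shell check that reports which user the final stage will start as. The node image tags, the `npm` commands, the uid and the file names are assumptions.

```shell
#!/bin/sh
# Added example, not code from the page, from Bret Fisher's repo or from Docker's
# docs: a multi-stage Dockerfile that builds as root but runs as an unprivileged
# user, a second one with the classic mistake (USER set only in the build stage),
# and a check that reports which user the final stage will run as.
# Image tags, package manager commands, uid and file names are assumptions.

# Good: the last stage creates an account with a fixed uid/gid and switches to it.
write_good_dockerfile() {
    cat > "$1" <<'EOF'
FROM node:20-alpine AS build
WORKDIR /src
COPY package*.json ./
RUN npm ci --omit=dev
COPY . .

FROM node:20-alpine
# Fixed ids keep the account stable across rebuilds and recognisable on the host.
RUN addgroup -g 10001 -S app && adduser -u 10001 -S -G app app
COPY --from=build --chown=app:app /src /app
WORKDIR /app
USER app
EXPOSE 3000
CMD ["node", "server.js"]
EOF
}

# Bad: USER appears in the build stage only, so the image that ships runs as root.
write_bad_dockerfile() {
    cat > "$1" <<'EOF'
FROM node:20-alpine AS build
RUN adduser -S app
USER app
WORKDIR /src
COPY . .
RUN npm ci --omit=dev

FROM node:20-alpine
COPY --from=build /src /app
CMD ["node", "/app/server.js"]
EOF
}

# Print the user the final stage starts as: the last USER after the last FROM,
# or "root" when none is set. A base image's own USER is not visible here, so a
# distroless "nonroot" base would be reported as root (check the base separately).
final_user() {
    awk '
        toupper($1) == "FROM" { user = "root" }   # each stage starts from the default again
        toupper($1) == "USER" { user = $2 }
        END { print (user == "" ? "root" : user) }
    ' "$1"
}

# Exit 0 when the final stage runs as a non-root user (name or numeric uid), 1 otherwise.
is_nonroot() {
    case "$(final_user "$1")" in
        root|root:*|0|0:*) return 1 ;;
        *) return 0 ;;
    esac
}

# Demo: write both Dockerfiles to a scratch directory and check them.
tmp="$(mktemp -d)"
write_good_dockerfile "$tmp/Dockerfile.good"
write_bad_dockerfile "$tmp/Dockerfile.bad"
for f in "$tmp/Dockerfile.good" "$tmp/Dockerfile.bad"; do
    if is_nonroot "$f"; then
        printf '%s: OK, final stage runs as %s\n' "$f" "$(final_user "$f")"
    else
        printf '%s: WARNING, final stage runs as root\n' "$f"
    fi
done
rm -rf "$tmp"
```

Use a fixed, high uid rather than whatever `adduser` hands out, so the id is the same on every rebuild and you can recognise it on the host (and map it with user namespaces, next link). Remember the check only reads the Dockerfile: `docker inspect --format '{{.Config.User}}' <image>` tells you what the built image actually carries, base image included.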
User namespaces!
https://docs.docker.com/engine/security/userns-remap/
Container vulnerabilities database
Find and fix security vulnerabilities
https://www.paloaltonetworks.com/prisma/cloud
Scanner for vulnerabilities in container images, file systems, and Git repositories, as well as for configuration issues
https://github.com/aquasecurity/trivy
Threat detection for easier security policy management across containers
https://sysdig.com/opensource/falco/
Content trust in Docker
https://docs.docker.com/engine/security/trust/
Rootless mode (experimental in 19.03, the version the link below documents; generally available since Docker Engine 20.10, see https://docs.docker.com/engine/security/rootless/)
https://github.com/docker/engine/blob/v19.03.0-rc3/docs/rootless.md
Experimenting with Rootless Docker
Hardening Docker daemon with Rootless mode
Docker CE for Linux installation script (Rootless mode): https://get.docker.com/rootless
“Distroless” Docker Images