What are best and comprehensive practices to consider when running docker in production?

Submitted by: @import:stackexchange-devops

Problem

Finally, you are so much in love with Docker that you want to move your online business-critical production systems with sensitive customer data to a Docker Swarm. Some might even already have done so. Other organizations can't afford to, because of a policy forbidding production processes from running as root.

What could be a checklist of building blocks to consider for a Docker production environment? One does not need all of them, but all of them should be assessed.

Disclaimer: I know there is an SE policy to avoid "large endless lists", but I think this checklist cannot be very big... and certainly not endless.

So - what are these building blocks?

  • If not already deployed, consider running a Linux host system with advanced security settings: hardened kernel, SELinux etc.
  • Consider using a tiny Docker base image, like alpine, busybox or even scratch, i.e. start with an empty base image
  • Use a USER setting other than root
  • Carefully assess whether to further reduce the already shrunk set of kernel capabilities granted to the container
  • Consider having only one executable binary per container to launch your process, ideally statically linked
  • Those who want to break into your system to get shell access might wonder when they find out that your container has all shells disabled
  • Mount volumes read-only wherever possible


Question: what else?

Solution

The host on which the containers are running

Run the docker security bench on every node that runs docker containers https://github.com/docker/docker-bench-security

Running the following command on a node that runs docker containers:

docker run -it --net host --pid host --cap-add audit_control \
    -e DOCKER_CONTENT_TRUST=$DOCKER_CONTENT_TRUST \
    -v /var/lib:/var/lib \
    -v /var/run/docker.sock:/var/run/docker.sock \
    -v /usr/lib/systemd:/usr/lib/systemd \
    -v /etc:/etc --label docker_bench_security \
    docker/docker-bench-security


returns a list of checks:

[INFO] 1 - Host Configuration
[WARN] 1.1  - Ensure a separate partition for containers has been created
[NOTE] 4.2  - Ensure that containers use trusted base images
[PASS] 4.6  - Ensure HEALTHCHECK instructions have been added to the container image


Quote from the repository README:

The Docker Bench for Security is a script that checks for dozens of common best-practices around deploying Docker containers in production. The tests are all automated, and are inspired by the CIS Docker Community Edition Benchmark v1.1.0.

Some of the issues reported by the security bench could be solved by reading the official Docker security article. Comparing it with the bullets defined in the question, the following things are important as well:

  • protect the Docker daemon socket by implementing SSL
  • content trust using Notary and the DOCKER_CONTENT_TRUST variable


Context

StackExchange DevOps Q#1943, answer score: 24
