Dockerfile Security
A Dockerfile is a text file that contains the commands used to build an image. It consists of four parts: basic image information (FROM), maintainer information (MAINTAINER), image operation commands (RUN, ADD, and COPY), and the container startup command (CMD). Docker creates container images by reading the commands in the Dockerfile. The Dockerfile provided is a reference sample for users. If you modify it, pay attention to the security of any third-party software that the Dockerfile installs.
- Do not enable the SSH service in the container.
- Use a non-root user in the container.
- Grant users only the necessary capabilities to prevent security risks such as container escape caused by high-privilege users.
- When publishing container ports, bind them to the specific host interface that needs them.
- Enable the AppArmor capability. AppArmor provides security policies that protect the Linux system and applications, and you can specify the AppArmor file when running the container. Before enabling the AppArmor capability, enable the AppArmor function of the Linux kernel.
- Enable the SELinux capability. You can specify the SELinux configuration when running the container to improve security. Before enabling this function, you need to use --selinux-enabled to make the configuration take effect in the Docker daemon.
- Scan and rebuild images frequently and add security patches in a timely manner.
- Ensure that the file on which the ADD operation is performed is a trusted file in the Dockerfile.
- Do not store sensitive information in the Dockerfile.
- Add health checks to images.
- Do not use the update instruction alone in the Dockerfile.
- You are advised to add a --read-only flag so that the root file system of the container is mounted in read-only mode. This flag can be used together with the container volume to force the container process to write only in the location that will be persisted. See the following example:
      docker run --interactive --tty --read-only --volume /centdata centos /bin/bash
  This runs a container that has a read-only root file system and uses centdata as the container volume for write operations.
- Use a separate disk partition for the container, to prevent the disk space of the host from being used up, and thus prevent system exceptions.
- Do not mount docker.sock to the container.
- Do not run untrusted applications in the container.
- Do not listen on unnecessary ports in the container.
- Mount the root file system of the container in read-only mode.
- Set system resource quotas for the container to prevent the container from exhausting the resources. System resources include but are not limited to CPU and memory.
- Enable authentication and encrypted transmission for container service ports that listen externally, to prevent service data from being stolen.
- Do not share namespaces, including the network namespace, UTS namespace, and user namespace.
- Do not pass sensitive information through environment variables or ConfigMaps during container deployment, to avoid sensitive data leakage.
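
As an added example (not part of the original page or of any Docker tooling), the following Python script checks a Dockerfile against the items above that can be verified from the file itself: SSH, non-root user, ADD sources, sensitive information, health checks, and update used alone. The helper names, the regex heuristics and the sample Dockerfile are assumptions made for illustration.

```python
import re

# Added example: helper names and heuristic patterns are this example's own assumptions.
SECRET = re.compile(r"PASSWORD|PASSWD|SECRET|TOKEN|API_?KEY|PRIVATE_KEY", re.I)
UPDATE = re.compile(r"\b(apt-get|apt|yum|dnf|apk)\s+(-\S+\s+)*update\b")
INSTALL = re.compile(r"\b(install|add|upgrade)\b")
SSH = re.compile(r"\bsshd\b|openssh-server")

def instructions(text):
    """Yield (INSTRUCTION, args); joins backslash continuations, skips comments."""
    for line in re.sub(r"\\[ \t]*\n", " ", text).splitlines():
        word, _, args = line.strip().partition(" ")
        if word and not word.startswith("#"):
            yield word.upper(), args.strip()

def audit(text):
    findings, user, health = [], "root", False
    for ins, args in instructions(text):
        if ins == "FROM":  # new build stage; base image assumed root, no health check
            user, health = "root", False
        elif ins == "USER":
            user = args.split(":")[0]
        elif ins == "HEALTHCHECK":
            health = args.upper() != "NONE"
        elif ins == "ADD":
            findings.append(f"ADD source must be trusted: {args}")
        elif ins in ("ENV", "ARG") and SECRET.search(args.split("=")[0]):
            findings.append(f"{ins} carries sensitive information: {args.split('=')[0]}")
        elif ins == "RUN":
            if UPDATE.search(args) and not INSTALL.search(args):
                findings.append(f"update instruction used alone: {args}")
            if SSH.search(args):
                findings.append(f"SSH service installed or started: {args}")
    if user in ("root", "0"):
        findings.append("final stage runs as root")
    if not health:
        findings.append("no HEALTHCHECK instruction")
    return findings

# Constructed sample Dockerfile, for illustration only.
SAMPLE = """FROM centos
RUN yum update -y
ADD https://example.com/app.tar.gz /opt/
ENV DB_PASSWORD=changeme
RUN yum install -y openssh-server \\
    && yum clean all
"""

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

Findings name the offending variable but never echo its value. The runtime items in the list (read-only root file system, docker.sock mounts, resource quotas, namespaces) are set when the container is started and are outside what this file-level check can see.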