Security Hardening During Docker Container Running
To run containers securely, configure the following items according to service requirements. For details, see the official Docker documentation.
- Enable AppArmor. You can specify an AppArmor profile when running the container; AppArmor applies the profile's security policies to protect the Linux system and applications. Before enabling AppArmor for containers, enable the AppArmor function of the Linux kernel.
- Enable SELinux. You can specify SELinux labels when running the container to improve security. Before enabling this function, start the Docker daemon with --selinux-enabled so that the configuration takes effect.
- Enable live restore. Set --live-restore on the Docker daemon so that running containers depend less on the daemon and survive a daemon restart.
- Set system resource quotas for the container to prevent the container from exhausting the resources. System resources include but are not limited to CPU and memory.
- Do not run untrusted applications in the container.
- Do not listen to unnecessary ports in the container.
- Configure a proper CPU priority for the container.
- Mount the root file system of the container in read-only mode.
- Bind inbound container traffic to a specific host interface, that is, specify a host IP address in the container's port mapping.
- If a container whose port mapping binds to all interfaces (0.0.0.0) was deployed in an earlier AtlasEdge version, then after the version is updated and the container is migrated, a listener on all host interfaces still exists on the host, which poses a security risk. You are advised to change the host IP address mapped to the container port and redeploy the container.
- Limit the number of open file handles and processes (forks) available to the running container.
- Enable authentication and encrypted transmission for container service ports that listen externally, to prevent service data from being stolen.
- Do not run the SSH server in the container.
- Do not share host namespaces with the container, including the network namespace, UTS namespace, and user namespace.
- Do not mount docker.sock (the Docker daemon socket) into the container.
- Do not pass sensitive information through environment variables or ConfigMaps during container deployment, to avoid leaking sensitive data.
- Ensure that no user is added to the docker user group; membership in that group grants root-equivalent control of the host.
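The following audit script is an added example, not part of this document or of Docker: it checks the output of `docker inspect` against the items above (read-only root file system, shared host namespaces, resource limits, AppArmor confinement, all-interface port mappings, a mounted docker.sock, and secret-looking environment variables). The container record below is constructed, contains only the fields the audit reads, and the field names are the ones `docker inspect` emits; call `audit_container` on each element of `json.loads(docker inspect output)`.

```python
import re

# Constructed sample of one entry from `docker inspect` after json.loads; not captured
# from a real system, and only the fields the audit reads are present.
# This container violates several checklist items on purpose.
WEAK_CONTAINER = {
    "Name": "/edge-app",
    "Config": {"Env": ["APP_MODE=prod", "DB_PASSWORD=example-only"]},
    "HostConfig": {
        "ReadonlyRootfs": False, "NetworkMode": "host",
        "PidMode": "", "UTSMode": "", "UsernsMode": "",
        "Memory": 0, "PidsLimit": None,
        "SecurityOpt": ["apparmor=unconfined"],
        "PortBindings": {"8080/tcp": [{"HostIp": "0.0.0.0", "HostPort": "8080"}]},
        "Binds": ["/var/run/docker.sock:/var/run/docker.sock"],
    },
}

# Environment variable names that usually carry credentials.
SECRET_NAME = re.compile(r"pass|secret|token|key", re.I)


def audit_container(c: dict) -> list:
    """Return one finding per violated checklist item; [] means the container passed."""
    name, cfg, hc = c["Name"], c["Config"], c["HostConfig"]
    findings = []
    if not hc.get("ReadonlyRootfs"):
        findings.append(f"{name}: root filesystem is writable (run with --read-only)")
    for mode in ("NetworkMode", "PidMode", "UTSMode", "UsernsMode"):
        if hc.get(mode) == "host":  # "host" means the namespace is shared with the host
            findings.append(f"{name}: shares the host {mode[:-4]} namespace")
    if not hc.get("Memory"):
        findings.append(f"{name}: no memory limit (set --memory)")
    if not hc.get("PidsLimit"):
        findings.append(f"{name}: no process limit (set --pids-limit)")
    if "apparmor=unconfined" in (hc.get("SecurityOpt") or []):
        findings.append(f"{name}: AppArmor confinement is disabled")
    for port, binds in (hc.get("PortBindings") or {}).items():
        if any(b.get("HostIp") in ("", "0.0.0.0", "::") for b in binds):
            findings.append(f"{name}: port {port} is mapped on all host interfaces")
    for bind in hc.get("Binds") or []:
        if bind.split(":")[0].endswith("docker.sock"):
            findings.append(f"{name}: docker.sock is mounted into the container")
    for env in cfg.get("Env") or []:
        key = env.split("=", 1)[0]
        if SECRET_NAME.search(key):
            findings.append(f"{name}: environment variable {key} looks like a secret")
    return findings
```

Running `audit_container(WEAK_CONTAINER)` reports eight findings; a container started with the checklist applied (read-only root, bridge network, memory and PID limits, a named AppArmor profile, a host IP in the port mapping, no docker.sock bind, no secrets in the environment) returns an empty list.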