Docker Security Operations

This section covers some of the operational security aspects of Docker deployments. These are best practices that should be followed. Most of the recommendations here are reminders that organizations should extend their existing security best practices and policies to cover containers.

Avoid Container Sprawl

The flexibility of containers makes it easy to run multiple instances of applications, which indirectly leads to Docker images that exist at varying security patch levels. It also means that you are consuming host resources that could otherwise have been used for running ‘useful’ containers. Having more than a manageable number of containers on a particular host leaves it vulnerable to mishandling, misconfiguration and fragmentation. Thus, avoid container sprawl and keep the number of containers on a host to a manageable total.

$ docker info
Containers: 5
Images: 21
Server Version: 1.9.1
Storage Driver: aufs
 Root Dir: /var/lib/docker/aufs
 Backing Filesystem: extfs
 Dirs: 31
 Dirperm1 Supported: true
Execution Driver: native-0.2
Logging Driver: json-file
Kernel Version: 4.2.0-16-generic
Operating System: Ubuntu 15.10
CPUs: 1
Total Memory: 975.4 MiB
Name: ubuntu
ID: WLYI:SQ6A:OHOM:MBQJ:W67Z:JRQS:ZW4A:QSTI:7MWR:P5H7:PYTM:GG3S
WARNING: No swap limit support

$ docker ps
CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS               NAMES

As we can see above, the docker info command reports “5” containers, but there are actually no running containers. The remaining containers, which are not running but still occupy space on the host and contribute to container sprawl, can be listed as shown below.

$ docker ps -a
CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS                           PORTS                           NAMES
08c82f15168a        centos              "bash"                   About an hour ago   Exited (127) About an hour ago                                   awesome_hamilton
34e34a535497        nginx               "nginx -g 'daemon off"   About an hour ago   Exited (137) About an hour ago   443/tcp, 0.0.0.0:4915->80/tcp   drunk_franklin
df006460c9d1        centos              "bash"                   3 hours ago         Exited (0) 3 hours ago                                           amazing_goldstine
39fc070bf79d        nginx               "nginx -g 'daemon off"   3 hours ago         Exited (0) About an hour ago                                     stupefied_mccarthy
30184533bb3c        hello-world         "/hello"                 5 hours ago         Exited (0) 5 hours ago                                           furious_joliot

It is always advisable to run a container with the “--rm” option so that when you exit the container it is also removed from the host. As shown below, the container is not listed by “docker ps -a” after the exit:

$ docker run --rm=true -it vkohli
[test@411323c15f38 /]$ ls
bin  etc   lib    lost+found  mnt  proc  run   srv  tmp  var
dev  home  lib64  media       opt  root  sbin  sys  usr
[test@411323c15f38 /]$ exit
exit

$ docker ps -a
CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS                           PORTS                           NAMES
08c82f15168a        centos              "bash"                   About an hour ago   Exited (127) About an hour ago                                   awesome_hamilton
34e34a535497        nginx               "nginx -g 'daemon off"   About an hour ago   Exited (137) About an hour ago   443/tcp, 0.0.0.0:4915->80/tcp   drunk_franklin
df006460c9d1        centos              "bash"                   3 hours ago         Exited (0) 3 hours ago                                           amazing_goldstine
39fc070bf79d        nginx               "nginx -g 'daemon off"   3 hours ago         Exited (0) About an hour ago                                     stupefied_mccarthy
30184533bb3c        hello-world         "/hello"                 5 hours ago         Exited (0) 5 hours ago                                           furious_joliot

To remove all the non-running containers from the host, the following command can be used:

$ docker rm `docker ps --no-trunc -aq`
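The command above hands every container ID to docker rm and relies on docker rm refusing running containers (it prints an error for each one and leaves it in place). The following script is an added example, not part of the original text: it selects only non-running containers from "docker ps -a --format" output, which also gives a quick sprawl count for a host audit. It assumes a Docker CLI that supports --format; the sample_ps output is constructed (two of its IDs are invented, the rest come from the listing above).

```shell
#!/bin/sh
# Audit container sprawl from "docker ps -a" output and remove only the
# containers that are not running. Added example; assumes the Docker CLI's
# --format flag with the fields {{.ID}}, {{.Status}} and {{.Names}}.

# Constructed sample in the shape of
#   docker ps -a --format '{{.ID}}\t{{.Status}}\t{{.Names}}'
# a1b2c3d4e5f6 and deadbeef0000 are invented IDs for a running and a
# never-started container; the others are from the listing on this page.
sample_ps() {
    printf '%s\t%s\t%s\n' \
        08c82f15168a 'Exited (127) About an hour ago' awesome_hamilton \
        34e34a535497 'Exited (137) About an hour ago' drunk_franklin \
        a1b2c3d4e5f6 'Up 2 hours' web_live \
        df006460c9d1 'Exited (0) 3 hours ago' amazing_goldstine \
        deadbeef0000 'Created' never_started
}

# Print the IDs of containers that are not running (Exited, Created, Dead).
# Reads tab-separated "docker ps -a --format" lines on stdin.
stopped_ids() {
    awk -F'\t' '$2 ~ /^(Exited|Created|Dead)/ { print $1 }'
}

# Count the non-running containers on stdin: a simple sprawl indicator
# to compare against the "Containers:" line of "docker info".
stopped_count() {
    stopped_ids | wc -l | tr -d ' '
}

# Remove the non-running containers on the live host. docker rm without -f
# refuses running containers, so a running one is never touched even if
# the status filter above ever misses a case.
prune_stopped() {
    ids=$(docker ps -a --format '{{.ID}}\t{{.Status}}\t{{.Names}}' | stopped_ids)
    [ -n "$ids" ] && echo "$ids" | xargs docker rm
}
```

Running sample_ps | stopped_count reports 4 of the 5 sample containers as removable, and prune_stopped applies the same selection to the real host.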