@tbhaxor
Last active May 18, 2022 14:03
Docker best practices for container, engine api and registry
# docker engine
the docker unix socket should run with appropriate permissions: owned by root, group docker, mode 660 (membership of the docker group is equivalent to root on the host)
allow only authorized users to have the
the daemon can listen on a unix socket and a tcp socket at the same time
the unix socket is the more secure choice for a private (single-host) docker setup
if the tcp socket must be exposed, protect it with tls and client-certificate authentication (--tlsverify), never plain tcp
put a firewall (or a docker authorization plugin) in front of the tcp endpoint and configure it properly
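An added example (not part of the gist) for the engine notes above: a check for the socket's owner/group/mode, and a hardened daemon.json that offers TCP only with TLS client-certificate verification. The certificate paths under /etc/docker/certs are assumed; point them at your own PKI.

```shell
#!/bin/sh
# Added example, not part of the gist: lock down the engine's listeners.
# The certificate paths under /etc/docker/certs are assumed; point them at your PKI.

# socket_perms_ok OWNER GROUP MODE
# Returns 0 when a docker.sock with these attributes is acceptable: owned by
# root, group "docker", and mode 660 or stricter (no world access, group at most rw).
# Anyone in the docker group is effectively root on the host, so no other group is allowed.
socket_perms_ok() {
    [ "$1" = "root" ] || return 1
    [ "$2" = "docker" ] || return 1
    case "$3" in
        [0-7][0246]0) return 0 ;;   # e.g. 660, 640, 600
        *)            return 1 ;;   # e.g. 666 (world-writable) or 770
    esac
}

# check_docker_sock [PATH]: audit the live socket with GNU stat.
check_docker_sock() {
    sock=${1:-/var/run/docker.sock}
    attrs=$(stat -c '%U %G %a' "$sock") || return 2
    set -- $attrs
    if socket_perms_ok "$1" "$2" "$3"; then
        echo "ok:   $sock $1:$2 $3"
    else
        echo "WEAK: $sock $1:$2 $3"
        return 1
    fi
}

# write_daemon_json DIR: hardened /etc/docker/daemon.json.
# TCP is only offered with --tlsverify semantics (clients must present a cert
# signed by ca.pem), uid 0 in containers is remapped by default, and
# no-new-privileges blocks setuid escalation inside containers.
write_daemon_json() {
    cat > "$1/daemon.json" <<'EOF'
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/certs/ca.pem",
  "tlscert": "/etc/docker/certs/server-cert.pem",
  "tlskey": "/etc/docker/certs/server-key.pem",
  "userns-remap": "default",
  "no-new-privileges": true
}
EOF
}

# Usage (as root): write_daemon_json /etc/docker && systemctl restart docker && check_docker_sock
```

On systemd-managed hosts the stock unit already passes `-H fd://` to dockerd, which conflicts with a `hosts` key in daemon.json; either drop the `-H` from the unit with an override or leave `hosts` out of the file and keep the listeners on the command line.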
# in container
do not give excessive capabilities or --privileged access; drop all capabilities and add back only the ones the workload needs
refrain from bind mounts; use volumes
do not run as the root user (if a vulnerability is found, escaping to the host is harder from an unprivileged uid)
do not mount the docker socket or expose the engine's tcp endpoint inside the container (either one is root on the host)
use user namespace remapping (map uid 0 in the container to an unprivileged, otherwise unused uid range on the host)
run containers confined by apparmor and seccomp profiles (do not disable the defaults with --security-opt seccomp=unconfined / apparmor=unconfined)
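An added example (not part of the gist) for the container notes above: an over-privileged `docker run` next to a hardened one, and a small audit over the command line that flags each of the mistakes listed. The image name example/app:1.0, the uid 10001 and the paths are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the gist: a weak `docker run` next to a hardened one,
# and a small audit that flags the container-side mistakes listed above.
# The image name example/app:1.0, the uid 10001 and the paths are constructed.

# Typical over-privileged invocation: root in the container, every capability and
# device via --privileged, host paths bind-mounted, and the engine socket exposed.
WEAK_RUN='docker run -d --privileged -v /var/run/docker.sock:/var/run/docker.sock -v /data:/data example/app:1.0'

# Hardened: unprivileged uid, all capabilities dropped and only the needed one added
# back, setuid escalation blocked, read-only rootfs with a tmpfs for scratch space,
# a named volume instead of a bind mount, and the default seccomp/apparmor profiles
# left in place (no ...=unconfined).
HARD_RUN='docker run -d --user 10001:10001 --cap-drop ALL --cap-add NET_BIND_SERVICE'
HARD_RUN="$HARD_RUN --security-opt no-new-privileges --read-only --tmpfs /tmp"
HARD_RUN="$HARD_RUN --mount type=volume,source=appdata,target=/data example/app:1.0"

_finding() { echo "finding: $1"; findings=$((findings + 1)); }

# audit_run CMD: print one line per problem, return 0 only when none were found.
audit_run() {
    findings=0
    cmd=" $1 "    # pad so flags can be matched as whole words
    case "$cmd" in *" --privileged "*) _finding "--privileged grants all capabilities and host devices" ;; esac
    case "$cmd" in *" --cap-add ALL "*|*" --cap-add=ALL "*) _finding "--cap-add ALL re-grants every capability" ;; esac
    case "$cmd" in *"docker.sock"*|*"tcp://"*) _finding "engine socket/tcp endpoint reachable from the container (root on the host)" ;; esac
    case "$cmd" in *" -v /"*|*" --volume /"*|*"type=bind"*) _finding "host path bind-mounted; prefer a named volume" ;; esac
    case "$cmd" in *" --user "*|*" --user="*|*" -u "*) ;; *) _finding "no --user: process runs as uid 0 in the container" ;; esac
    case "$cmd" in *"seccomp=unconfined"*|*"apparmor=unconfined"*) _finding "default seccomp/apparmor confinement disabled" ;; esac
    case "$cmd" in *" --userns=host "*|*" --userns host "*) _finding "user namespace remapping bypassed" ;; esac
    [ "$findings" -eq 0 ]
}

# Usage:
#   audit_run "$WEAK_RUN"   # prints 4 findings, exits 1
#   audit_run "$HARD_RUN"   # prints nothing, exits 0
```

The audit is deliberately string-based so it can sit in a CI step over Makefiles or compose-generated commands; it does not replace reading the image's own entrypoint, which can still call setuid binaries unless no-new-privileges is set.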
# for registry
enforce content trust on the client so only signed images are pulled: export DOCKER_CONTENT_TRUST=1
serve the registry only over tls and add (htpasswd) basic authentication
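An added example (not part of the gist) for the registry notes above: a config.yml for the distribution/registry image that answers only over TLS and requires htpasswd authentication, a check that both are present, and the client-side pull with content trust switched on. The hostname registry.example.internal, the certificate paths and the credentials are constructed.

```shell
#!/bin/sh
# Added example, not part of the gist: a private registry that only answers over
# TLS and requires htpasswd (basic) authentication, plus the client side with
# content trust on. Hostname, certificate paths and credentials are constructed.

# write_registry_config DIR: config.yml for the distribution/registry image.
# Without the http.tls block the registry speaks plaintext and the basic-auth
# credentials would cross the wire unprotected; without auth anyone can push.
write_registry_config() {
    cat > "$1/config.yml" <<'EOF'
version: 0.1
storage:
  filesystem:
    rootdirectory: /var/lib/registry
http:
  addr: 0.0.0.0:5000
  tls:
    certificate: /certs/registry.crt
    key: /certs/registry.key
auth:
  htpasswd:
    realm: private-registry
    path: /auth/htpasswd
EOF
}

# registry_config_ok FILE: 0 only when both a TLS key pair and htpasswd auth are configured.
registry_config_ok() {
    grep -q '^    certificate: ' "$1" && grep -q '^    key: ' "$1" || { echo "no tls"; return 1; }
    grep -q '^  htpasswd:' "$1" || { echo "no auth"; return 1; }
}

# make_htpasswd DIR USER PASSWORD: the registry only accepts bcrypt entries, hence -B.
# (htpasswd ships with apache2-utils / httpd-tools.)
make_htpasswd() {
    htpasswd -Bbn "$2" "$3" > "$1/htpasswd"
}

# Server (assumed layout: ./certs, ./auth and ./config.yml side by side):
#   docker run -d -p 5000:5000 --name registry \
#     -v "$PWD/config.yml:/etc/docker/registry/config.yml" \
#     -v "$PWD/certs:/certs" -v "$PWD/auth:/auth" registry:2
# Client: with content trust on, the pull fails unless the tag carries a valid signature.
#   export DOCKER_CONTENT_TRUST=1
#   docker login registry.example.internal:5000
#   docker pull registry.example.internal:5000/app:1.0
```

Basic auth on its own only identifies who pushed; DOCKER_CONTENT_TRUST=1 on the consumer side is what stops a tag that was overwritten in the registry from being run.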