Docker best practices for container, engine api and registry
# docker engine
the docker unix socket (/var/run/docker.sock) should be owned by root:docker with mode 0660, so that only root and members of the docker group can reach it
allow only authorized users to have access to the socket (docker group membership): anyone who can talk to the socket is effectively root on the host
the daemon can listen on a unix socket and a tcp socket at the same time
the unix socket alone is the more secure choice for a private, single-host docker setup
if you must expose the tcp socket, enable tls with client certificate verification (tlsverify); never expose it unauthenticated on the plain port 2375
install a firewall plugin (or host firewall rules) and configure it properly, so the api port is reachable only from trusted addresses
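As an added example (not part of the gist), the shell below renders a daemon.json that keeps the unix socket, exposes tcp only behind tls client-cert verification, and turns on userns-remap from the container section, then checks an existing daemon.json for the unauthenticated-tcp mistake. The cert paths under /etc/docker/certs and the userns-remap value "default" are assumptions; substitute your own CA, server cert and key.

```shell
#!/bin/sh
# Added example, not the gist's own code. Renders a hardened daemon.json and
# audits one for a tcp listener that is not protected by tlsverify.
# Assumed paths: /etc/docker/certs/{ca,server-cert,server-key}.pem.

# Print a hardened /etc/docker/daemon.json to stdout.
# - unix socket stays; tcp listens on 2376 (the conventional tls port)
# - tlsverify requires a client cert signed by tlscacert on every api call
# - userns-remap "default" makes the daemon create the dockremap user/ranges
# - no-new-privileges blocks setuid escalation inside containers
hardened_daemon_json() {
    cat <<'EOF'
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
  "tls": true,
  "tlsverify": true,
  "tlscacert": "/etc/docker/certs/ca.pem",
  "tlscert": "/etc/docker/certs/server-cert.pem",
  "tlskey": "/etc/docker/certs/server-key.pem",
  "userns-remap": "default",
  "no-new-privileges": true
}
EOF
}

# Return 0 if the daemon.json at $1 has a tcp host entry but no
# "tlsverify": true, i.e. the api is reachable over the network without
# client authentication. Returns 1 otherwise.
# Caveat: this is a line-oriented grep over a one-file daemon.json, not a
# JSON parser; it will not understand minified or multi-file configs.
daemon_json_exposes_plain_tcp() {
    grep -q '"tcp://' "$1" || return 1
    grep -q '"tlsverify"[[:space:]]*:[[:space:]]*true' "$1" && return 1
    return 0
}

# usage:
#   hardened_daemon_json > /etc/docker/daemon.json
#   daemon_json_exposes_plain_tcp /etc/docker/daemon.json && echo "tcp api without tlsverify!"
```

On systemd installs dockerd is started with `-H fd://` in the unit file, which conflicts with a `hosts` key in daemon.json and stops the daemon from starting; either remove the `-H` via a drop-in override or configure the listeners in the unit instead. After restarting, `ls -l /var/run/docker.sock` should show `srw-rw---- root docker`.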
# in container
do not grant excessive capabilities or run with --privileged; drop all capabilities and add back only the ones the workload needs
avoid bind mounts of host paths, use named volumes
do not run as root inside the container (if a vulnerability is found, escaping is much harder from an unprivileged user)
do not mount the docker socket, or point at the docker tcp api, from inside a container: that is equivalent to root on the host
enable user namespace remapping (userns-remap), so uid 0 inside the container maps to a high, otherwise unused uid on the host with no matching account
confine containers with apparmor and seccomp profiles (keep the default profiles at minimum, never use unconfined)
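The points above applied to one `docker run`, as an added example that is not from the gist: one function builds the hardened argument list, and a second one audits any `docker run` line for the flags the list says to avoid. The image name, the `appdata` volume, the seccomp profile path and the `docker-app` apparmor profile name are assumptions.

```shell
#!/bin/sh
# Added example, not the gist's own code. Hardened `docker run` flags plus an
# audit of a command line for the dangerous ones.
# Assumed: /etc/docker/seccomp-app.json exists and an apparmor profile named
# docker-app is loaded; adjust both to your environment.

# Print the hardened flags followed by the image ($1), space separated, so the
# caller can do: docker run $(hardened_run_args example/app:1.0)
hardened_run_args() {
    printf '%s ' \
        --rm \
        --user 1000:1000 \
        --cap-drop ALL \
        --cap-add NET_BIND_SERVICE \
        --security-opt no-new-privileges \
        --security-opt seccomp=/etc/docker/seccomp-app.json \
        --security-opt apparmor=docker-app \
        --read-only \
        --tmpfs /tmp:rw,noexec,nosuid \
        --mount type=volume,source=appdata,target=/data \
        --pids-limit 256
    printf '%s\n' "$1"
}

# Return 0 if the docker run line in $1 contains none of the risky flags,
# otherwise print each offending pattern and return 1.
# Patterns are basic regexes; "[= ]" accepts both --flag=value and --flag value.
audit_run_line() {
    line="$1"
    bad=0
    for pat in '--privileged' \
               '--cap-add[= ]ALL' \
               '--cap-add[= ]SYS_ADMIN' \
               '--pid[= ]host' \
               '--net[= ]host' \
               '--network[= ]host' \
               '--userns[= ]host' \
               'docker\.sock' \
               '--security-opt[= ]seccomp[= ]unconfined' \
               '--security-opt[= ]apparmor[= ]unconfined'; do
        if printf '%s\n' "$line" | grep -q -e "$pat"; then
            printf 'risky flag: %s\n' "$pat"
            bad=1
        fi
    done
    return $bad
}

# usage:
#   docker run $(hardened_run_args example/app:1.0)
#   audit_run_line "$(cat some-run-script.sh)" || echo "review this script"
```

`--user 1000:1000` only helps if the image's files are readable by that uid; set `USER` in the Dockerfile as well so the default is unprivileged even when someone forgets the flag. The audit function is a coarse grep, useful for CI over shell scripts and compose-generated commands, not a substitute for reviewing the daemon's `userns-remap` and default profiles.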
# for registry
trust registry content: export DOCKER_CONTENT_TRUST=1 so the client refuses unsigned images on pull, run and build
serve the registry over tls and add authentication (e.g. htpasswd basic auth); basic auth without tls sends credentials in the clear
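An added example, not from the gist, of running the private registry with tls and htpasswd basic auth, plus a check for the one mistake that bites most people: the registry's htpasswd backend accepts only bcrypt entries, so a file created with a plain `htpasswd -c` (md5) makes every login fail. The paths under /srv/registry, the `registry-data` volume and the realm string are assumptions.

```shell
#!/bin/sh
# Added example, not the gist's own code. Registry with tls + htpasswd auth,
# and a bcrypt-only check of the htpasswd file.
# Assumed: /srv/registry/certs/registry.{crt,key} and /srv/registry/auth/htpasswd.

# Print the `docker run` line for the registry. The env vars are the
# registry:2 configuration keys for tls and the htpasswd auth backend.
registry_run_cmd() {
    cat <<'EOF'
docker run -d --name registry --restart=always -p 443:5000 \
  -v /srv/registry/certs:/certs:ro \
  -v /srv/registry/auth:/auth:ro \
  -v registry-data:/var/lib/registry \
  -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/registry.crt \
  -e REGISTRY_HTTP_TLS_KEY=/certs/registry.key \
  -e REGISTRY_AUTH=htpasswd \
  -e "REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm" \
  -e REGISTRY_AUTH_HTPASSWD_PATH=/auth/htpasswd \
  registry:2
EOF
}

# Append a bcrypt entry for user $2 to the htpasswd file $1.
# -B selects bcrypt (required by the registry), -b takes the password from
# the argument, -n prints to stdout instead of editing a file in place.
# htpasswd ships with apache2-utils / httpd-tools.
make_htpasswd_entry() {
    htpasswd -Bbn "$2" "$3" >> "$1"
}

# Return 0 if the htpasswd file at $1 is non-empty and every non-blank line
# is a bcrypt entry (user:$2a$/$2b$/$2y$...), 1 otherwise. md5 ($apr1$) or
# {SHA} entries are rejected by the registry at login time, not at startup,
# so this check is the only early warning you get.
htpasswd_is_bcrypt_only() {
    [ -s "$1" ] || return 1
    if grep -v '^[[:space:]]*$' "$1" | grep -q -v '^[^:][^:]*:\$2[aby]\$'; then
        return 1
    fi
    return 0
}

# usage:
#   make_htpasswd_entry /srv/registry/auth/htpasswd alice 's3cret'
#   htpasswd_is_bcrypt_only /srv/registry/auth/htpasswd || echo "non-bcrypt entries present"
#   registry_run_cmd | sh
#   export DOCKER_CONTENT_TRUST=1   # client refuses unsigned tags from now on
```

DOCKER_CONTENT_TRUST=1 is a client-side setting: it only protects the shell it is exported in, and it needs a notary/trust server reachable for the registry, so set it in CI and on every host that pulls, not just on the machine that pushes.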