Differences between revisions 1 and 2
Revision 1 as of 2021-03-16 01:44:41
Size: 871
Comment:
Revision 2 as of 2023-04-05 16:05:33
Size: 1083
Comment:
Deletions are marked like this. Additions are marked like this.
Line 11: Line 11:
== Running as Non-Root ==

----



== Rootless Mode ==

It is furthermore possible to avoid the use of `root` entirely. This requires extensive configuration.

TODO: copy from Arch Wiki

----


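Review bot: the Rootless Mode section added in this hunk is only a heading and a "TODO: copy from Arch Wiki" placeholder, so the revision now states that avoiding root "requires extensive configuration" while documenting none of it; either add the setup steps before publishing or keep the section as a one-line stub without the TODO. The Running as Non-Root heading immediately above it is likewise empty in this revision (heading, then a `----` rule).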
Line 15: Line 31:
To disable this functionality (note: unsupported), set `iptables` to `false` in the Docker engine configuration file (`/etc/docker/daemon.json`). To disable this functionality (again: unsupported), set `iptables` to `false` in the Docker engine configuration file (`/etc/docker/daemon.json`).

Security

Docker is a clean interface on top of a messy system. There are a number of security 'gotchas' to be aware of.


Running as Non-Root


Rootless Mode

It is furthermore possible to avoid the use of root entirely. This requires extensive configuration.

TODO: copy from Arch Wiki


Exposed Ports

Docker necessarily interferes with iptables: the only supported mode of operation is for it to install two chains (DOCKER-USER and DOCKER) that are evaluated ahead of all other rules. Docker populates the DOCKER chain itself; DOCKER-USER is left empty for any local rules that must be evaluated first.

To disable this functionality (again: unsupported), set iptables to false in the Docker engine configuration file (/etc/docker/daemon.json).

To restrict access to a container, try:

iptables -I DOCKER-USER -i ext_if ! -s 192.168.1.0/24 -j DROP

The -s source match can be either a specific address or a subnet, as shown above; ext_if stands for the host's external interface.
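As an added example (not the wiki's own content), the following shell functions generate a DOCKER-USER allowlist for several source networks and check an iptables rule dump for the restriction. It goes beyond the page's single rule by adding a conntrack RETURN, since a bare interface-scoped DROP would also drop replies to connections the containers themselves open. eth0, 10.0.0.0/8 and the sample dumps are assumed placeholders; 192.168.1.0/24 is the network from the page's rule.

```shell
#!/bin/sh
# Added example, not code from the wiki page.
# Assumptions: "eth0" and 10.0.0.0/8 are placeholders; 192.168.1.0/24 is the
# network used by the page's own rule; the sample dumps below are constructed.

# docker_user_allowlist IFACE NET [NET ...]
# Prints the iptables commands for a DOCKER-USER allowlist. Because -I inserts
# at the top, commands are printed in reverse evaluation order: the catch-all
# DROP first, one RETURN per allowed network above it, and a conntrack RETURN
# on top so replies to connections the containers opened themselves (which also
# arrive on IFACE, from arbitrary sources) are not dropped.
# RETURN rather than ACCEPT hands the packet back to Docker's own DOCKER chain,
# so even allowed networks only reach published ports.
docker_user_allowlist() {
  iface=$1
  shift
  echo "iptables -I DOCKER-USER -i $iface -j DROP"
  for net in "$@"; do
    echo "iptables -I DOCKER-USER -i $iface -s $net -j RETURN"
  done
  echo "iptables -I DOCKER-USER -i $iface -m conntrack --ctstate RELATED,ESTABLISHED -j RETURN"
}

# docker_user_restricted IFACE
# Reads 'iptables -S DOCKER-USER' output on stdin; returns 0 when an
# interface-scoped DROP is present, 1 when published ports are world-reachable.
docker_user_restricted() {
  grep -q -- "^-A DOCKER-USER -i $1 .*-j DROP"
}

# Constructed sample of 'iptables -S DOCKER-USER' on a host that applied the
# page's rule; the trailing RETURN is what Docker installs by default.
SAMPLE_RESTRICTED='-N DOCKER-USER
-A DOCKER-USER -i eth0 ! -s 192.168.1.0/24 -j DROP
-A DOCKER-USER -j RETURN'

# Constructed sample of a fresh install: nothing but Docker's default RETURN.
SAMPLE_OPEN='-N DOCKER-USER
-A DOCKER-USER -j RETURN'

docker_user_allowlist eth0 192.168.1.0/24 10.0.0.0/8
printf '%s\n' "$SAMPLE_RESTRICTED" | docker_user_restricted eth0 && echo "eth0: restricted"
printf '%s\n' "$SAMPLE_OPEN" | docker_user_restricted eth0 || echo "eth0: DOCKER-USER has no DROP, published ports are open"
```

Run the printed commands as root to apply them; the check function can be fed the live `iptables -S DOCKER-USER` output in the same way as the samples.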


CategoryRicottone

Docker/Security (last edited 2023-04-05 16:49:04 by DominicRicottone)