Differences between revisions 3 and 4
Revision 3 as of 2023-04-05 16:07:04 (size 1162, no edit comment)
Revision 4 as of 2023-04-05 16:26:12 (size 1801, no edit comment)
Security

Docker's default deployment, and the one its documentation assumes, is a root daemon that also takes full control of the host's packet filtering. Two departures from that default close real security gaps: running the daemon and its containers without root (rootless mode, a generally available feature since Docker Engine 20.10), and taking iptables management away from Docker. Each costs features, and the second is one Docker explicitly does not support, so the replacement firewall rules become your responsibility.


Rootless Mode

Rootless mode goes further and runs both the daemon and the containers as an unprivileged user inside a user namespace, so a container escape lands in that user's account rather than in root. It needs more setup than the default install, and some features are unavailable or restricted: overlay networks are not supported, and publishing host ports below 1024 requires lowering net.ipv4.ip_unprivileged_port_start first.

On Arch Linux, install the fuse-overlayfs and slirp4netns packages as well as the docker-rootless-extras AUR package.

On Debian or Ubuntu, install the uidmap, dbus-user-session, fuse-overlayfs, and slirp4netns packages. Ensure that slirp4netns --version reports v0.4.0 or later.

Give the user a range of subordinate UIDs in /etc/subuid. Each line is a user name, the first UID of the range, and the number of UIDs; Docker needs at least 65536 of them, and the range must neither overlap another user's range nor contain the user's own UID.

somebody:165536:65536

Configure /etc/subgid the same way, in the same format, for subordinate GIDs:

somebody:165536:65536

Enable docker.socket (the unit lives in the user's own systemd instance, so enable it as the unprivileged user with systemctl --user, not as root) and set the DOCKER_HOST environment variable to the socket path, typically unix://$XDG_RUNTIME_DIR/docker.sock. Afterwards, docker info lists rootless among its security options only when the client actually reached the rootless daemon rather than a root daemon on /var/run/docker.sock; check that before trusting the setup.
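The prerequisites above (subordinate id ranges, slirp4netns version, socket path) bundled into a preflight check, as an added example that is not code from the page or from Docker. It assumes the name:start:count format of /etc/subuid shown above, that the first line of `slirp4netns --version` output reads `slirp4netns version X.Y.Z`, systemd's `/run/user/UID` runtime directory, and that Docker's rootless installer (`dockerd-rootless-setuptool.sh install`, shipped in the rootless-extras package named in the text) is run afterwards. The sample subuid file and version string are constructed.

```shell
#!/bin/sh
# Preflight check for the rootless prerequisites described above.
# Added example, not code from the page or from Docker. Assumption: you run
# Docker's own installer afterwards (dockerd-rootless-setuptool.sh install,
# from docker-ce-rootless-extras on Docker's apt repository, docker-rootless-extras on Arch).

# check_subid_range FILE USER [UID]
# Succeed if FILE (the name:start:count format of /etc/subuid and /etc/subgid)
# gives USER at least 65536 ids, no range overlaps another user's range, and,
# when UID is given, the user's own id is not inside any subordinate range.
# Prints the reason on failure.
check_subid_range() {
  awk -F: -v u="$2" -v me="$3" -v need=65536 '
    /^[ \t]*$/ || /^[ \t]*#/ { next }                      # blank or comment
    NF != 3 || $2 !~ /^[0-9]+$/ || $3 !~ /^[0-9]+$/ {
      print "malformed line " NR ": " $0; bad = 1; next
    }
    {
      n++; name[n] = $1; start[n] = $2 + 0; cnt[n] = $3 + 0
      if (me != "" && me >= start[n] && me < start[n] + cnt[n]) {
        print "uid " me " lies inside the subordinate range of " $1; bad = 1
      }
    }
    $1 == u { total += $3; found = 1 }
    END {
      if (bad) exit 1
      if (!found) { print u ": no entry"; exit 1 }
      if (total < need) { print u ": only " total " ids, need " need; exit 1 }
      for (i = 1; i <= n; i++)
        for (j = i + 1; j <= n; j++)
          if (name[i] != name[j] &&
              start[i] < start[j] + cnt[j] && start[j] < start[i] + cnt[i]) {
            print "overlap between " name[i] " and " name[j]; exit 1
          }
      exit 0
    }' "$1"
}

# version_ge A B: succeed if dotted version A is numerically >= B.
version_ge() {
  lowest=$(printf '%s\n%s\n' "$1" "$2" | sort -t . -k1,1n -k2,2n -k3,3n | head -n 1)
  [ "$lowest" = "$2" ]
}

# slirp4netns_ok OUTPUT: OUTPUT is what `slirp4netns --version` printed;
# succeed if the reported version is at least 0.4.0.
slirp4netns_ok() {
  v=$(printf '%s\n' "$1" | awk '/^slirp4netns version/ { sub(/^v/, "", $3); print $3; exit }')
  [ -n "$v" ] || { echo "could not parse slirp4netns version"; return 1; }
  version_ge "$v" 0.4.0
}

# rootless_docker_host [UID]: the DOCKER_HOST value for the user's socket,
# from XDG_RUNTIME_DIR when set and systemd's /run/user/UID default otherwise.
rootless_docker_host() {
  printf 'unix://%s/docker.sock\n' "${XDG_RUNTIME_DIR:-/run/user/${1:-$(id -u)}}"
}

# --- Demo on constructed data (not real system files) ---
tmp=$(mktemp)
cat > "$tmp" <<'EOF'
# constructed sample in /etc/subuid format
somebody:165536:65536
other:100000:65536
EOF
check_subid_range "$tmp" somebody 1000 && echo "subuid: ok for somebody"
printf 'clash:120000:10\n' >> "$tmp"      # overlaps "other": must be rejected
check_subid_range "$tmp" somebody 1000 || echo "subuid: rejected, as it should be"
rm -f "$tmp"

sample='slirp4netns version 1.2.0
commit: 0000000 (constructed sample)'
slirp4netns_ok "$sample" && echo "slirp4netns: ok"

# On the real host, as the unprivileged user:
#   check_subid_range /etc/subuid "$(id -un)" "$(id -u)"
#   check_subid_range /etc/subgid "$(id -un)" "$(id -g)"
#   slirp4netns_ok "$(slirp4netns --version)"
#   export DOCKER_HOST="$(rootless_docker_host)"
#   docker info --format '{{.SecurityOptions}}'    # must list name=rootless
```

The overlap and own-UID checks matter because newuidmap and newgidmap refuse (or, worse, silently map the wrong ids for) ranges that collide, and a subordinate range that contains the user's real UID would make root inside the container coincide with an account that exists on the host.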


Exposed Ports

Docker manages iptables itself. In the supported configuration it creates two chains in the filter table, DOCKER-USER and DOCKER, and makes the FORWARD chain jump to them ahead of every other forwarding rule: DOCKER holds the rules Docker generates for published ports, while DOCKER-USER is created empty (a single RETURN) for local rules that must be evaluated before Docker's own. Because traffic to a published port is DNATed and forwarded rather than delivered to the host, rules in the INPUT chain, including those maintained by ufw or firewalld, never see it; restrictions on published ports belong in DOCKER-USER.

To stop Docker from managing iptables at all (again: unsupported), set iptables to false in the Docker engine configuration file (/etc/docker/daemon.json). Docker's documentation warns that this is not appropriate for most users: published ports and outbound NAT for containers depend on the rules Docker would have created, so they have to be recreated by hand, and Docker still installs some rules regardless.

To restrict access to a container's published ports, insert a rule at the top of DOCKER-USER; ext_if stands for the name of the host's external interface (eth0, for example):

iptables -I DOCKER-USER -i ext_if ! -s 192.168.1.0/24 -j DROP

The source match (-s) can be either a specific address or a subnet, as shown above. Two caveats: the rule matches every packet arriving on ext_if from outside the subnet, including the replies to connections the containers themselves opened, so either accept RELATED,ESTABLISHED traffic ahead of it or limit the DROP to NEW connections with the conntrack match; and the rule is not persistent, so it has to be re-applied after every reboot.
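The same restriction with the reply traffic handled, plus a check that the chain is still in the right shape after a reboot, as an added example that is not from the page or from Docker. ext_if, the CIDR and the dumps of `iptables -S DOCKER-USER` are placeholders and constructed samples; the helper prints the commands rather than running them, so they are applied as root only once they look right.

```shell
#!/bin/sh
# DOCKER-USER helpers for the restriction described above. Added example,
# not code from the page or from Docker; "ext_if" and the CIDR are placeholders
# for the host's external interface and the network allowed to reach the
# published ports.

# docker_user_rules EXT_IF ALLOWED_CIDR
# Print the iptables commands (run them as root) that rebuild DOCKER-USER so
# that only ALLOWED_CIDR can open connections to published ports via EXT_IF.
# DOCKER-USER hangs off FORWARD and therefore sees both directions of every
# forwarded flow, so a bare "-i EXT_IF ! -s CIDR -j DROP" would also discard
# the replies to connections the containers opened themselves; the
# RELATED,ESTABLISHED accept in front of it keeps those working.
docker_user_rules() {
  cat <<EOF
iptables -F DOCKER-USER
iptables -A DOCKER-USER -i $1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A DOCKER-USER -i $1 ! -s $2 -j DROP
iptables -A DOCKER-USER -j RETURN
EOF
}

# audit_docker_user EXT_IF DUMP
# DUMP is the output of `iptables -S DOCKER-USER`. Succeed only if the chain
# drops traffic arriving on EXT_IF and that DROP either matches only NEW
# connections or is preceded by a RELATED,ESTABLISHED accept, with no
# unconditional ACCEPT shadowing it. Run it after a reboot: Docker recreates
# its own chains, but nothing restores what you put into DOCKER-USER.
audit_docker_user() {
  printf '%s\n' "$2" | awk -v ifc="$1" '
    /^-A DOCKER-USER / {
      n++
      if (index($0, "-i " ifc " ") && / -j DROP$/) {
        drop = n
        if (/--ctstate NEW /) newonly = 1
      }
      if (/--ctstate (RELATED,ESTABLISHED|ESTABLISHED,RELATED) -j ACCEPT$/ && !est) est = n
      if ($0 == "-A DOCKER-USER -j ACCEPT" && !blanket) blanket = n
    }
    END {
      if (!drop) { print "no DROP for traffic arriving on " ifc; exit 1 }
      if (!newonly && (!est || est > drop)) {
        print "DROP at rule " drop " is not limited to NEW connections and no RELATED,ESTABLISHED ACCEPT precedes it; container-initiated connections will break"
        exit 1
      }
      if (blanket && blanket < drop) { print "unconditional ACCEPT at rule " blanket " shadows the DROP at " drop; exit 1 }
      print "DOCKER-USER ok: DROP at rule " drop
      exit 0
    }'
}

# --- Demo on constructed data ---
docker_user_rules ext_if 192.168.1.0/24

# What `iptables -S DOCKER-USER` would show after applying the rules above
# (constructed; iptables prints matches in its own canonical order, -s before -i):
applied='-N DOCKER-USER
-A DOCKER-USER -i ext_if -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A DOCKER-USER ! -s 192.168.1.0/24 -i ext_if -j DROP
-A DOCKER-USER -j RETURN'
audit_docker_user ext_if "$applied"

# The single rule from the text on its own (constructed dump): rejected
bare='-N DOCKER-USER
-A DOCKER-USER ! -s 192.168.1.0/24 -i ext_if -j DROP
-A DOCKER-USER -j RETURN'
audit_docker_user ext_if "$bare" || true

# On the real host, as root:
#   docker_user_rules eth0 192.168.1.0/24 | sh
#   audit_docker_user eth0 "$(iptables -S DOCKER-USER)"
```

The generator flushes DOCKER-USER and rebuilds it rather than inserting with -I, which makes re-running it after a reboot idempotent but also discards anything another tool (ufw-docker, for instance) placed in that chain; if something else shares the chain, keep the -I form from the text and put the RELATED,ESTABLISHED accept in with a second -I so it ends up above the DROP.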


CategoryRicottone

Docker/Security (last edited 2023-04-05 16:49:04 by DominicRicottone)