= Docker Security =

`dockerd(8)` is only supported when used as a `root` daemon with full control over networking, but there is some merit to closing security gaps by running in an unsupported mode or configuration.

----

== Rootless Mode ==

It is furthermore possible to avoid the use of `root` entirely. This requires extensive configuration.

On [[Linux/Arch|Arch Linux]], install the `fuse-overlayfs` and `slirp4netns` packages as well as the `docker-rootless-extras` AUR package.

On [[Linux/Debian|Debian]] or [[Linux/Ubuntu|Ubuntu]], install the `uidmap`, `dbus-user-session`, `fuse-overlayfs`, and `slirp4netns` packages.

Ensure that `slirp4netns --version` reports a version greater than `v0.4.0`.

Configure `/etc/subuid` with a user name, UID range start, and UID range size, one entry per line:

{{{
somebody:165536:65536
}}}

Similarly, configure `/etc/subgid` like:

{{{
somebody:165536:65536
}}}

[[Linux/Systemd|Enable]] `docker.socket` and set the `DOCKER_HOST` environment variable to the socket path (typically `unix://$XDG_RUNTIME_DIR/docker.sock`).

----

== Exposed Ports ==

Docker necessarily interferes with `iptables`, and the only supported mode of operation is for it to install two chains (`DOCKER-USER` and `DOCKER`) which are evaluated ahead of all other rules. Docker itself uses the `DOCKER` chain, while `DOCKER-USER` exists for any local rules that must be evaluated first.

To disable this functionality (again: unsupported), set `iptables` to `false` in the Docker engine configuration file (`/etc/docker/daemon.json`).

To restrict access to a container, try:

{{{
iptables -I DOCKER-USER -i ext_if ! -s 192.168.1.0/24 -j DROP
}}}

Here `ext_if` stands for the host's external interface. The source match (`-s`) can be either a specific address or a subnet, as shown above; everything arriving on that interface from any other source is dropped before Docker's own rules see it.

----

CategoryRicottone
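A mistake in the `/etc/subuid` and `/etc/subgid` entries from the Rootless Mode section (a range that is too small, that overlaps another user's, or that sits inside the host's ordinary UID space) is easy to make by hand, so here is a small checker for that `user:start:size` format. It is an added example rather than anything from this page or from the Docker project; the 65,536 minimum is what rootless mode needs, while the other two checks and the sample file are this example's own assumptions.

```shell
#!/bin/sh
# Constructed sample of /etc/subuid (same format as /etc/subgid):
# user:start:size, one subordinate range per line.
SAMPLE_SUBUID=$(mktemp)
cat > "$SAMPLE_SUBUID" <<'EOF'
somebody:165536:65536
alice:231072:65536
bob:300000:65536
carol:250000:65536
tiny:400000:1000
low:1000:65536
EOF

# Print USER's range from FILE as "start end" (end exclusive), or nothing.
subid_range() {
    awk -F: -v u="$2" '$1 == u { print $2, $2 + $3 }' "$1"
}

# Return 0 if USER's entry in FILE is usable for rootless Docker, 1 otherwise.
# Checks: entry present; size >= 65536 (required by rootless mode); start
# >= 65536 (assumption: keep clear of ordinary host UIDs); no overlap with
# any other user's range in the same file.
check_subid() {
    file=$1; user=$2
    set -- $(subid_range "$file" "$user")
    [ $# -eq 2 ] || { echo "$user: no entry in $file"; return 1; }
    start=$1; end=$2
    if [ $((end - start)) -lt 65536 ]; then
        echo "$user: range size $((end - start)) is below 65536"; return 1
    fi
    if [ "$start" -lt 65536 ]; then
        echo "$user: range starts at $start, inside the host's ordinary UID space"; return 1
    fi
    overlap=$(awk -F: -v u="$user" -v s="$start" -v e="$end" \
        '$1 != u && $2 < e && $2 + $3 > s { print $1 }' "$file")
    if [ -n "$overlap" ]; then
        echo "$user: range $start-$end overlaps with: $(echo $overlap)"; return 1
    fi
    echo "$user: $start-$end ok"
}

check_subid "$SAMPLE_SUBUID" somebody
check_subid "$SAMPLE_SUBUID" carol || true
```

Run it against the real file with `check_subid /etc/subuid "$USER"` (and again for `/etc/subgid`) before enabling the rootless daemon.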