Security

Docker is a clean interface on top of a messy system. There are a number of security 'gotchas' to be aware of, most of them consequences of the daemon running as root and rewriting the host's firewall.


Running as Non-Root


Rootless Mode

Beyond running the processes inside a container as a non-root user, it is possible to avoid root entirely, so that the daemon itself runs as an unprivileged user. This requires extensive configuration.

TODO: copy from Arch Wiki


Exposed Ports

Docker necessarily interferes with iptables, and the only supported mode of operation is for it to install two chains (DOCKER-USER and DOCKER) which are evaluated ahead of all other rules. Docker itself uses the DOCKER chain, while DOCKER-USER exists for any local rules that must be evaluated first, before Docker's own. Traffic to a published port is forwarded to the container rather than delivered to the host, so rules written elsewhere (for instance in INPUT) do not protect it; DOCKER-USER is the place for such restrictions.

To disable this functionality (again: unsupported), set iptables to false in the Docker engine configuration file (/etc/docker/daemon.json). Docker then writes no rules at all, so forwarding and NAT for published ports and outbound container traffic must be configured by hand.

To restrict access to a container, try:

iptables -I DOCKER-USER -i ext_if ! -s 192.168.1.0/24 -j DROP

Here ext_if stands for the host's external interface name. The source given to -s can be either a specific address or a subnet, as shown above; the rule drops everything arriving on that interface for a container except traffic from the permitted source.
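The single-subnet rule above generalises to an allow-list. The following script is an added example, not from this page or from Docker: it prints (or, with APPLY=1, runs) the DOCKER-USER rules that permit a set of addresses or subnets to reach containers through the external interface and drop everything else. The interface name and the sources are placeholders chosen by the caller. It also adds a conntrack rule that the one-liner above lacks, without which replies to connections opened by the containers themselves would be dropped too.

```shell
#!/bin/sh
# Added example (not from the wiki page or from Docker). Builds a DOCKER-USER
# allow-list so that published container ports on the external interface are
# reachable only from the listed sources. IFACE and SRC values are placeholders
# supplied by the caller.

# docker_user_rules IFACE SRC [SRC...]
# Prints the iptables commands, one per line. Every command uses -I (insert at
# the top) because Docker appends its own final "-j RETURN" to DOCKER-USER and
# anything appended after that rule would never be evaluated. Since each -I
# lands above the previous one, the commands are printed in the reverse of the
# order the chain will finally have: DROP first, then the allowed sources, then
# the conntrack rule that keeps replies to container-initiated connections flowing.
docker_user_rules() {
    ifc="$1"; shift
    [ "$#" -ge 1 ] || { printf 'usage: docker_user_rules IFACE SRC [SRC...]\n' >&2; return 1; }
    for src in "$@"; do
        # IPv4 address or CIDR only; iptables does not filter IPv6 (that is ip6tables).
        case "$src" in
            *[!0-9./]*|"") printf 'rejecting source %s: not an IPv4 address/subnet\n' "$src" >&2; return 1 ;;
        esac
    done
    # Catch-all: anything arriving on the external interface and forwarded to a
    # container is dropped unless an earlier rule returns first.
    printf 'iptables -I DOCKER-USER -i %s -j DROP\n' "$ifc"
    # One RETURN per permitted source (single address or subnet); RETURN hands the
    # packet back to FORWARD, where Docker's own DOCKER chain then handles it.
    for src in "$@"; do
        printf 'iptables -I DOCKER-USER -i %s -s %s -j RETURN\n' "$ifc" "$src"
    done
    # Without this, replies to outbound connections opened by containers
    # (package downloads, API calls) would hit the DROP rule as well.
    printf 'iptables -I DOCKER-USER -i %s -m conntrack --ctstate ESTABLISHED,RELATED -j RETURN\n' "$ifc"
}

# Print the rules by default; execute them only when APPLY=1 (requires root).
# Usage: sh docker-user-rules.sh IFACE SRC [SRC...]
if [ "$#" -ge 2 ]; then
    if [ "${APPLY:-0}" = "1" ]; then
        docker_user_rules "$@" | sh -e
    else
        docker_user_rules "$@"
    fi
fi
```

Run it once without APPLY to review the generated rules, then with APPLY=1 as root. The rules are not persistent: like any iptables change they disappear at reboot, and Docker recreates DOCKER-USER empty when it starts, so the script belongs in whatever mechanism restores the host's firewall after the Docker service is up.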


CategoryRicottone