Security
Docker is only supported when used as a root daemon with full control over networking, but there is some merit to closing security gaps by running in an unsupported mode or configuration.
Running as Non-Root
Rootless Mode
It is furthermore possible to avoid the use of root entirely. This requires extensive configuration.
TODO: copy from Arch Wiki
Exposed Ports
Docker necessarily interferes with iptables, and the only supported mode of operation is for it to install two chains (DOCKER-USER and DOCKER) which are evaluated ahead of all other rules. Docker itself uses the DOCKER chain, while DOCKER-USER exists for any local rules that must be evaluated before Docker's own.
To disable this functionality (again: unsupported), set iptables to false in the Docker engine configuration file (/etc/docker/daemon.json).
To restrict access to a container, try:
iptables -I DOCKER-USER -i ext_if ! -s 192.168.1.0/24 -j DROP
The address given with -s can be either a specific address or a subnet, as shown above. Replace ext_if with the name of the host's external interface.
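To check what the rule above does to a given packet, the following added example (not part of the original page or of Docker) evaluates a DOCKER-USER listing against an inbound interface and source address. The sample listing is constructed, the function names are hypothetical, and only the -i, -s, -j and ! syntax used on this page is parsed.

```python
import ipaddress
import shlex

# Constructed sample of `iptables -S DOCKER-USER` output after the rule above
# is inserted; "ext_if" is the page's placeholder for the external interface.
SAMPLE_RULES = """\
-N DOCKER-USER
-A DOCKER-USER ! -s 192.168.1.0/24 -i ext_if -j DROP
-A DOCKER-USER -j RETURN
"""


def parse_rules(listing, chain="DOCKER-USER"):
    """Parse '-A <chain>' lines; only -i, -s, -j and '!' are understood."""
    rules = []
    for line in listing.splitlines():
        tokens = shlex.split(line)
        if tokens[:2] != ["-A", chain]:
            continue
        rule, negate, it = {}, False, iter(tokens[2:])
        for tok in it:
            if tok == "!":
                negate = True  # applies to the next match option
            elif tok == "-i":
                rule["iface"], negate = (next(it), negate), False
            elif tok == "-s":
                net = ipaddress.ip_network(next(it), strict=False)
                rule["src"], negate = (net, negate), False
            elif tok == "-j":
                rule["target"] = next(it)
            else:
                raise ValueError(f"unsupported match: {tok}")
        rules.append(rule)
    return rules


def verdict(rules, in_iface, src_ip):
    """Target of the first rule matching the packet; RETURN if none match."""
    addr = ipaddress.ip_address(src_ip)
    for rule in rules:
        iface, iface_neg = rule.get("iface", (None, False))
        src, src_neg = rule.get("src", (None, False))
        if iface is not None and (in_iface == iface) == iface_neg:
            continue  # interface condition not satisfied
        if src is not None and (addr in src) == src_neg:
            continue  # source condition not satisfied
        return rule["target"]
    return "RETURN"
```

A RETURN verdict means the packet leaves DOCKER-USER and is then evaluated by Docker's own rules; DROP means it never reaches them.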