How to secure Docker containers?

Category: Docker

Short answer

Secure Docker containers by running as non-root users, using minimal base images, dropping unnecessary capabilities, scanning for vulnerabilities, and keeping images up to date.

Steps

  1. Create a non-root user with USER in the Dockerfile.
  2. Use read-only root filesystems with --read-only.
  3. Drop capabilities with --cap-drop=ALL and add only required ones.
  4. Scan images with tools like Trivy or Clair.
  5. Enable Docker Content Trust.

Example

FROM python:3.11-slim
# Create an unprivileged system user and group for the application
RUN groupadd -r appgroup && useradd -r -g appgroup appuser
WORKDIR /app
# Copy the application with ownership set to the unprivileged user
COPY --chown=appuser:appgroup . .
# Every later instruction and the container process run as appuser, not root
USER appuser
CMD ["python", "app.py"]

Run with security options:

docker run --read-only --cap-drop=ALL --security-opt=no-new-privileges myapp
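To check that a built image and a running container actually meet the steps above (non-root USER, pinned base image, --read-only, --cap-drop=ALL, no-new-privileges and a memory limit), here is an added Python audit script that is not part of the original page. The Dockerfile text and the inspect record are constructed samples; the record is a hand-written subset of `docker inspect` output using the real HostConfig field names (ReadonlyRootfs, CapDrop, CapAdd, SecurityOpt, Memory).

```python
import json

# Constructed Dockerfile text (mirrors the example on this page).
DOCKERFILE = """\
FROM python:3.11-slim
RUN groupadd -r appgroup && useradd -r -g appgroup appuser
COPY --chown=appuser:appgroup . .
USER appuser
CMD ["python", "app.py"]
"""

# Constructed subset of `docker inspect <container>`; Memory is bytes, 0 = unlimited.
INSPECT = json.dumps([{"HostConfig": {
    "ReadonlyRootfs": True, "CapDrop": ["ALL"], "CapAdd": ["NET_BIND_SERVICE"],
    "SecurityOpt": ["no-new-privileges"], "Memory": 0}}])

def audit_dockerfile(text):
    # Findings for the non-root user and pinned-base-image steps.
    findings, user = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        instr, *rest = line.split(None, 1)
        tokens = [t for t in (rest[0].split() if rest else []) if not t.startswith("--")]
        if instr.upper() == "FROM" and tokens:
            ref = tokens[0]
            if ":" not in ref or ref.endswith(":latest"):
                findings.append(f"FROM {ref}: pin a specific tag or digest")
        elif instr.upper() == "USER" and tokens:
            user = tokens[0]  # the last USER instruction wins, as in Docker
    if user is None:
        findings.append("no USER instruction: container runs as root")
    elif user.split(":")[0] in ("root", "0"):
        findings.append(f"final USER is {user}: container runs as root")
    return findings

def audit_inspect(inspect_json):
    # Findings for the docker run flags on this page, read from HostConfig.
    host = json.loads(inspect_json)[0]["HostConfig"]
    findings = []
    if not host.get("ReadonlyRootfs"):
        findings.append("root filesystem is writable: add --read-only")
    if "ALL" not in (host.get("CapDrop") or []):
        findings.append("capabilities not dropped: add --cap-drop=ALL")
    if host.get("CapAdd"):
        findings.append(f"capabilities added back {host['CapAdd']}: confirm each is required")
    if not any(o.startswith("no-new-privileges") for o in host.get("SecurityOpt") or []):
        findings.append("missing --security-opt=no-new-privileges")
    if not host.get("Memory"):
        findings.append("no memory limit: add --memory to bound DoS impact")
    return findings
```

Run it against `docker inspect <container>` output saved to a file to get the same findings for a real container.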

Tips

  • Use seccomp profiles to restrict syscalls.
  • Run containers with resource limits to prevent DoS.
  • Keep the host Docker daemon patched and restrict API access.

Common issues

  • Running as root inside containers increases the blast radius of a compromise.
  • --read-only requires writable volumes for applications that need temp files.
  • Capability dropping can break applications that legitimately need certain privileges.