Chapter 10. Docker and security

This chapter covers

  • The level of security Docker offers out of the box
  • What Docker has done to help make it more secure
  • What other parties are doing about it
  • What other steps can be taken to ameliorate security concerns
  • How to manage users in a multi-tenant environment

As Docker makes clear in its documentation, access to the Docker API implies access to root privileges, which is why Docker must often be run with sudo, or the user must be added to a user group (which might be called docker or dockerroot) that allows access to the Docker API.

In this chapter we’re going to look at the issue of security in Docker.

10.1. Docker access and what it means

You may be wondering what sort of damage a user can do if they can run Docker. As a simple example, this command (don’t run it!) would delete all the binaries in /sbin on your host machine (if you took out the bogus --donotrunme flag):

docker run --donotrunme -v /sbin:/sbin busybox rm -rf /sbin

It’s worth pointing out that this is true even if you’re a non-root user. This command will show you the contents of the secure shadow password file from the host system:

docker run -v /etc/shadow:/etc/shadow busybox cat /etc/shadow
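Because membership of the docker (or dockerroot) group is what hands out this root-equivalent access, an administrator should be able to list exactly who holds it and confirm the API socket is not writable by everyone. The script below is an added example, not code from the book; the group-file path, the socket path and the sample group entries are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the book): audit who can reach the Docker API.
# Members of the docker/dockerroot groups can bind-mount any host path, as
# the chapter shows, so they are effectively root on the host.

# Print "group:user" for every member of a Docker-access group found in a
# group(5)-format file. Group names default to the two named in the chapter.
docker_api_users() {
    groupfile="$1"
    shift
    names="${*:-docker dockerroot}"
    awk -F: -v names="$names" '
        BEGIN { n = split(names, want, " "); for (i = 1; i <= n; i++) w[want[i]] = 1 }
        ($1 in w) && $4 != "" {
            m = split($4, members, ",")
            for (j = 1; j <= m; j++) print $1 ":" members[j]
        }' "$groupfile"
}

# Report the socket's owning group and mode. Returns 1 if the socket is
# world-writable (anyone on the host gets the API), 2 if there is no socket.
docker_socket_check() {
    sock="${1:-/var/run/docker.sock}"
    [ -S "$sock" ] || { echo "no socket at $sock"; return 2; }
    mode=$(stat -c '%a' "$sock" 2>/dev/null || stat -f '%Lp' "$sock")
    grp=$(stat -c '%G' "$sock" 2>/dev/null || stat -f '%Sg' "$sock")
    echo "$sock group=$grp mode=$mode"
    case "$mode" in *[2367]) return 1 ;; esac   # last octal digit has the w bit
    return 0
}

# Constructed sample group file so the check can be run offline.
SAMPLE_GROUP=$(mktemp)
cat > "$SAMPLE_GROUP" <<'EOF'
root:x:0:
sudo:x:27:alice
docker:x:999:alice,bob
dockerroot:x:998:carol
users:x:100:dave
EOF

docker_api_users "$SAMPLE_GROUP"          # alice, bob and carol hold root-equivalent access
docker_socket_check /var/run/docker.sock || true
rm -f "$SAMPLE_GROUP"
```

On a real host, run `docker_api_users /etc/group` and compare the list against the people who are supposed to be host administrators.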

10.2. Security measures in Docker

Technique 84 Constraining capabilities

Technique 85 HTTP auth on your Docker instance

Technique 86 Securing your Docker API

10.3. Security from outside Docker

Technique 87 OpenShift—an application platform as a service

Technique 88 Using security options

10.4. Summary