5.2 Lab - Docker Security

Introduction

This hands-on lab is designed to give you practical experience with implementing Docker security best practices. Focused on enhancing the security posture of your Docker containers and images, this lab will guide you through configuring secure container runtimes, managing container access, and ensuring image security. Using the Nano editor in a Linux environment, you will modify configuration files and apply security measures directly to Docker containers and images.

Objectives

• Implement container runtime security best practices.
• Secure Docker images and manage container access.
• Understand how to apply security configurations using the Nano editor.

Lab Steps

Step 1: Preparing Your Environment

• Ensure Docker is installed on your Linux system. If not, install Docker and the Nano editor using your distribution's package manager.

Step 2: Running Containers with a Non-root User

• Create a Dockerfile using Nano to build an image that runs as a non-root user.

  nano Dockerfile
  

• Add the following content to the Dockerfile:

  FROM nginx:latest
  RUN useradd -m myuser
  USER myuser
  

• Save and exit Nano (CTRL+O, Enter, CTRL+X).
• Build the image:

  docker build -t nginx-non-root .
  

Step 3: Limiting Container Resources

• Run a container from the nginx-non-root image, limiting its memory and CPU usage:

  docker run --name secure-nginx --memory=512m --cpus=1 -d nginx-non-root
  

Step 4: Implementing Read-Only Filesystems

• Run a container with a read-only filesystem to prevent modifications:

  docker run --name readonly-nginx --read-only -d nginx-non-root
  

• Attempt to create a file inside the container to validate the read-only setting:

  docker exec readonly-nginx touch /tmp/testfile
  

• The operation should fail, indicating the filesystem is read-only.

Step 5: Enabling Docker Content Trust

• Enable Docker Content Trust by setting an environment variable in your session:

  export DOCKER_CONTENT_TRUST=1
  

• Try pulling an image from a repository. Docker Content Trust will ensure the images are signed and verified:

  docker pull nginx:latest
  

Summary

In this lab, you've taken significant steps to secure your Docker containers and images. By running containers as a non-root user, you've minimized the potential impact of a container breach. Limiting container resources and implementing read-only filesystems are crucial practices for maintaining the integrity and stability of your Docker environment. Finally, enabling Docker Content Trust ensures that only signed and verified images are used, further enhancing the security of your containerized applications. These practices form the foundation of a secure Docker deployment, illustrating the importance of security considerations in containerized environments.