Strengthening Docker Security: Best Practices and Hands-On Lab

Voiced by Amazon Polly

Docker has revolutionized the deployment of containerized applications, offering portability, scalability, and ease of use. However, the growing reliance on containers makes it essential to focus on securing these environments. This blog will discuss key Docker security practices, highlight common vulnerabilities, and guide you through a hands-on lab to implement these security measures effectively.

Become an Azure Expert in Just 2 Months with Industry-Certified Trainers

Career-Boosting Skills
Hands-on Labs
Flexible Learning

Enroll Now

Section 1: Understanding Docker Security

Why Securing Docker Matters: While containers are known for their lightweight and portable nature, they can expose vulnerabilities if not properly secured. Container misconfigurations, outdated images, and weak networking setups can become entry points for attackers. Docker security requires a layered approach that ensures isolation between containers, maintains the integrity of images, and fortifies runtime defences.

Common Security Risks in Docker:

Insecure Images: Docker images can contain outdated or vulnerable software or even malicious code.
Privilege Escalation: Running containers as root can allow attackers to gain control of the host system.
Excessive Network Access: Allowing unrestricted communication between containers can lead to unauthorized access or privilege escalation.
Insufficient Logging: Without proper logging, it’s difficult to detect or track suspicious activity.

Section 2: Docker Security Best Practices

Choose Trusted Images:

- Always pull images from reputable sources such as the Docker Hub or official repositories.
- Use tools like Docker Content Trust to validate image authenticity through signatures.
Apply the Principle of Least Privilege:
- Avoid running containers as root.
- Use the USER directive in Dockerfiles to set a non-root user.
- At runtime, utilize Docker’s –user flag to assign a user to the container.
Stay Up-to-Date with Docker and Images:
- Regularly update Docker to the latest stable version.
- Continuously scan images for vulnerabilities with tools like Trivy or Clair.
Implement Network Isolation:
- Leverage Docker’s network isolation features to limit container communication, especially when unnecessary.
- Create isolated networks and configure firewalls to control access between containers.
Activate Logging and Monitoring:
- Enable container logs to track activity and identify abnormal behaviors.
- Integrate with external monitoring tools (e.g., Prometheus, Grafana) to enhance visibility.
Set Resource Limits:
- Use the –memory and –cpus flags to set CPU and memory limits, preventing resource exhaustion attacks.

Section 3: Docker Security Lab - Securing a Dockerized Application

This lab aims to walk through securing a simple web application running in a Docker container.

Prerequisites:

Docker installed on your local machine or VM.
Basic knowledge of Docker commands.

Step 1: Create a Basic Dockerized Web Application: Start by creating Dockerfile with the following contents:

FROM node:14

WORKDIR /usr/src/app

COPY . .

RUN npm install

EXPOSE 8080

CMD ["node", "app.js"]

Create a simple app.js file to run a web server:

const express = require('express');

const app = express();

const port = 8080;




// Simulated secret

const secretKey = '12345-SECRET-API-KEY-67890';




app.get('/', (req, res) =&gt; {

  res.send('Hello, Docker!');

});




app.get('/secret', (req, res) =&gt; {

  res.send(`The secret key is: ${secretKey}`);

});




app.listen(port, () =&gt; {

  console.log(`App running at http://localhost:${port}`);

});

FROM node:14

WORKDIR /usr/src/app

COPY . .

RUN npm install

EXPOSE 8080

CMD ["node", "app.js"]

Create a simple app.js file to run a web server:

const express = require('express');

const app = express();

const port = 8080;

// Simulated secret

const secretKey = '12345-SECRET-API-KEY-67890';

app.get('/', (req, res) => {

res.send('Hello, Docker!');

});

app.get('/secret', (req, res) => {

res.send(`The secret key is: ${secretKey}`);

});

app.listen(port, () => {

console.log(`App running at http://localhost:${port}`);

});

Build the Docker image:

 docker build -t secure-web-app .

1	docker build -t secure-web-app .

Run the container:

docker run -d -p 8080:8080 secure-web-app

1	docker run -d -p 8080:8080 secure-web-app

Step 2: Scan the Image for Vulnerabilities

Now, let’s scan the image for vulnerabilities using a tool like Trivy.

Install Trivy if you haven’t already (ubuntu):

sudo apt-get install wget apt-transport-https gnupg lsb-release

1	sudo apt-get install wget apt-transport-https gnupg lsb-release

wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | sudo apt-key add -

1	wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key \| sudo apt-key add -

echo deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main | sudo tee -a /etc/apt/sources.list.d/trivy.list

1	echo deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main \| sudo tee -a /etc/apt/sources.list.d/trivy.list

sudo apt-get update

1	sudo apt-get update

sudo apt-get install trivy

1	sudo apt-get install trivy

Scan the image: trivy image –scanners vuln secure-web-app

This will report any vulnerabilities found in the image and recommend fixes (e.g., updating dependencies).

Vulnerabilities Identified:

CVE-2022-25883 (HIGH): ReDoS vulnerability in semver (fixed in version 5.7.2 or higher).
CVE-2024-28863 (MEDIUM): DoS vulnerability in node-tar (fixed in version 6.2.1 or higher).
CVE-2023-26136: Prototype pollution in tough-cookie (fixed in version 4.1.3 or higher).

Use Trivy to Scan for Secrets:

Run the following Trivy command to scan the current directory (including Dockerfile and app.js) for secrets like API keys and passwords:

trivy fs --scanners secret .

1	trivy fs --scanners secret .

Review any secrets detected in your code and take appropriate action, such as removing them or using environment variables for sensitive data.

Section 4: Scanning Docker Images with Trivy

Trivy is a powerful open-source tool that scans container images, file systems, and Git repositories for known vulnerabilities and misconfigurations. It’s lightweight, easy to integrate into CI/CD pipelines, and offers quick, comprehensive results.

Key Features of Trivy:

Vulnerability Scanning: Detects issues in OS packages, application dependencies, and configurations.
Misconfiguration Detection: Scans Kubernetes resources and identifies misconfigurations like RBAC roles and network policies.
Secret Detection: Locates sensitive information such as API keys and passwords in Docker images.

Section 5: Implementing Docker Security Best Practices

To further enhance the security of our Dockerized application, you can implement these Docker security best practices:

Use Trusted Images
- Always pull images from trusted sources like Docker Hub, Red Hat, or official repositories.
- Use tools like Docker Content Trust to ensure images are signed and verified.

Action: Ensure that your Dockerfile references official or trusted base images like node:14.

Run Containers with Least Privilege
- Avoid running containers with root privileges.
- Use the USER directive in Dockerfiles to specify a non-root user for containers.
- Use Docker’s –user flag to assign a user at runtime.

Action: Modify your Dockerfile to use a non-root user for the container:

RUN addgroup --system appgroup &amp;&amp; adduser --system --ingroup appgroup appuser
USER appuser

1 2	RUN addgroup --system appgroup && adduser --system --ingroup appgroup appuser USER appuser

Keep Docker and Images Up-to-Date
- Always use the latest stable Docker version.
- Regularly scan images for vulnerabilities using tools like Clair or Anchore.

Action: Keep your system and Docker installation updated. Additionally, regularly scan your images for vulnerabilities.

Network Isolation
- Use Docker’s network isolation to restrict container communication unless necessary.
- Set up private networks and use Docker’s built-in firewall features.

Action: Create a private network for your application container:

docker network create --driver bridge secure_network

1	docker network create --driver bridge secure_network

docker run -d -p 8080:8080 --network secure_network secure-web-app

1	docker run -d -p 8080:8080 --network secure_network secure-web-app

Enable Logging and Monitoring
- Enable logging for containers to monitor activity and catch suspicious actions.
- Integrate with external monitoring systems (e.g., Prometheus, Grafana) for more visibility.

Action: Enable Docker container logs by default:

docker run --log-driver=json-file -d -p 8080:8080 secure-web-app

1	docker run --log-driver=json-file -d -p 8080:8080 secure-web-app

Enable Resource Limits
- Set CPU and memory limits using –memory and –cpus flags to prevent resource exhaustion attacks.

Action: Limit resources for the container:

docker run -d -p 8080:8080 --memory="500m" --cpus="1" secure-web-ap

1	docker run -d -p 8080:8080 --memory="500m" --cpus="1" secure-web-ap

Conclusion

Securing Docker environments is essential to protect your applications from potential security breaches. By following best practices, such as using trusted images, enforcing least privilege, enabling logging, and regularly updating your images, you can ensure the integrity and safety of your containerized applications. The hands-on lab demonstrates how to apply these practices to secure a Dockerized application effectively.

Enhance Your Productivity with Microsoft Copilot

Effortless Integration
AI-Powered Assistance

Get Started Now

About CloudThat

CloudThat is an award-winning company and the first in India to offer cloud training and consulting services worldwide. As a Microsoft Solutions Partner, AWS Advanced Tier Training Partner, and Google Cloud Platform Partner, CloudThat has empowered over 850,000 professionals through 600+ cloud certifications winning global recognition for its training excellence including 20 MCT Trainers in Microsoft’s Global Top 100 and an impressive 12 awards in the last 8 years. CloudThat specializes in Cloud Migration, Data Platforms, DevOps, IoT, and cutting-edge technologies like Gen AI & AI/ML. It has delivered over 500 consulting projects for 250+ organizations in 30+ countries as it continues to empower professionals and enterprises to thrive in the digital-first world.