Running Docker Containers Securely in Production

  • Running a minimal image like Alpine Linux, which was designed with security in mind. The kernel is patched with an unofficial port of grsecurity. Grsecurity is a set of security enhancements to the Linux kernel which includes access control and elimination of memory corruption based vulnerabilities by minimizing the ways that a system can be attacked.
  • Enforcing resource (CPU/RAM) limits to prevent DoS attacks.
  • Configuring thread and process limits in the operating system.
  • Applying standard Linux kernel hardening procedures like sysctl hardening.
  • Running a single application per container. This is recommended because it reduces the attack surface, i.e., the amount of possible vulnerabilities for a given container is limited to those that might be present in the application on that container.

--

--

--

Love podcasts or audiobooks? Learn on the go with our new app.

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Alex Baretto

Alex Baretto

More from Medium

NGINX monitoring commands

Building Kubernetes Admission Webhooks (Part 2 of 2)

What is making your Docker image bloat?

HashiCorp Vault | Getting started