3 tips for securing your Docker container

Oscar Eriksson
2 min read · Apr 18, 2018

Containerization brings some security oddities that are easy to overlook. Here are three easy things you can do to make your container a bit more secure:

1. Don’t use root

By default, every command in a Docker container runs as root. In your Dockerfile, switch to a non-privileged user before starting your application. The reason is that the container shares the host's kernel, so a process that is root inside the container is also root on the host if it escapes the container. For example, if a vulnerability is exploited in an application that is running as root, the attacker can obtain a root shell, break out of the container, and gain root access to the host machine.

Example Dockerfile:

FROM debian
# install your deps and application...
RUN apt-get update && apt-get install -y --no-install-recommends libssl-dev libmysqlclient-dev \
    && rm -rf /var/lib/apt/lists/*
COPY . /myapp
# ...then create a new user and switch to it
RUN groupadd -r mygroup && useradd -r -g mygroup myuser
RUN chown -R myuser:mygroup /myapp
USER myuser
# ...finally run your application using the non-privileged user.
# Use CMD (or ENTRYPOINT), not RUN: RUN executes at build time, CMD when the container starts.
CMD ["/myapp/start.sh"]

2. Limit resource usage

Limit the amount of memory available to the container. By default, containers have no limit on how much they can consume, so a DoS is possible where the app hogs all memory on the host and all running…
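An added audit script covering both tips above (example code written here, not from the original post): it checks a Dockerfile for a non-root USER and a CMD/ENTRYPOINT, and checks `docker inspect` output for a memory limit. The Dockerfile text and the inspect JSON are constructed samples; the instruction names and the `Config.User` / `HostConfig.Memory` fields are the real Docker ones.

```python
import json

# Constructed Dockerfile with the RUN-vs-CMD mistake fixed: USER is set and the app
# starts via CMD (RUN executes at build time, CMD when the container starts).
GOOD_DOCKERFILE = """\
FROM debian
RUN apt-get update && apt-get install -y libssl-dev
RUN groupadd -r mygroup && useradd -r -g mygroup myuser
COPY . /myapp
USER myuser
CMD ["/myapp/start.sh"]
"""

def parse_instructions(text):
    """Return (INSTRUCTION, args) pairs; joins '\\' continuations, skips comments."""
    pairs = []
    for line in text.replace("\\\n", " ").splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            inst, _, args = line.partition(" ")
            pairs.append((inst.upper(), args.strip()))
    return pairs

def audit_dockerfile(text):
    """Tip 1: the last USER instruction wins at runtime; Docker's default is root."""
    pairs = parse_instructions(text)
    user, findings = "root", []
    for inst, args in pairs:
        if inst == "USER":
            user = args.split(":")[0]  # USER may be written as user:group
    if user in ("root", "0"):
        findings.append(f"runtime user is '{user}': add a USER <non-root> line")
    if not any(inst in ("CMD", "ENTRYPOINT") for inst, _ in pairs):
        findings.append("no CMD/ENTRYPOINT: a RUN line only executes at build time")
    return findings

def audit_running(inspect_json):
    """Tip 2: read `docker inspect` output; HostConfig.Memory == 0 means no limit."""
    findings = []
    for c in json.loads(inspect_json):
        name, host = c.get("Name", "?"), c.get("HostConfig", {})
        if not host.get("Memory"):
            findings.append(f"{name}: no --memory limit, can exhaust host RAM")
        if c.get("Config", {}).get("User", "") in ("", "root", "0"):
            findings.append(f"{name}: runs as root (Config.User unset or root)")
    return findings

# Constructed stand-in for `docker inspect web db` output (only the fields used).
SAMPLE_INSPECT = json.dumps([{"Name": "/web", "Config": {"User": "myuser"}, "HostConfig": {"Memory": 268435456}},
                             {"Name": "/db", "Config": {"User": ""}, "HostConfig": {"Memory": 0}}])
```

Run it against real images by feeding the Dockerfile contents to `audit_dockerfile` and the output of `docker inspect <container>` to `audit_running`.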


Oscar Eriksson

Systems developer and infrastructure engineer who transitioned into Data Science with huge passion for distributed systems and cybersec.