
Improve docker container security

mviereck edited this page Oct 15, 2018 · 5 revisions

How to improve container security

  • Avoid root in container. Create an unprivileged user in container, e.g. with --user 1000:1000 or with a custom /etc/passwd file.
  • Drop all capabilities with --cap-drop ALL.
    • Add back only the capabilities your application really needs (if any), e.g. with --cap-add CHOWN.
    • Avoid the capability SYS_ADMIN, which grants root-like powers.
    • Compare man 7 capabilities and the docker documentation about capabilities.
  • Forbid gaining privileges in container (e.g. with su) with option --security-opt no-new-privileges.
  • Mount container root file system read-only and only allow rw access for /tmp with --read-only --tmpfs /tmp.
  • Do NOT use --privileged. If you want to give access to specific devices, use e.g. --device /dev/snd.
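The following shell function is an added example, not part of this wiki page or the x11docker project: it turns the checklist above into a small audit that scans a docker run command line for the listed options and prints a WARN line for each missing or dangerous one. The function name audit_docker_run and the sample command lines are my own; nothing here invokes docker.

```shell
#!/usr/bin/env bash
# Added example, not part of the original wiki page: audit a `docker run`
# command line against the hardening items listed above and print one
# WARN line per missing or dangerous option. It only inspects the text of
# the command; docker itself is never invoked.

# Usage: audit_docker_run "<full docker run command line>"
# Returns 0 when every check passes, 1 when at least one WARN was printed.
audit_docker_run() {
  local cmd="$1" findings=0

  # Case-insensitive regex test against the command line (docker accepts
  # both "--cap-drop ALL" and "--cap-drop=all", for example).
  has() { printf '%s' "$cmd" | grep -Eqi -e "$1"; }
  warn() { printf 'WARN: %s\n' "$1"; findings=$((findings + 1)); }

  # Do NOT use --privileged; grant individual devices with --device instead.
  has '--privileged( |$|=true)' &&
    warn "--privileged used; pass specific devices with --device instead"

  # Avoid root in container.
  has '(^| )(-u|--user)[ =]' ||
    warn "no --user given; processes run as root inside the container"

  # Drop all capabilities, then add back only what is really needed.
  has '--cap-drop[ =]all( |$)' ||
    warn "no --cap-drop ALL; container keeps docker's default capability set"

  # SYS_ADMIN is close to full root power.
  has '--cap-add[ =](cap_)?sys_admin( |$)' &&
    warn "--cap-add SYS_ADMIN grants root-like powers"

  # Forbid gaining privileges via setuid binaries such as su.
  has '--security-opt[ =]no-new-privileges' ||
    warn "no --security-opt no-new-privileges; setuid binaries can escalate"

  # Read-only root file system; writable scratch space only via --tmpfs.
  has '--read-only( |$)' ||
    warn "no --read-only; root file system is writable"

  [ "$findings" -eq 0 ]
}
```

Example calls: audit_docker_run "docker run --user 1000:1000 --cap-drop ALL --security-opt no-new-privileges --read-only --tmpfs /tmp --device /dev/snd myimage" prints nothing, while a line using --privileged and --cap-add SYS_ADMIN produces six warnings.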