Build a secure Docker host environment on Linux systems

Start at the host layer

Run the latest stable OS release and patches on container hosts. Unlike VMs, containers share host OS resources and files, so a security issue could affect the entire Docker estate. OS management isn't difficult for enterprise IT teams, but approach with caution -- review all documentation prior to committing an update for Docker hosting systems. Virtual snapshots are a useful tool for this process, providing a log of changes and a rollback target if needed.

Application security is only as good as what's on the stack below it. Assess the security settings on the host in question. Anyone with administrator-level access to the OS can manipulate the containers in the default configuration. Administrators should use keys for remote login to increase the environment's security level. In addition, implement a firewall, and restrict access to only trusted networks. Keep the attack surface to a minimum.

Audits work hand in hand with security. Don't ignore system audits until the information is needed -- it won't be available, because it hasn't been recorded. Engage in a strong log monitoring and management process that terminates in a dedicated log storage host, with restricted access.

In the same vein, Docker host systems should run only Docker containers. A host should run as few services as possible. Non-Docker services can, if necessary, be converted to containers to abstract them away from the host OS and other containers on the system.

Create a secure Docker environment

Administrators can take simple steps to stabilize container operations. Keep the /var/lib/docker directory partitioned within the system. This separation ensures that any storage space issues within the Docker environment won't crash the OS and consequently take out all the containers on that host. Use logical volume management to ease storage allocation. It virtualizes storage partitioning to share resources effectively across multiple workloads.

A secure Docker setup also depends on vigilance regarding images, which are the static packages of code, dependencies and libraries needed for a container to run. Not all Docker images are to be trusted. Build Docker images in-house to ensure that developers and users get only what the image is meant to have. This assuages security concerns -- and paranoia -- and provides the opportunity for image optimization because the organization is the only target user.

If custom image builds are out of your organization's wheelhouse, or not always needed, use official builds only. For example, download the Ubuntu Docker image from the official repository. Unofficial builds aren't necessarily wrong but might not meet the user's expectations and reliability demands -- and some third-party images are intentionally fraudulent or malicious.

Avoid infiltration of erroneous or malicious container images through a global content trust requirement. Trusted images come from a verified source -- such as Docker's official repository on Docker Hub -- and can be built upon for finely tuned control over the environment. Enable the content trust flag globally to prevent potentially dangerous images from sneaking in uninvited.

Many aspects of basic Docker security boil down to good computer hygiene and common sense: Tighten down the virtual hatches, run only the minimum necessary services and applications and restrict host access to only those users who need it. And always be careful what you download.