
Securing Docker containers


Namaste

Hi there!

Being a "NAS hobbyist" and not a professional, I followed several tutorials that allowed me to set up nice Docker containers that I run and manage with Portainer. These services are all unrelated to the data stored on my NAS (e.g. FreshRSS, rallly, traccar, etc.).

I am not sure how much the tutorials I followed really care about security, nor if the containers I downloaded and use are 100% trustworthy or not (let's even say 90%). So I want to "secure" these containers as much as possible and make sure that none of them can get access to the other shared folders on the NAS, nor to my LAN. I have searched the internet for this, but all the information I find is too complex for me to understand and apply.

Do you guys have any advice on "securing Docker containers" (what are the most important points to check and secure) and maybe some easy-to-understand instructions on how to do it?

Thanks for your help!
Y
 
Try and use the --user docker parameter to tell the container to run as a specific user/group. That can be used with a specific DSM account that has access to only specific folders for that particular container.

Mapping the container with that user's ID will essentially sandbox the container to that specific user > local folder (that is, the volume bind).

Creating a new DSM user will create a new user ID like 1028, 1029, etc. So you can use user: 1028:100 in the compose file to limit the container to user ID 1028 and group ID 100 (aka "users"; or 101 for the admin group).
 
Upvote 1
Some additional settings that can be tweaked when creating a container from the command line:

- Never run a container in privileged mode

- Drop all capabilities:
Code:
  --cap-drop ALL
- If needed add required capabilities:
Code:
  --cap-add CAP_WHATEVER_IS_NEEDED
- Set security option to not allow new privileges:
Code:
  --security-opt no-new-privileges
- If the image allows it, make the container use a read-only file system
Code:
  --read-only
 
Upvote 1
- Drop all capabilities:
Code:
--cap-drop ALL
- If needed add required capabilities:
Code:
--cap-add CAP_WHATEVER_IS_NEEDED
- Set security option to not allow new privileges:
Code:
--security-opt no-new-privileges
- If the image allows it, make the container use a read-only file system
Code:
--read-only
For the docker compose aficionados… [Note the underscores, versus dashes]
Code:
services:
  redis:
    image: redis:alpine
    read_only: true
    cap_drop:
      - ALL
    cap_add:
      - WHATEVER IS NEEDED
    security_opt:
      - no-new-privileges:true

Also note the space (or lack of) preceding "true".
 
Upvote 0
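Pulling the points from the replies above into one check, as an added example that is not code from the thread or from Docker: it reads `docker inspect` JSON (a constructed sample is embedded; on a NAS you would pipe `docker inspect <name>` into it) and lists which of the hardening settings a container is still missing. The field names are the real `docker inspect` ones; the container name and values in the sample are made up.

```python
import json
import sys

# Constructed sample of `docker inspect <container>` output, trimmed to the
# fields the audit reads. Not captured from a real NAS.
SAMPLE_INSPECT = json.dumps([{
    "Name": "/freshrss",
    "Config": {"User": ""},
    "HostConfig": {
        "Privileged": False,
        "CapAdd": ["NET_ADMIN"],
        "CapDrop": None,
        "SecurityOpt": None,
        "ReadonlyRootfs": False,
    },
}])


def audit_container(info: dict) -> list:
    """Return the hardening points from the thread that this container misses."""
    host = info.get("HostConfig", {})
    findings = []
    if host.get("Privileged"):
        findings.append("runs in privileged mode")
    # An empty Config.User means the image default, which is usually root.
    user = info.get("Config", {}).get("User") or ""
    if user == "" or user.split(":")[0] in ("0", "root"):
        findings.append("runs as root; set user (e.g. 1028:100)")
    if "ALL" not in (host.get("CapDrop") or []):
        findings.append("does not drop all capabilities (--cap-drop ALL)")
    # Anything re-added after the drop needs a per-container justification.
    for cap in host.get("CapAdd") or []:
        findings.append(f"re-adds capability {cap}; confirm it is required")
    opts = host.get("SecurityOpt") or []  # e.g. ["no-new-privileges:true"]
    if not any(o.startswith("no-new-privileges") for o in opts):
        findings.append("allows privilege gain (--security-opt no-new-privileges)")
    if not host.get("ReadonlyRootfs"):
        findings.append("root filesystem is writable (--read-only)")
    return findings


def audit_inspect_json(text: str) -> dict:
    """Map container name -> findings for a whole `docker inspect` JSON array."""
    return {c["Name"].lstrip("/"): audit_container(c) for c in json.loads(text)}


if __name__ == "__main__":
    text = SAMPLE_INSPECT if sys.stdin.isatty() else sys.stdin.read()
    for name, findings in audit_inspect_json(text).items():
        print(f"{name}: {len(findings)} finding(s)")
        for finding in findings:
            print("  -", finding)
```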
Creating a new DSM user will create a new user ID like 1028, 1029, etc. So you can use user: 1028:100 in the compose file to limit the container to user ID 1028 and group ID 100 (aka "users"; or 101 for the admin group).
Do realize that enabling any user to run Docker containers is largely the same as giving that user full root access.
 
Upvote 0

Welcome to SynoForum.com!

SynoForum.com is an unofficial Synology forum for NAS owners and enthusiasts.