Securing Docker containers


Hi there!

Being a "NAS hobbyist" and not a professional, I followed several tutorials that allowed me to set up nice Docker containers that I run and manage with Portainer. These services are all unrelated to the data stored on my NAS (e.g. FreshRSS, rallly, traccar, etc).

I am not sure how much the tutorials I followed really care about security, nor if the containers I downloaded and use are 100% trustworthy or not (let's even say 90%). So I want to "secure" these containers as much as possible and make sure that none of them can get access to the other shared folders on the NAS, nor to my LAN. I have searched the internet for this, but all the information I find is too complex for me to understand and apply.

Do you guys have any advice on "securing Docker containers" (what are the most important points to check and secure) and maybe some easy-to-understand instructions on how to do it?

Thanks for your help!
Y
 
Try and use the --user docker parameter to tell the container to run as a specific user/group. That can be used with a specific DSM account that has access to only specific folders for that particular container.

Mapping the container with that user's ID will essentially sandbox the container to that specific user > local folder (that is, the volume bind).

Creating a new DSM user will create a new user ID like 1028, 1029 etc. So you can use user: 1028:100 in the compose file to limit the container to user ID 1028, and group ID to 100 (aka "users", or 101 for the admin group).
 
Upvote 1
Some additional settings that can be tweaked when creating a container from the command line:

- Never run a container in privileged mode

- Drop all capabilities:
Code:
  --cap-drop ALL
- If needed, add the required capabilities:
Code:
  --cap-add CAP_WHATEVER_IS_NEEDED
- Set security option to not allow new privileges:
Code:
  --security-opt no-new-privileges
- If the image allows it, make the container use a read-only file system
Code:
  --read-only
 
Upvote 1
For the docker compose aficionados… [Note the underscores, versus dashes]
Code:
services:
  redis:
    image: redis:alpine
    read_only: true
    cap_drop:
      - ALL
    cap_add:
      - WHATEVER IS NEEDED
    security_opt:
      - no-new-privileges:true

Also note the space (or lack of) preceding "true".
 
Upvote 0
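To check whether a running container actually ended up with the settings recommended in the replies above (a non-root user, --cap-drop ALL, no-new-privileges, --read-only, no privileged mode, and bind mounts limited to one folder), the following script audits the JSON that `docker inspect` prints. It is an added example and not code from the thread or from Docker; the sample inspect output at the bottom is constructed by hand, and the UID 1028 and the /volume1/docker folder are assumptions for illustration.

```python
"""Audit `docker inspect` output for the container hardening settings discussed above.

Usage on the NAS:  docker inspect <container-name> | python3 audit_container.py
Run without input, it audits the constructed SAMPLE_INSPECT data below.
"""
import json
import sys

# Folders a container may bind-mount; a mount from anywhere else is a finding.
# Assumption: each container's data lives under /volume1/docker/<name>.
ALLOWED_BIND_PREFIXES = ("/volume1/docker/",)


def audit(inspect_entry, allowed_prefixes=ALLOWED_BIND_PREFIXES):
    """Return a list of findings (strings) for one container's inspect entry."""
    host = inspect_entry.get("HostConfig", {})
    config = inspect_entry.get("Config", {})
    findings = []

    if host.get("Privileged"):
        findings.append("runs in privileged mode")

    # Config.User is "" when no --user / user: was given, i.e. the container runs as root.
    user = config.get("User") or ""
    if user in ("", "0", "root") or user.startswith(("0:", "root:")):
        findings.append("runs as root (no --user / user: set)")

    if "ALL" not in (host.get("CapDrop") or []):
        findings.append("does not drop all capabilities (--cap-drop ALL)")
    for cap in host.get("CapAdd") or []:
        findings.append(f"adds capability {cap}")  # each added capability deserves a look

    secopts = host.get("SecurityOpt") or []
    if not any(opt.startswith("no-new-privileges") for opt in secopts):
        findings.append("missing --security-opt no-new-privileges")

    if not host.get("ReadonlyRootfs"):
        findings.append("root filesystem is writable (--read-only not set)")

    if host.get("NetworkMode") == "host":
        findings.append("uses host networking (full LAN access)")

    # Binds are "source:target[:options]"; a source without a leading "/" is a named volume.
    for bind in host.get("Binds") or []:
        src = bind.split(":", 1)[0]
        if not src.startswith("/"):
            continue
        if src == "/var/run/docker.sock":
            findings.append("mounts the Docker socket (equivalent to root on the host)")
        elif not src.startswith(allowed_prefixes):
            findings.append(f"bind-mounts {src}, outside the allowed folders")
    return findings


def audit_all(entries, allowed_prefixes=ALLOWED_BIND_PREFIXES):
    """Map container name -> findings for a whole `docker inspect` result list."""
    return {e.get("Name", "?").lstrip("/"): audit(e, allowed_prefixes) for e in entries}


# Constructed sample: one container started with the thread's recommended flags,
# one started with Docker's defaults plus two risky mounts.
SAMPLE_INSPECT = [
    {
        "Name": "/freshrss",
        "Config": {"User": "1028:100"},
        "HostConfig": {
            "Privileged": False,
            "CapDrop": ["ALL"],
            "CapAdd": ["CHOWN"],
            "SecurityOpt": ["no-new-privileges:true"],
            "ReadonlyRootfs": True,
            "NetworkMode": "bridge",
            "Binds": ["/volume1/docker/freshrss:/config:rw"],
        },
    },
    {
        "Name": "/traccar",
        "Config": {"User": ""},
        "HostConfig": {
            "Privileged": False,
            "CapDrop": None,
            "CapAdd": None,
            "SecurityOpt": None,
            "ReadonlyRootfs": False,
            "NetworkMode": "host",
            "Binds": ["/volume1/photo:/data:rw", "/var/run/docker.sock:/var/run/docker.sock"],
        },
    },
]

if __name__ == "__main__":
    entries = SAMPLE_INSPECT if sys.stdin.isatty() else json.load(sys.stdin)
    for name, findings in audit_all(entries).items():
        print(f"{name}: {'OK' if not findings else ''}")
        for finding in findings:
            print(f"  - {finding}")
```

In the sample, the hardened container reports only its one added capability, while the default one reports seven findings; an empty list means the container matches every recommendation in the thread. Adjust ALLOWED_BIND_PREFIXES to the folder you actually hand to each container.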
Quote:
Creating a new DSM user will create a new user ID like 1028, 1029 etc. So you can use user: 1028:100 in the compose file to limit the container to user ID 1028, and group ID to 100 (aka "users", or 101 for the admin group).

Do realize that enabling any user to run Docker containers is largely the same as giving that user full root access.
 
Upvote 0