How to deploy containers securely

Docker rootless runs the Docker daemon and its containers entirely as an unprivileged Linux user, with user namespaces mapping "root" inside the containers to ordinary host UIDs (the user's subuid/subgid ranges). A compromised container or daemon therefore lands in that user's account rather than in root, which removes the classic privilege-escalation path of the rootful setup, where anyone who can reach /var/run/docker.sock is effectively root on the host. It does not make containers unbreakable; it limits what an attacker gains from a breakout.

Prerequisites

Create linux user

To create a standard user on a Linux system, run sudo adduser myuser, replacing myuser with the desired username. Follow the prompts to set a password and enter the optional user information. This adds a user with ordinary privileges, which is exactly what rootless Docker needs: the daemon and containers will run as this account, not as root.

To keep the rootless daemon running when the user is not logged in, enable lingering for the user. Without it, systemd tears down the user's session (and the user-level docker.service with it) on logout:

sudo loginctl enable-linger myuser

Disable Docker daemon

If the system-wide (rootful) Docker daemon is already running, disable it and remove its socket so that nothing on the host keeps a root-equivalent entry point:

sudo systemctl disable --now docker.service docker.socket
sudo rm /var/run/docker.sock

If you choose not to stop the daemon and socket, you will need the --force option of the rootless installer in the next section. There are no known issues with running both, but until you stop and disable the system service you are still running rootful Docker, and the security benefit described above does not apply.

Install

On Ubuntu 24.04 and later, AppArmor restricts unprivileged user namespaces, so rootlesskit needs a profile that explicitly allows them. As a user with sudo access, generate the profile as myuser (the profile file name is the binary path with the slashes replaced by dots) and move it into place:

$ filename=$(sudo -u myuser bash -c 'filename=$(echo $HOME/bin/rootlesskit | sed -e "s@^/@@g" -e "s@/@.@g"); cat <<EOF > ~/${filename}
abi <abi/4.0>,
include <tunables/global>

"$HOME/bin/rootlesskit" flags=(unconfined) {
  userns,

  include if exists <local/${filename}>
}
EOF
echo "${filename}"')

$ sudo mv /home/myuser/${filename} /etc/apparmor.d/${filename}
$ sudo systemctl restart apparmor.service

The profile is only loaded after AppArmor is restarted (or the file is passed to apparmor_parser -r), so do not skip the last command.

Now you can connect as the standard user to install docker rootless.

Warning

rootlesskit cannot detect systemd properly if you switch to your user via sudo su, because that does not start a systemd user session. For users who cannot log in directly, use the machinectl command, which is part of the systemd-container package. After installing systemd-container, switch to myuser with the following command:

sudo machinectl shell myuser@

As myuser, run the installation script from Docker to install the latest version of rootless dockerd:

curl -fsSL https://get.docker.com/rootless | sh

As the script's output tells you, add some environment variables to your ~/.bashrc and reload it. PATH must contain ~/bin, where the rootless binaries were installed, and DOCKER_HOST must point the client at the per-user socket rather than /var/run/docker.sock:

echo -e "\nexport PATH=$HOME/bin:\$PATH\nexport DOCKER_HOST=unix:///run/user/$(id -u)/docker.sock" >> ~/.bashrc
source ~/.bashrc

Rootless Docker is now installed; you can check it with the command below. The Security Options line of the output should list rootless, and the Docker Root Dir should be under your home directory:

docker info
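As an added example that is not part of the original post, the script below checks the outcome of the whole procedure above: that DOCKER_HOST points at the per-user socket, that the daemon answers as rootless, that lingering is enabled so the daemon survives logout, and that no rootful dockerd or /var/run/docker.sock is left behind. The parsing functions take their input as arguments so they can be tried on captured output; run_live_checks calls docker, loginctl and ps (Linux procps syntax assumed) on the live system. The user name myuser and the script name check-rootless.sh are assumptions.

```bash
#!/bin/sh
# Added example, not from the original post or from Docker: post-install
# checks for a rootless setup. The pure functions below take their input as
# arguments; run_live_checks feeds them the real tool output.

# is_rootless_security_opts <output of: docker info --format '{{.SecurityOptions}}'>
# The rootless daemon advertises itself with "name=rootless" in that list.
is_rootless_security_opts() {
    case "$1" in
        *name=rootless*) return 0 ;;
        *) return 1 ;;
    esac
}

# docker_host_is_user_socket <DOCKER_HOST value> <uid>
# True only for the per-user socket; /var/run/docker.sock means rootful.
docker_host_is_user_socket() {
    [ "$1" = "unix:///run/user/$2/docker.sock" ]
}

# linger_enabled <output of: loginctl show-user <user>>
# "Linger=yes" is what `loginctl enable-linger` sets; without it the user's
# systemd instance (and the rootless dockerd with it) dies at logout.
linger_enabled() {
    case "$1" in
        *Linger=yes*) return 0 ;;
        *) return 1 ;;
    esac
}

# daemon_owned_by <output of: ps -C dockerd -o user:32=> <expected user>
# Every dockerd process must belong to the unprivileged user; an empty list
# (no daemon at all) is also a failure.
daemon_owned_by() {
    [ -n "$1" ] || return 1
    for owner in $1; do
        [ "$owner" = "$2" ] || return 1
    done
    return 0
}

# run_live_checks [user]   (user defaults to the assumed name "myuser")
run_live_checks() {
    user=${1:-myuser}
    uid=$(id -u "$user") || return 1
    rc=0
    docker_host_is_user_socket "${DOCKER_HOST-}" "$uid" \
        && echo "ok: DOCKER_HOST is the per-user socket" \
        || { echo "FAIL: DOCKER_HOST='${DOCKER_HOST-}', expected unix:///run/user/$uid/docker.sock"; rc=1; }
    is_rootless_security_opts "$(docker info --format '{{.SecurityOptions}}' 2>/dev/null)" \
        && echo "ok: daemon reports name=rootless" \
        || { echo "FAIL: daemon is not rootless or not reachable"; rc=1; }
    linger_enabled "$(loginctl show-user "$user" 2>/dev/null)" \
        && echo "ok: lingering enabled for $user" \
        || { echo "FAIL: run: sudo loginctl enable-linger $user"; rc=1; }
    daemon_owned_by "$(ps -C dockerd -o user:32= 2>/dev/null)" "$user" \
        && echo "ok: every dockerd process runs as $user" \
        || { echo "FAIL: no dockerd, or one running as another user (rootful daemon still active?)"; rc=1; }
    if [ -S /var/run/docker.sock ]; then
        echo "FAIL: /var/run/docker.sock still exists"; rc=1
    else
        echo "ok: no rootful socket at /var/run/docker.sock"
    fi
    return $rc
}

# Only touch the live system when asked:  sh check-rootless.sh --live [user]
case "${1-}" in
    --live) shift; run_live_checks "$@" ;;
esac
```

Run it as the rootless user (sh check-rootless.sh --live myuser) after sourcing ~/.bashrc; every line should start with "ok:". The DOCKER_HOST check is the one people most often fail: with the variable unset the client silently falls back to /var/run/docker.sock, so a forgotten rootful daemon keeps answering and nothing looks wrong.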

Docker-compose

If you want to install docker-compose after installing docker rootless, follow these instructions
