Docker · How-To · Beginner · 4 min read

How to Secure Docker Container: Best Practices and Examples

To secure a Docker container, use minimal base images, run containers as non-root users, and scan images for vulnerabilities. Also limit container capabilities and use Docker's security options, such as --read-only and seccomp profiles, to reduce the attack surface.

Syntax

Here are key Docker run options to enhance container security:

  • --user: Runs container as a specific user instead of root.
  • --read-only: Makes the container filesystem read-only.
  • --cap-drop: Removes Linux capabilities to limit privileges.
  • --security-opt: Applies security profiles like seccomp or AppArmor.
bash
docker run --user 1000 --read-only --cap-drop ALL --security-opt seccomp=default.json myimage

Example

This example runs a Docker container securely by using a non-root user, dropping all capabilities, and making the filesystem read-only.

bash
docker run --rm \
  --user 1000 \
  --read-only \
  --cap-drop ALL \
  --security-opt seccomp=default.json \
  alpine:3.18 \
  sh -c "id && touch /tmp/testfile"
Output
uid=1000 gid=1000 groups=1000 sh: can't create /tmp/testfile: Read-only file system

Common Pitfalls

Common mistakes when securing Docker containers include:

  • Running containers as root, which increases risk if compromised.
  • Using large or outdated base images that contain vulnerabilities.
  • Not scanning images for known security issues.
  • Giving containers unnecessary Linux capabilities.

Always verify user permissions and limit capabilities.

bash
# Wrong: runs as root (uid=0)
docker run --rm alpine:3.18 sh -c "id"

# Correct: runs as uid 1000
docker run --rm --user 1000 alpine:3.18 sh -c "id"
Output
uid=0(root) gid=0(root) groups=0(root)
uid=1000 gid=1000 groups=1000
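The Example and Common Pitfalls sections above show the hardening flags on the command line; in practice you also want to check that a running container actually ended up with them. The following Python script is an added example, not part of the original article or of Docker itself. It reads the JSON that `docker inspect <container>` prints and reports each pitfall from the list above (root user, writable root filesystem, capabilities not dropped, extra capabilities, seccomp disabled, privileged mode) together with the `docker run` option that fixes it. The two inspect records embedded in the script are constructed for this example and trimmed to the fields the audit reads; the `--stdin`-style `-` argument for feeding real inspect output is the script's own convention.

```python
"""Audit container runtime configuration for the hardening options discussed
above. Input is the JSON array that `docker inspect <container>` prints."""
import json
import sys

# Constructed sample: two trimmed `docker inspect` records, one container
# started without any hardening and one started with the flags from the
# Example section. Real output contains many more fields.
SAMPLE_INSPECT = json.dumps([
    {
        "Name": "/weak",
        "Config": {"User": "", "Image": "ubuntu:latest"},
        "HostConfig": {
            "Privileged": False,
            "ReadonlyRootfs": False,
            "CapAdd": ["SYS_ADMIN"],
            "CapDrop": [],
            "SecurityOpt": ["seccomp=unconfined"],
        },
    },
    {
        "Name": "/hardened",
        "Config": {"User": "1000:1000", "Image": "alpine:3.18"},
        "HostConfig": {
            "Privileged": False,
            "ReadonlyRootfs": True,
            "CapAdd": None,
            "CapDrop": ["ALL"],
            "SecurityOpt": ["seccomp=default.json"],
        },
    },
])

# Each finding maps to the `docker run` option that removes it.
REMEDIATION = {
    "runs-as-root": "--user <uid>:<gid>",
    "privileged": "drop --privileged",
    "writable-rootfs": "--read-only",
    "capabilities-not-dropped": "--cap-drop ALL",
    "extra-capabilities": "remove --cap-add (or keep only what is required)",
    "seccomp-disabled": "--security-opt seccomp=<profile.json>",
}


def is_root_user(user: str) -> bool:
    """Config.User is empty when neither --user nor a Dockerfile USER was set,
    which means root; '0', 'root', '0:0' and 'root:0' are root as well."""
    if not user:
        return True
    uid = user.split(":", 1)[0]
    return uid in ("0", "root")


def audit_container(entry: dict) -> list[str]:
    """Return the list of findings for one inspect record (empty = clean)."""
    host = entry.get("HostConfig", {})
    findings = []
    if is_root_user(entry.get("Config", {}).get("User", "")):
        findings.append("runs-as-root")
    if host.get("Privileged"):
        findings.append("privileged")
    if not host.get("ReadonlyRootfs"):
        findings.append("writable-rootfs")
    cap_drop = {c.upper() for c in (host.get("CapDrop") or [])}
    if "ALL" not in cap_drop:
        findings.append("capabilities-not-dropped")
    if host.get("CapAdd"):
        findings.append("extra-capabilities")
    sec_opt = host.get("SecurityOpt") or []
    if any(o.strip().lower() == "seccomp=unconfined" for o in sec_opt):
        findings.append("seccomp-disabled")
    return findings


def audit_inspect_output(raw_json: str) -> dict[str, list[str]]:
    """Map container name -> findings for every record in the inspect array."""
    return {e["Name"].lstrip("/"): audit_container(e) for e in json.loads(raw_json)}


if __name__ == "__main__":
    # `python audit.py -` reads real `docker inspect` output from stdin;
    # with no argument the constructed sample is audited instead.
    raw = sys.stdin.read() if len(sys.argv) > 1 and sys.argv[1] == "-" else SAMPLE_INSPECT
    for name, findings in audit_inspect_output(raw).items():
        if not findings:
            print(f"{name}: OK")
            continue
        for f in findings:
            print(f"{name}: {f} -> fix with {REMEDIATION[f]}")
```

Run it over live containers with `docker inspect $(docker ps -q) | python audit.py -`. Note that the script treats an empty Config.User as root: Docker inherits the image's USER instruction into the container config, so an empty value means no user was set anywhere. Passing `--user 1000:1000` rather than a bare `--user 1000` also pins the primary group, which is why the sample uses the uid:gid form.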

Quick Reference

Summary of key Docker security options:

Option                    Purpose
------------------------  ----------------------------------------
--user                    Run container as non-root user
--read-only               Make container filesystem read-only
--cap-drop                Remove Linux capabilities
--security-opt            Apply security profiles like seccomp
Use minimal base images   Reduce attack surface
Scan images               Detect vulnerabilities before use

Key Takeaways

  • Always run Docker containers as non-root users to reduce risk.
  • Use minimal and updated base images to avoid vulnerabilities.
  • Limit container privileges by dropping unnecessary capabilities.
  • Make container filesystems read-only when possible.
  • Scan images regularly for security issues before deployment.