Does it improve security to remove root@% from local mysql container? [migrated]

I have a MySQL Docker container; when the volume is created on boot, the following init script is called, which creates a database, gives a user access to that database and deletes the root user with ‘%’ access:
define DDL <<-sql
…
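The check behind this question, as an added example (not code from the question or from the MySQL image): audit the rows of mysql.user for privileged accounts reachable from a wildcard host, and emit the DROP USER statements an init script would need. The sample rows are constructed; they are laid out like the accounts a fresh container ends up with when root is created for host '%'.

```python
"""Audit a mysql.user listing for wildcard-host superuser accounts.

Added example, not code from the original question. Input rows are what
    SELECT User, Host, Super_priv, Grant_priv FROM mysql.user;
returns. Application users on '%' are deliberately not flagged: other
containers connect over the Docker network, never from 'localhost'.
"""
from dataclasses import dataclass

# Constructed sample rows, not taken from a real server.
SAMPLE_ROWS = [
    ("root", "localhost", "Y", "Y"),
    ("root", "%", "Y", "Y"),        # root reachable from any host that can hit 3306
    ("app", "%", "N", "N"),         # ordinary application user
    ("mysql.sys", "localhost", "N", "N"),
]


@dataclass(frozen=True)
class Account:
    user: str
    host: str
    super_priv: bool
    grant_priv: bool


def parse_user_rows(rows):
    """Rows are (User, Host, Super_priv, Grant_priv); the *_priv columns are 'Y'/'N'."""
    return [Account(u, h, s == "Y", g == "Y") for u, h, s, g in rows]


def is_wildcard_host(host: str) -> bool:
    """'%' and '' match every host; '%' or '_' inside a host make it a pattern
    (e.g. '192.168.%'), so those are treated as wildcards too."""
    return host in ("%", "") or "%" in host or "_" in host


def quote_ident(s: str) -> str:
    """Single-quote an account-name component, escaping backslash and quote."""
    return "'" + s.replace("\\", "\\\\").replace("'", "\\'") + "'"


def audit(accounts):
    """Return (findings, remediation_sql).

    A finding is root, or any account holding SUPER or GRANT OPTION, whose
    host part is a wildcard. Whether that is exploitable still depends on
    3306 being reachable (published port, shared network), so this is the
    listing to review, not proof of compromise.
    """
    findings, sql = [], []
    for a in accounts:
        privileged = a.super_priv or a.grant_priv or a.user == "root"
        if privileged and is_wildcard_host(a.host):
            findings.append(a)
            sql.append(f"DROP USER IF EXISTS {quote_ident(a.user)}@{quote_ident(a.host)};")
    return findings, sql


if __name__ == "__main__":
    found, statements = audit(parse_user_rows(SAMPLE_ROWS))
    for a in found:
        print(f"wildcard-host privileged account: {a.user}@{a.host}")
    print("\n".join(statements))
```

Run the SELECT inside the container (docker exec into it) and feed the rows to audit(); the DROP USER statements it returns are what the init script in the question does by hand, and running the SELECT again afterwards is the check that it actually took effect.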

Docker: How to download & verify a publisher’s root key (out-of-band, distinct-domain cryptographic verification, WoT)

For a given publisher of docker images on Docker Hub (let’s say debian), how do I download their root release/image signing key and verify its authenticity from multiple sources, out-of-band from each other?
Though it doesn’t appear to be c…

SECCOMP inside a docker container adds an extra layer of security?

Does hardening a binary running inside a Docker container with SECCOMP bring extra security? I can find many articles/papers about hardening the container itself but very few things about hardening binaries inside the container.
SECCOMP w…
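What "an extra layer" means mechanically, as an added example (not code from the question and not Docker's own profile): the kernel runs every seccomp filter attached to a thread and takes the most restrictive verdict, so a filter the binary installs for itself can only narrow what the container profile already allows. Both profiles below are constructed in Docker's seccomp JSON layout (defaultAction plus a syscalls list of {names, action}); the syscall lists are illustrative, not a recommendation.

```python
"""Stack a per-binary seccomp allowlist on top of the container's profile.

Added example, not code from the original question. Profiles use Docker's
seccomp JSON layout; both are constructed and much shorter than Docker's
default profile. Argument filters (rule["args"]) are ignored here: a rule
with args is treated as its plain action, which over-approximates "allow".
"""
import json

# Constructed container-level profile: deny by default, allow a short list.
CONTAINER_PROFILE = json.dumps({
    "defaultAction": "SCMP_ACT_ERRNO",
    "architectures": ["SCMP_ARCH_X86_64"],
    "syscalls": [{
        "names": ["read", "write", "openat", "close", "mmap", "munmap", "futex",
                  "exit_group", "socket", "connect", "execve", "clone",
                  "ptrace", "unshare", "mount"],
        "action": "SCMP_ACT_ALLOW", "args": [],
    }],
})

# Constructed filter the service installs for itself once initialised: the
# process-spawning and namespace syscalls it no longer needs are gone.
BINARY_PROFILE = json.dumps({
    "defaultAction": "SCMP_ACT_ERRNO",
    "syscalls": [{
        "names": ["read", "write", "openat", "close", "mmap", "munmap", "futex",
                  "exit_group", "socket", "connect"],
        "action": "SCMP_ACT_ALLOW", "args": [],
    }],
})

# Syscalls a post-exploitation payload typically reaches for.
POST_EXPLOIT_SYSCALLS = ["execve", "clone", "ptrace", "unshare", "mount", "socket", "read"]


def policy(profile_json: str):
    """Turn one profile into a predicate: syscall name -> allowed?"""
    p = json.loads(profile_json)
    default_allow = p["defaultAction"] == "SCMP_ACT_ALLOW"
    explicit = {}
    for rule in p.get("syscalls", []):
        for name in rule["names"]:
            explicit[name] = rule["action"] == "SCMP_ACT_ALLOW"
    return lambda name: explicit.get(name, default_allow)


def stacked(*profile_jsons):
    """Kernel semantics for several filters on one thread: all of them run and
    the most restrictive verdict wins, so a syscall passes only if every
    filter allows it. A filter added later can narrow, never widen."""
    preds = [policy(pj) for pj in profile_jsons]
    return lambda name: all(pred(name) for pred in preds)


def extra_denials(outer_json: str, inner_json: str, candidates):
    """Syscalls the container profile lets through that the binary's own
    filter blocks: the measurable gain from hardening inside the container."""
    outer, both = policy(outer_json), stacked(outer_json, inner_json)
    return sorted(n for n in candidates if outer(n) and not both(n))


if __name__ == "__main__":
    print("newly denied:", extra_denials(CONTAINER_PROFILE, BINARY_PROFILE, POST_EXPLOIT_SYSCALLS))
```

The gain only exists if the binary installs its filter before it touches untrusted input, and installing one from an unprivileged process requires PR_SET_NO_NEW_PRIVS to be set first (the seccomp(2) call is refused otherwise unless the process has CAP_SYS_ADMIN). Once installed, filters cannot be removed, so an attacker who gets code execution later inherits the narrowed set.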

How can I pass secrets to a compromised container without the attacker being able to see them?

The most common method of passing secrets to a docker container is through ENVs.
The problem is:
Imagine that your docker container is hosting an HTTP server that can have a security exploit (like any software), that will give almost comman…

How to pin public root key when downloading an image with docker pull (Docker Content Trust)?

How can I execute docker pull (with Docker Content Trust enabled) such that it fails if the image doesn’t have a valid signature using the private key corresponding to (or subordinate to) the public key that I provide?
I just discovered th…

How to list all of the known root keys in docker (Docker Content Trust)

How can I list all of the Docker Content Trust root keys on my system?
I am setting up a CI process that will use the debian:stable-latest docker image to build my application’s releases in ephemeral cloud instances. I want to make sure th…
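One piece of working code for the three Docker Content Trust questions above (downloading and verifying a publisher's root key, pinning it for docker pull, and listing the root keys already on the system), added here and not code from the questions, from Docker or from Notary. It assumes the on-disk layout Docker uses for cached trust metadata, ~/.docker/trust/tuf/<registry>/<repo>/metadata/root.json, and the Notary root.json layout (signed.keys holding keytype/keyval.public, signed.roles.root.keyids naming the root-role keys). The fingerprint is this example's own convention, a SHA-256 over the base64-decoded public key material, not Notary's key ID, which hashes the canonical JSON of the key object. The inline root.json is constructed and its key material is not a real certificate.

```python
"""List and pin the root keys in Docker Content Trust's cached TUF metadata.

Added example, not code from the original questions or from Docker/Notary.
docker pull with DOCKER_CONTENT_TRUST=1 trusts the first root it sees for a
repository (TOFU) and caches it; this code reads that cache, lists the root
keys per repository, and fails a pinned repository whose root-role keys are
not all ones you verified out of band.
"""
import base64
import hashlib
import json
from pathlib import Path

# Assumed cache location used by Docker for trust metadata.
TRUST_DIR = Path.home() / ".docker" / "trust" / "tuf"

# Constructed sample root.json; key material is a placeholder, not a certificate.
SAMPLE_PUBLIC_B64 = base64.b64encode(b"constructed, not a real certificate").decode()
SAMPLE_KEYID = "c0ffee" * 10 + "c0ff"          # 64 hex chars, constructed
SAMPLE_ROOT_JSON = json.dumps({
    "signed": {
        "_type": "Root",
        "version": 1,
        "expires": "2030-01-01T00:00:00Z",
        "keys": {
            SAMPLE_KEYID: {"keytype": "ecdsa-x509",
                           "keyval": {"private": None, "public": SAMPLE_PUBLIC_B64}},
            "d" * 64: {"keytype": "ecdsa",
                       "keyval": {"private": None,
                                  "public": base64.b64encode(b"targets key").decode()}},
        },
        "roles": {
            "root": {"keyids": [SAMPLE_KEYID], "threshold": 1},
            "targets": {"keyids": ["d" * 64], "threshold": 1},
        },
        "consistent_snapshot": False,
    },
    "signatures": [{"keyid": SAMPLE_KEYID, "method": "ecdsa", "sig": "..."}],
})


def root_json_path(registry: str, repo: str, trust_dir: Path = TRUST_DIR) -> Path:
    """e.g. root_json_path("docker.io", "library/debian")."""
    return trust_dir / registry / repo / "metadata" / "root.json"


def fingerprint(public_b64: str) -> str:
    """This example's fingerprint: SHA-256 over the decoded public key bytes."""
    return hashlib.sha256(base64.b64decode(public_b64)).hexdigest()


def root_keys(root_json: str):
    """{keyid: (keytype, fingerprint)} for keys in the root role only.
    Targets/snapshot/timestamp keys are signed by root, so pinning root
    covers the subordinate keys as well."""
    signed = json.loads(root_json)["signed"]
    if signed.get("_type", "").lower() != "root":
        raise ValueError("not a root metadata file")
    keys = signed["keys"]
    return {kid: (keys[kid]["keytype"], fingerprint(keys[kid]["keyval"]["public"]))
            for kid in signed["roles"]["root"]["keyids"]}


def list_root_keys(trust_dir: Path = TRUST_DIR):
    """Walk the cache: {"docker.io/library/debian": {keyid: (keytype, fp)}, ...}."""
    result = {}
    for rj in trust_dir.glob("**/metadata/root.json"):
        repo = rj.parent.parent.relative_to(trust_dir).as_posix()
        result[repo] = root_keys(rj.read_text())
    return result


def check_pin(root_json: str, pinned_fingerprints) -> bool:
    """True only if every root-role key is pinned. Any unpinned key in the
    root role could satisfy the signing threshold on its own, so one
    unknown key is a failure, not a partial match."""
    fps = {fp for _, fp in root_keys(root_json).values()}
    return bool(fps) and fps <= set(pinned_fingerprints)


if __name__ == "__main__":
    for repo, keys in list_root_keys().items():
        for kid, (ktype, fp) in keys.items():
            print(f"{repo}\t{kid}\t{ktype}\t{fp}")
```

In CI the sequence is: pull with DOCKER_CONTENT_TRUST=1, then call check_pin on the cached root.json for that repository with fingerprints obtained from two independent channels (the publisher's site and a second source that does not share its infrastructure), and abort the job and discard the image if it returns False. The pull itself cannot refuse an unknown root; the refusal has to happen before the image is used.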