Security Best Practices
The best practices for monitoring and securing container environments are:
Host OS Hardening
Hardening an operating system includes:
- Ensure that both the host OS and the Docker software are updated with the latest security patches.
- Download only verified container images from the downloads page.
- Run Docker as a non-root user without root privileges. This is called Rootless mode. In this mode, Docker and the containers run within a user namespace. Running both the containers and the Docker Engine services as non-root users limits the impact of a breach.
- Prevent denial-of-service attacks by configuring a specified amount of memory and CPU for each container.
- Avoid running sshd within containers.
- Avoid using the default bridge docker0, which is exposed to ARP spoofing and MAC flooding attacks.
- Set the container's root filesystem to read-only to prevent malicious modification.
- Set the process identifier (PID) limit. Each process in the kernel carries a unique PID, and containers use the Linux PID namespace to provide a separate view of the PID hierarchy for each container. Limiting the number of processes in a container prevents excessive spawning of new processes and potential malicious lateral movement.
Patch Management
Patch management involves identifying system features that can be improved or fixed, releasing the update package, and validating the installation of the updates. Patching with software updates and system reconfiguration is part of vulnerability management.
For the latest software and release details, see downloads and Upgrade cRPD.
Security Ports
Guidelines for service ports:
- Ensure that only the approved BGP port (TCP 179), SSH port (TCP 22), NETCONF over SSH port (TCP 830), gRPC telemetry port (TCP 50051), and other protocols and services with a validated business need are running on each system. For example, HTTP and HTTPS load balancers must bind TCP 80 and TCP 443 respectively.
- TCP/IP port numbers below 1024 are considered privileged ports. Avoid mapping any port below 1024 into a container, because these ports carry sensitive data. By default, Docker maps container ports to a host port in the 49153–65525 range, but it also allows a container port to be mapped to a privileged port.
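The following audit script, added here as an example and not part of the cRPD documentation or product, checks the output of `docker inspect` against the host OS hardening list and the privileged-port rule above (read-only root filesystem, PID limit, memory and CPU limits, non-default bridge, no host ports below 1024). The container records, names and resource values are constructed sample data; on a real host, replace SAMPLE_INSPECT with the JSON that `docker inspect` prints.

```python
import json

# Constructed `docker inspect` output for two containers (sample data, not from the page):
# "weak" runs with Docker defaults, "hardened" applies the settings from the list above.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/weak", "HostConfig": {
        "ReadonlyRootfs": False, "PidsLimit": None, "Memory": 0, "NanoCpus": 0,
        "NetworkMode": "bridge",
        "PortBindings": {"179/tcp": [{"HostIp": "", "HostPort": "179"}]}}},
    {"Name": "/hardened", "HostConfig": {
        "ReadonlyRootfs": True, "PidsLimit": 200, "Memory": 2147483648,
        "NanoCpus": 2000000000, "NetworkMode": "crpd-net",
        "PortBindings": {"179/tcp": [{"HostIp": "", "HostPort": "49179"}]}}},
])

PRIVILEGED_PORT_MAX = 1023  # host ports below 1024 are privileged


def audit_container(container: dict) -> list:
    """Check one container record against the hardening list above."""
    name = container.get("Name", "?").lstrip("/")
    hc = container.get("HostConfig", {})
    findings = []
    if not hc.get("ReadonlyRootfs"):
        findings.append(f"{name}: root filesystem is writable; start with --read-only")
    # Docker reports an unset or unlimited PID limit as null, 0 or -1
    if (hc.get("PidsLimit") or 0) <= 0:
        findings.append(f"{name}: no PID limit; use --pids-limit")
    if not hc.get("Memory"):
        findings.append(f"{name}: no memory limit; use --memory")
    if not hc.get("NanoCpus"):
        findings.append(f"{name}: no CPU limit; use --cpus")
    if hc.get("NetworkMode") in ("bridge", "default"):
        findings.append(f"{name}: attached to the default docker0 bridge; use a user-defined network")
    for cport, binds in (hc.get("PortBindings") or {}).items():
        for b in binds:
            hport = int(b.get("HostPort") or 0)  # empty HostPort means Docker picks one
            if 0 < hport <= PRIVILEGED_PORT_MAX:
                findings.append(f"{name}: {cport} published on privileged host port {hport}")
    return findings


def audit_inspect_output(inspect_json: str) -> dict:
    """Map container name -> findings for the JSON array that `docker inspect` prints."""
    return {c["Name"].lstrip("/"): audit_container(c) for c in json.loads(inspect_json)}


if __name__ == "__main__":
    for name, issues in audit_inspect_output(SAMPLE_INSPECT).items():
        print(name, "OK" if not issues else "")
        for issue in issues:
            print("  -", issue)
```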