Docker Security Best Practices
Disable Inter-Container Communication (ICC)
By default, all containers on a single host can communicate with each other via the docker0 bridge network. The docker0 bridge is created automatically when Docker is installed, and every container is attached to it unless specified otherwise (for example, when the container is placed on a user-defined network).
While this makes development easy, it increases security risk: if one container is compromised, an attacker can perform "lateral movement", scanning and attacking the other containers on the same host.
Here is a demonstration of inter-container communication:
# Run a busybox container in the background
docker run -d --name busybox1 busybox sleep 3600
# Get the IP address of busybox1 on the default bridge
IP=$(docker inspect -f '{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}' busybox1)
# From another container, ping the first container using its IP address
docker run --rm busybox ping -c 1 "$IP"
To prevent this, you can disable inter-container communication (ICC) by setting "icc": false in the Docker daemon configuration file (/etc/docker/daemon.json):
# Create or modify the Docker daemon configuration file
# Note: this heredoc overwrites the whole file; if daemon.json already
# contains other settings, add the "icc" key to the existing JSON instead.
cat > /etc/docker/daemon.json <<'EOF'
{
  "icc": false
}
EOF
# Restart the Docker daemon to apply the changes
systemctl restart docker
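The daemon-level "icc" flag only governs the default docker0 bridge; a user-defined bridge network keeps ICC enabled unless it was created with the driver option com.docker.network.bridge.enable_icc=false. The audit below is an added example, not code from the page or from Docker: it takes the contents of daemon.json and the JSON printed by "docker network inspect" (a constructed sample is embedded) and reports, per bridge network, whether containers on it can still reach each other.

```python
import json
from typing import Dict

ICC_OPT = "com.docker.network.bridge.enable_icc"
DEFAULT_OPT = "com.docker.network.bridge.default_bridge"


def icc_enabled_per_network(daemon_json: str, inspect_json: str) -> Dict[str, bool]:
    """Return {network name: True if ICC is still enabled on that network}.

    daemon_json  : contents of /etc/docker/daemon.json ("" if the file is absent)
    inspect_json : output of `docker network inspect $(docker network ls -q)`
    Only bridge-driver networks are reported. The daemon "icc" flag is used for
    the default bridge when its Options do not carry the enable_icc key; a
    user-defined bridge without the key keeps Docker's default (ICC enabled).
    """
    daemon_cfg = json.loads(daemon_json) if daemon_json.strip() else {}
    daemon_icc = bool(daemon_cfg.get("icc", True))  # Docker's default is true
    result: Dict[str, bool] = {}
    for net in json.loads(inspect_json):
        if net.get("Driver") != "bridge":
            continue
        opts = net.get("Options") or {}
        is_default = opts.get(DEFAULT_OPT, "false").lower() == "true" or net.get("Name") == "bridge"
        if ICC_OPT in opts:
            enabled = str(opts[ICC_OPT]).lower() == "true"
        else:
            enabled = daemon_icc if is_default else True
        result[net["Name"]] = enabled
    return result


def report(findings: Dict[str, bool]) -> list:
    """Human-readable lines, one per bridge network."""
    return [
        f"{name}: {'OPEN - containers can reach each other' if enabled else 'isolated'}"
        for name, enabled in sorted(findings.items())
    ]


# Constructed sample: daemon.json disables ICC, but the user-defined network
# "appnet" was created without the enable_icc option and is therefore still open.
SAMPLE_DAEMON_JSON = '{"icc": false}'
SAMPLE_INSPECT = json.dumps([
    {"Name": "bridge", "Driver": "bridge", "Options": {DEFAULT_OPT: "true", ICC_OPT: "false"}},
    {"Name": "appnet", "Driver": "bridge", "Options": {}},
    {"Name": "host", "Driver": "host", "Options": {}},
])

if __name__ == "__main__":
    for line in report(icc_enabled_per_network(SAMPLE_DAEMON_JSON, SAMPLE_INSPECT)):
        print(line)
```

On a real host, feed it `cat /etc/docker/daemon.json` and `docker network inspect $(docker network ls -q)`; any network reported OPEN should be recreated with `-o com.docker.network.bridge.enable_icc=false`.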
Painless Docker - 2nd Edition: A Comprehensive Guide to Mastering Docker and its Ecosystem