Introduction
Docker containers share the host kernel: isolation comes from kernel namespaces, cgroups and capabilities, not from a hypervisor, so a kernel bug or a careless run-time flag can give a process in the container access to the host. The practices below make a breakout harder and limit what a compromised container can do with the access it already has.
Run as Non-Root
By default the container's process runs as uid 0. Without user-namespace remapping that is the same uid 0 as root on the host, so any breakout, and anything you bind-mount into the container, becomes a root-level problem. Create an unprivileged user in the image and switch to it as the last step, so that build steps still run as root but the entrypoint does not.

# Dockerfile
FROM node:20-alpine
# -S creates a system user/group: no password, no login shell
RUN addgroup -S appgroup && adduser -S appuser -G appgroup
WORKDIR /app
# --chown makes the files readable by appuser without an extra chown layer
COPY --chown=appuser:appgroup . .
# Switch last: everything after this line, including CMD, runs as appuser
USER appuser
CMD ["node", "server.js"]

Confirm it at runtime by running id inside the container; it should not report uid=0. (The official node images also ship a ready-made node user, uid 1000, if you prefer not to create your own.)
Use Read-Only Filesystems
A read-only root filesystem stops a compromised process from dropping tools, patching the application, or persisting inside the container. The --tmpfs gives it a scratch directory that is mounted noexec and nosuid, so it cannot be used to stage and run a binary either:

docker run --read-only --tmpfs /tmp:rw,noexec,nosuid myapp

Run the application once with this flag and watch for "read-only file system" errors: every path it legitimately writes to (caches, sockets, PID files, uploads) needs its own --tmpfs or a volume.
Limit Resources
Resource limits turn a fork bomb, a memory leak or a CPU-burning loop inside one container into that container's problem instead of the whole host's:

docker run -d \
  --memory=512m \
  --cpus=1.0 \
  --pids-limit=100 \
  myapp

--memory is a cgroup limit; the container is OOM-killed when it exceeds it. Note that with --memory alone the container may still use an equal amount of swap if the host has any, so add --memory-swap=512m when you want a hard ceiling. --pids-limit caps the number of processes and threads, which is what actually stops a fork bomb.
Network Isolation
Put backend services on a network the outside world cannot reach. A network created with --internal has no route to the host's external interfaces, so containers on it can neither accept published ports nor make outbound connections:

# Create an isolated network for backend services
docker network create --internal backend
# The database lives only on the internal network: nothing published, no egress
docker run -d --name mydb --network backend mydb
# Only expose what's needed. The web app is created on the default bridge
# network so its published port works (a container that is only on an
# internal network cannot be reached through -p), then attached to
# backend so it can reach the database.
docker run -d --name mywebapp -p 80:80 mywebapp
docker network connect backend mywebapp

Keep the published surface to the web container alone; if the database needs no access from the host at all, it needs no -p flag at all.
Image Security
- Use minimal base images (Alpine, distroless): fewer packages means fewer CVEs to patch and fewer tools for an attacker to use after a compromise
- Pin image versions. Never use :latest in production; a tag can be moved to a different image, so for reproducible builds pin to the digest (image@sha256:...) as well as the tag
- Scan images for vulnerabilities before they ship, and again on a schedule, because new CVEs are published against images that have not changed:
docker scout cves myimage
- Use multi-stage builds so compilers, package managers and test dependencies stay in the build stage and never reach the production image
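The Dockerfile below is an added example, not one from the original page, combining three of the points above: digest pinning, a multi-stage build, and a non-root runtime user as in the Run as Non-Root section. The digest placeholders must be replaced with the real value (docker pull prints it, as does docker buildx imagetools inspect node:20-alpine); the npm scripts and the dist/ output path are assumptions about the application.

```dockerfile
# Added example, not code from the original page.
# Stage 1: build with the full toolchain. Pin by digest as well as tag;
# the sha256 below is a placeholder to be replaced with the real digest.
FROM node:20-alpine@sha256:<digest-from-docker-pull> AS build
WORKDIR /src
COPY package.json package-lock.json ./
RUN npm ci
COPY . .
# Assumed: the project has a build script and produces dist/
RUN npm run build && npm prune --omit=dev

# Stage 2: runtime image. Same pinned base, no compilers, no dev dependencies,
# no source tree, and an unprivileged user owning only what it needs to read.
FROM node:20-alpine@sha256:<digest-from-docker-pull>
RUN addgroup -S appgroup && adduser -S appuser -G appgroup
WORKDIR /app
COPY --from=build --chown=appuser:appgroup /src/dist ./dist
COPY --from=build --chown=appuser:appgroup /src/node_modules ./node_modules
COPY --from=build --chown=appuser:appgroup /src/package.json ./
USER appuser
CMD ["node", "dist/server.js"]
```

Everything in the build stage, including npm's cache and any credentials used during npm ci, is discarded; only the three COPY --from lines reach the final image, so that is the complete list of what an attacker inside the container can read.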
Secrets Management
Anything baked into an image (a COPY of a .env file, an ARG or ENV holding a password) is readable by everyone who can pull the image, through docker history or by unpacking the layers. Runtime environment variables are better but still leak: docker inspect shows them to anyone with access to the Docker socket, and every child process inherits them. Prefer a file mounted read-only and tell the application where to find it:

# Never put secrets in Dockerfiles or images
# Pass the secret as a read-only file; the app reads the path given in
# DB_PASSWORD_FILE. Bind-mount sources must be absolute paths.
docker run -e DB_PASSWORD_FILE=/run/secrets/db_pass \
  -v "$PWD/secrets/db_pass:/run/secrets/db_pass:ro" myapp

The file on the host should be readable only by the uid the container runs as (mode 0400), otherwise the read-only mount protects it from modification but not from every other user in the container. With Swarm or Compose, a secrets: entry performs the same mount under /run/secrets for you.