2,292 bytes added, 18:12, 19 December 2023
→Docker in Docker: more security focus
Docker does not respect your host firewall by default: it manages its own iptables chains, so container ports can end up reachable regardless of the rules you set on the host, a potentially gaping security hole. This has been a [https://github.com/docker/for-linux/issues/690 reported bug since 2018]. One fix is to [https://www.smarthomebeginner.com/traefik-docker-security-best-practices/#10_Change_DOCKER_OPTS_to_Respect_IP_Table_Firewall set the DOCKER_OPTS] configuration parameter. Another is to add a jump rule to UFW. The bug report links to docs and multiple references.
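A quick way to see whether this bites you on a given host is to look at the filter table Docker builds. The script below is an added example, not part of this wiki page or of Docker itself: it parses an <code>iptables-save</code> dump (a constructed sample is embedded, captured from no real host), lists the ports Docker forwards into containers via its <code>DOCKER</code> chain, and reports whether the <code>DOCKER-USER</code> chain carries anything beyond Docker's default <code>-j RETURN</code>. Docker evaluates <code>DOCKER-USER</code> before its own rules, so that chain is where a host-side restriction has to live; an empty one means UFW's chains never see the forwarded traffic.

```python
"""Audit an iptables-save dump for Docker rules that bypass the host firewall.

Added example (not from the wiki page or from Docker). The DOCKER chain holds
one ACCEPT per published port; DOCKER-USER is the hook Docker leaves for the
administrator and contains only "-j RETURN" until someone adds rules to it.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample: filter table of a UFW host running Docker, no mitigation.
SAMPLE_DUMP = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:DOCKER - [0:0]
:DOCKER-USER - [0:0]
:ufw-user-forward - [0:0]
-A FORWARD -j DOCKER-USER
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -j ufw-user-forward
-A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 5432 -j ACCEPT
-A DOCKER -d 172.17.0.3/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 6379 -j ACCEPT
-A DOCKER-USER -j RETURN
COMMIT
"""

PUBLISHED_RE = re.compile(r"-A DOCKER -d (\S+) .*--dport (\d+) -j ACCEPT")


def parse_filter_chains(dump: str) -> Dict[str, List[str]]:
    """Return {chain_name: [rule, ...]} for the *filter table only."""
    chains: Dict[str, List[str]] = {}
    in_filter = False
    for raw in dump.splitlines():
        line = raw.strip()
        if line.startswith("*"):            # table header, e.g. *filter / *nat
            in_filter = line == "*filter"
        elif in_filter and line.startswith(":"):
            chains.setdefault(line[1:].split()[0], [])   # chain declaration
        elif in_filter and line.startswith("-A "):
            chains.setdefault(line.split()[1], []).append(line)
    return chains


def published_ports(chains: Dict[str, List[str]]) -> List[Tuple[str, int]]:
    """(container address, port) pairs Docker accepts from non-docker0 interfaces."""
    found = []
    for rule in chains.get("DOCKER", []):
        m = PUBLISHED_RE.match(rule)
        if m:
            found.append((m.group(1), int(m.group(2))))
    return found


def docker_user_restricts(chains: Dict[str, List[str]]) -> bool:
    """True once DOCKER-USER holds any rule other than Docker's default RETURN."""
    return any(not r.endswith("-j RETURN") for r in chains.get("DOCKER-USER", []))


def audit_firewall(dump: str) -> dict:
    chains = parse_filter_chains(dump)
    ports = published_ports(chains)
    restricted = docker_user_restricts(chains)
    return {
        "published": ports,
        "docker_user_restricts": restricted,
        # Published ports with an untouched DOCKER-USER chain: host rules are bypassed.
        "exposed": bool(ports) and not restricted,
    }


if __name__ == "__main__":
    print(audit_firewall(SAMPLE_DUMP))
```

Run it against a real dump with <code>iptables-save | python3 audit_firewall.py</code> style plumbing by swapping <code>SAMPLE_DUMP</code> for <code>sys.stdin.read()</code>. One caveat: the filter-table rule does not record the host address a port was bound to, so a port published only on <code>127.0.0.1</code> still shows up here; the nat table's DNAT rule is where that bind address appears.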
== Docker Downsides ==
One major negative of Docker's system architecture is that it relies on a server daemon. Unlike [[Podman]], Docker's Engine can use up 4GB of RAM just sitting idle. A similar thing happens with WSL2 on Windows.<ref>https://news.ycombinator.com/item?id=26897095</ref>

== Future Reading ==
# The compose application model https://docs.docker.com/compose/compose-file/02-model/
# Understand how moby [https://github.com/moby/buildkit buildkit] is integrated with [https://github.com/docker/buildx buildx] (or docker) and use it.
# Interesting read about docker commit https://adamtheautomator.com/docker-commit/
Inspect your running container based on its container name (note that the <code>awk</code> pattern matches any row of the listing that contains <code>app2</code>, image names included):
<syntaxhighlight lang="bash">
docker inspect $(docker container ls | awk '/app2/ {print $1}')
</syntaxhighlight>
== Docker in Docker ==
Before you get 'fancy' with Docker, be sure to read and understand the security best practices for Docker: https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html
Containers (unlike virtual machines) share the kernel with the host, therefore kernel exploits executed inside a container will directly hit the host kernel. For example, a kernel privilege escalation exploit ([https://github.com/scumjr/dirtycow-vdso like Dirty COW]) executed inside a well-insulated container will result in root access on the host. That said, https://devopscube.com/run-docker-in-docker/ presents several use cases and techniques for DinD.

=== Docker In Docker ===
The DinD method is '''Docker inside Docker'''. Docker provides a special Docker container with the <tt>dind</tt> tag which is pre-configured to run Docker inside the container image. An example of Docker In Docker would be running Docker inside a Docker image on Windows Subsystem for Linux (WSL):
# Install Docker Desktop for Windows.
# Enable the WSL 2 backend in Docker Desktop settings.
# Set WSL 2 as your default version: <code>wsl --set-default-version 2</code> in PowerShell.
# Install a Linux distribution from the Microsoft Store (Ubuntu, for example).
# Open your Linux distribution (WSL 2 instance), and install Docker.
# Add your user to the Docker group to manage Docker as a non-root user: <code>sudo usermod -aG docker $USER</code>.
# Test Docker with: <code>docker run hello-world</code>.
Running Docker inside Docker can lead to some security and functionality issues. It's often better to use the Docker daemon of the host machine. You can do this by mounting the Docker socket from the host into the container. See the "Docker outside of Docker" section.

=== Docker outside of Docker ===
The DooD method, '''Docker outside of Docker''', uses the docker socket of the host system from inside containers by mounting the host socket into the filesystem of the container.
Try curl to see how different processes can communicate through a socket on the same host: <syntaxhighlight lang="bash">
</syntaxhighlight>
While there are benefits to using the DooD method, you are giving your containers full control over the Docker daemon, which effectively is '''root on the host system'''. To mitigate these risks, again refer to [https://docs.docker.com/engine/security/ the Security model of Docker], the [https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html Docker Security Cheat Sheet from OWASP] and be sure to run your Docker daemon as an unprivileged user.
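Because a mounted socket or a <code>--privileged</code> flag is easy to lose track of once a DooD or DinD setup is in place, it is worth auditing what is actually running. The script below is an added example, not part of this wiki page or of Docker: it takes the JSON array that <code>docker inspect</code> prints for one or more containers (a constructed sample is embedded here in place of real output) and flags each container that holds root-equivalent access to the host through the Docker socket, <code>--privileged</code>, or the host PID namespace. The container names in the sample are made up.

```python
"""Flag containers that effectively hold root on the host.

Added example (not from the wiki page or from Docker). Input is the JSON array
printed by `docker inspect <container> ...`; the sample below is constructed.
"""
import json
from typing import Dict, List

# Paths the Docker daemon listens on by default (the second is the same socket
# reached through /run instead of /var/run).
DOCKER_SOCKETS = ("/var/run/docker.sock", "/run/docker.sock")

# Constructed sample: a CI runner with the host socket mounted, a privileged
# dind container, and an ordinary web container with a read-only content bind.
SAMPLE_INSPECT = json.dumps([
    {
        "Name": "/ci-runner",
        "HostConfig": {"Privileged": False, "PidMode": "",
                       "Binds": ["/var/run/docker.sock:/var/run/docker.sock"]},
        "Mounts": [{"Type": "bind", "Source": "/var/run/docker.sock",
                    "Destination": "/var/run/docker.sock", "RW": True}],
    },
    {
        "Name": "/dind",
        "HostConfig": {"Privileged": True, "PidMode": "", "Binds": []},
        "Mounts": [],
    },
    {
        "Name": "/web",
        "HostConfig": {"Privileged": False, "PidMode": "",
                       "Binds": ["/srv/web:/usr/share/nginx/html:ro"]},
        "Mounts": [{"Type": "bind", "Source": "/srv/web",
                    "Destination": "/usr/share/nginx/html", "RW": False}],
    },
])


def findings_for(container: dict) -> List[str]:
    """Return the host-root-equivalent settings found on one container record."""
    host = container.get("HostConfig", {})
    found: List[str] = []
    for m in container.get("Mounts", []):
        if m.get("Type") == "bind" and m.get("Source") in DOCKER_SOCKETS:
            # ":ro" only makes the socket node read-only; connecting still works,
            # so both variants are reported.
            mode = "rw" if m.get("RW") else "ro"
            found.append(f"docker socket mounted ({mode})")
    if host.get("Privileged"):
        found.append("--privileged")
    if host.get("PidMode") == "host":
        found.append("host PID namespace")
    return found


def audit_containers(inspect_json: str) -> Dict[str, List[str]]:
    """Map container name (without the leading slash) to its findings."""
    return {c["Name"].lstrip("/"): findings_for(c) for c in json.loads(inspect_json)}


if __name__ == "__main__":
    for name, issues in audit_containers(SAMPLE_INSPECT).items():
        print(f"{name}: {', '.join(issues) or 'ok'}")
```

On a live host, feed it <code>docker inspect $(docker ps -q)</code> instead of the sample. The read-only case is reported on purpose: mounting the socket with <code>:ro</code> restricts the filesystem node, not the API behind it, so it does not reduce what a process inside the container can ask the daemon to do.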
=== For security, use Nestybox Sysbox runtime ===
See https://github.com/nestybox/sysbox

{{References}}
[[Category:Virtualization]]
[[Category:DevOps]]
[[Category:Kubernetes]]