Description
Prerequisites
- I have searched existing and closed feature requests
Proposal
Each existing stack needs to be reviewed to determine how it can best implement our list of Docker security best practices.
- glance
- gluetun
- godns
- jellyfin
- ntfy
- pocketid
- prowlarr
- qbittorrent:
  - qbittorrent
  - qui
- radarr
- seerr
- sonarr
- traefik:
  - traefik
  - tinyauth
  - cetusguard
  - whoami
Motivation
Security is a vital part of why the karo-stack was originally developed, and whilst running Docker rootless solves a lot of problems, there are still security improvements that each stack should try to implement.
Context
The initial months of development work on the karo-stack left little time for additional security testing of each stack. Instead, it was vital to reach stability first, with confidence in a working version of each stack.
Now that this has been achieved, the list of best practices should be applied to the existing stacks. If any issues are encountered, it may take some trial and error to figure out which security setting is responsible.
Docker security best practices list

```yaml
user: 1000:1000
# avoids running as root inside the container
# (not always respected, sometimes set via environment variables)
tty: false
stdin_open: false
# prevents attaching an interactive shell
read_only: true
# changes the container's file system to read-only
# (can't be applied to containers that use Docker secrets)
security_opt:
  - no-new-privileges:true
# reduces risk of privilege escalation post start-up
tmpfs:
  - /tmp:rw,noexec,nosuid,nodev
# prevents executing binaries from /tmp
# reduces the risk of local privilege escalation
cap_drop:
  - ALL
# drops all Linux capabilities from the container's processes
# (containers that require capabilities can have them added back after this line)
```

Useful sources
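As an added check for the checklist above (example code written for this issue, not part of the karo-stack project or its sources), the script below reads the JSON that `docker inspect <container...>` prints and reports which of the listed settings a running container is missing. Each compose key maps to a field of the inspect record (`user` to `Config.User`, `read_only` to `HostConfig.ReadonlyRootfs`, `security_opt` to `HostConfig.SecurityOpt`, `tmpfs` to `HostConfig.Tmpfs`, `cap_drop` to `HostConfig.CapDrop`), so the audit can confirm that a setting actually took effect after the trial-and-error described in the context section. The two container records embedded at the bottom are constructed samples, not real output.

```python
"""Audit `docker inspect` output against the Docker hardening checklist.

Added example, not part of the karo-stack project. The sample records at
the bottom are constructed to look like `docker inspect` output.
"""
import json
import sys

# Mount options the checklist expects on the /tmp tmpfs.
REQUIRED_TMP_OPTS = {"noexec", "nosuid", "nodev"}


def audit_container(info: dict) -> list[str]:
    """Return findings for one inspect record (an empty list means every check passed)."""
    findings = []
    cfg = info.get("Config") or {}
    host = info.get("HostConfig") or {}

    # user: 1000:1000 -> Config.User ("" means the image default, which is normally root)
    user = cfg.get("User") or ""
    if not user or user.split(":")[0] in ("0", "root"):
        findings.append(f"runs as root (Config.User={user!r})")

    # tty: false / stdin_open: false -> Config.Tty / Config.OpenStdin
    if cfg.get("Tty"):
        findings.append("Tty enabled")
    if cfg.get("OpenStdin"):
        findings.append("OpenStdin enabled")

    # read_only: true -> HostConfig.ReadonlyRootfs
    if not host.get("ReadonlyRootfs"):
        findings.append("root filesystem is writable")

    # security_opt: no-new-privileges:true -> HostConfig.SecurityOpt
    sec_opts = host.get("SecurityOpt") or []
    if not any(o.startswith("no-new-privileges") and not o.endswith("false") for o in sec_opts):
        findings.append("no-new-privileges not set")

    # tmpfs: /tmp:rw,noexec,nosuid,nodev -> HostConfig.Tmpfs {"/tmp": "rw,noexec,nosuid,nodev"}
    tmpfs = host.get("Tmpfs") or {}
    if "/tmp" not in tmpfs:
        findings.append("no tmpfs mounted on /tmp")
    else:
        missing = REQUIRED_TMP_OPTS - set(tmpfs["/tmp"].split(","))
        if missing:
            findings.append("/tmp tmpfs missing options: " + ",".join(sorted(missing)))

    # cap_drop: ALL -> HostConfig.CapDrop; capabilities added back afterwards show up in CapAdd
    cap_drop = [c.upper() for c in (host.get("CapDrop") or [])]
    if "ALL" not in cap_drop:
        findings.append(f"capabilities not dropped (CapDrop={cap_drop!r})")
    cap_add = host.get("CapAdd") or []
    if cap_add:
        # Not a failure by itself, but each re-added capability deserves a second look.
        findings.append("review capabilities added back: " + ",".join(cap_add))

    return findings


def audit_inspect_json(text: str) -> dict[str, list[str]]:
    """Map container name -> findings for the JSON array that `docker inspect` prints."""
    return {info["Name"]: audit_container(info) for info in json.loads(text)}


# Constructed sample records (not real containers): one that follows the
# checklist and one left at Docker's defaults.
HARDENED = {
    "Name": "/hardened",
    "Config": {"User": "1000:1000", "Tty": False, "OpenStdin": False},
    "HostConfig": {
        "ReadonlyRootfs": True,
        "SecurityOpt": ["no-new-privileges:true"],
        "Tmpfs": {"/tmp": "rw,noexec,nosuid,nodev"},
        "CapDrop": ["ALL"],
        "CapAdd": None,
    },
}
DEFAULTS = {
    "Name": "/defaults",
    "Config": {"User": "", "Tty": True, "OpenStdin": True},
    "HostConfig": {"ReadonlyRootfs": False, "SecurityOpt": None, "Tmpfs": None, "CapDrop": None, "CapAdd": None},
}
SAMPLE_INSPECT_OUTPUT = json.dumps([HARDENED, DEFAULTS])

if __name__ == "__main__":
    # Usage: docker inspect <container...> | python audit.py   (falls back to the samples)
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_INSPECT_OUTPUT
    for name, findings in audit_inspect_json(text).items():
        print(name, "OK" if not findings else "")
        for finding in findings:
            print("  -", finding)
```

Pipe the output of `docker inspect` for a whole stack into the script after changing one setting at a time; a setting that did not take effect (for example a `user:` overridden by the image's own entrypoint) shows up as a finding even though the compose file looks correct.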