Skip to content

6.15 Docker Security Fundamentals

Abstract

Containers share the host kernel, so proper security configuration is critical. Docker provides isolation using Linux namespaces, users, and capabilities to limit what containers can do on the host.

Container Isolation with Namespaces

Docker uses Linux namespaces to isolate containers from the host and from each other.

Each container gets its own view of:

  • Processes
  • Network interfaces
  • Filesystems
  • Users
  • IPC resources

Example container run:

docker run ubuntu sleep 3600

Inside the container:

ps aux

The container sees its process as:

PID 1 sleep 3600

But on the host the same process appears with a different PID.

Note

The container sees only processes inside its namespace, while the host can see all processes.

User Security in Containers

By default, Docker runs containers as root user (UID 0).

Example:

docker run ubuntu sleep 3600

Inside container:

USER root
PID 1 sleep

Running containers as root is not recommended for production.

Running Containers as Non‑Root

You can specify a different user when running a container.

docker run --user=1001 ubuntu sleep 3600

FROM ubuntu
USER 1000

Tip

Defining the user inside the Dockerfile ensures all containers run with restricted privileges.

Linux Capabilities

Instead of giving containers full root privileges, Docker uses Linux Capabilities to limit what root can do.

Examples of capabilities:

  • CHOWN
  • DAC_OVERRIDE
  • KILL
  • SETUID
  • SETGID
  • NET_BIND_SERVICE
  • NET_ADMIN
  • SYS_ADMIN
  • AUDIT_WRITE

Full list available in:

/usr/include/linux/capability.h

Note

Docker containers run with a reduced capability set by default.

Managing Capabilities

Add a Capability

docker run --cap-add=NET_ADMIN ubuntu

Remove a Capability

docker run --cap-drop=KILL ubuntu

Run with All Privileges

docker run --privileged ubuntu

Danger

The --privileged flag gives containers full host capabilities and should almost never be used in production.

Production Security Best Practices

Recommended Production Practices

  • Run containers as non-root users
  • Drop unnecessary Linux capabilities
  • Avoid privileged containers
  • Use minimal base images
  • Apply image vulnerability scanning
  • Use read‑only filesystems when possible
  • Restrict network access with policies

Do's and Don'ts

Do

  • Use USER in Dockerfile
  • Drop unused capabilities
  • Scan container images regularly
  • Use minimal base images (Alpine / Distroless)

Don't

  • Don't run containers as root
  • Don't use --privileged unless absolutely necessary
  • Don't grant unnecessary capabilities
  • Don't run containers with host mounts unless required

Quick Security Checklist

Before running containers

  • Is the container running as non-root?
  • Are unnecessary capabilities removed?
  • Is the image trusted and scanned?
  • Is the container avoiding privileged mode?

Summary

Quote

  • Docker isolates containers using Linux namespaces
  • Containers share the host kernel
  • By default containers run as root
  • Linux capabilities restrict root privileges
  • Production systems must enforce least privilege