
Docker in Production - Checklist

This is an article I wrote for Devs to release self-made applications in production securely.

Running web applications in Docker containers or Kubernetes has become the industry standard over the last decade. I am a big fan of Docker because it standardizes infrastructure for software development and for applications in production at the same time.

Over the last couple of years I came up with a checklist to make sure security and best practices are in place before releasing Docker containers into production.

See the ten bullet points below.

...

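1. Least Privileged OS User
-- The OS user itself should have no sudo rights but should be added to the Docker group to properly access Docker functionality. Keep in mind that membership in the Docker group is itself root-equivalent on the host, so only the account that operates the containers should be in it.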

2. Least Privileged Container User
-- While building the image, add a least privileged user to the image OS and switch to this user after installing required OS packages.

3. Copy and install packages first
-- To speed up the build time of Docker images by using Docker's caching feature, packages should be installed first. The rest of the code is copied to the image afterwards.

4. Create folder structures and add correct user permissions
-- To anticipate problems with permissions, all folders should be created and code should be copied during build time of the image. In addition, make sure your least privileged container user is the owner of these folders.

5. Set ARG and ENV variables during build
-- Arguments (ARG) can only be used during the build process, while environment variables (ENV) can be used after starting the containers. For example, use them to set important paths.

6. Use docker-compose
-- Using docker-compose files has many advantages over scripts running single docker commands, e.g. setting up proper networking and volume mounting.

7. One service, one container
-- Always separate your services in separate containers. A good rule of thumb is to have only one service running per container.

8. Restart important containers after errors
-- To achieve a more controlled and automatic restart of containers, use "restart: on-failure" in your docker-compose files.

9. Do not expose ports externally
-- By creating a docker network, docker-compose services are able to communicate with each other within a local network. No ports have to be exposed. External ports are for web proxies only.

10. Save application logs in production
-- If an application writes to log files, these log files will be deleted after rebuilding the container unless volume mounting is used properly. Therefore use volume mounting to mount log files from the container to a specified folder on the OS.
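
Items 2 to 5 combined in one Dockerfile, as an added example that is not part of the original article. The base image, the user name `app`, the UID, the paths and the files `requirements.txt` and `main.py` are assumptions for a small Python web application.

```dockerfile
# Constructed example: base image, user name, UID, paths and file names are assumptions.
FROM python:3.12-slim

# Item 5: ARG exists only while the image is built,
# ENV is still set inside the running container.
ARG APP_UID=10001
ENV APP_HOME=/srv/app \
    LOG_DIR=/srv/app/logs

# Required OS packages are installed as root, before the user switch (item 2).
RUN apt-get update \
 && apt-get install -y --no-install-recommends ca-certificates \
 && rm -rf /var/lib/apt/lists/*

# Item 2: dedicated unprivileged user without a login shell.
RUN groupadd --gid ${APP_UID} app \
 && useradd --uid ${APP_UID} --gid app --no-create-home \
            --shell /usr/sbin/nologin app

# Item 4: create the folder structure at build time and hand it to the app user.
# LOG_DIR is the path a log volume would be mounted on (item 10).
RUN mkdir -p ${APP_HOME} ${LOG_DIR} \
 && chown -R app:app ${APP_HOME}

WORKDIR ${APP_HOME}

# Item 3: copy only the dependency manifest first, so this layer and the
# install below stay cached until requirements.txt itself changes.
COPY --chown=app:app requirements.txt .
RUN pip install --no-cache-dir -r requirements.txt

# The rest of the code comes last; editing it does not invalidate the layers above.
COPY --chown=app:app . .

# Item 2: everything from here on, including the running process, is non-root.
USER app

CMD ["python", "main.py"]
```

Running `docker run --rm <image> id` against the built image should report the `app` UID rather than 0.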

