General Page
Correct Ownership to root:docker
The Docker socket file grants full administrative control over the Docker daemon. Misconfigured ownership increases the risk of privilege escalation and unauthorized access. By ensuring proper ownership (root:docker), only trusted users (system administrators and those in the docker group) can interact with the Docker daemon.
To correct the ownership of the Docker socket file to root:docker:
- Verify the current ownership.
Run:ls -l /var/run/docker.sock - Change the ownership to root:docker.
Run:sudo chown root:docker /var/run/docker.sock - Adjust permissions to restrict access further.
Run:sudo chmod 660 /var/run/docker.sockThis ensures only the owner and group members can read/write to the socket.
- (Optional) Add authorized users to the docker group.
Run:sudo usermod -aG docker - Validate the changes.
Run:ls -l /var/run/docker.sock
Enable User Namespace Remapping
Enabling user namespaces ensures that UIDs and GIDs within the container are mapped to unprivileged IDs on the host, adding an additional layer of isolation and protection.
To enable user namespace:
- Check kernel version.
Run:uname –rNote: Kernel version 3.8 or later is required for user namespace support.
- Check System Configuration. Ensure that user namespaces are supported and enabled in the kernel.
Run:cat /proc/sys/user/max_user_namespacesIf the output is 0, enable it by running:echo 15000 > /proc/sys/user/max_user_namespaces - Modify Docker’s daemon.json configuration file (located at /etc/docker/daemon.json) to enable user namespace remapping. If the daemon.json file is not present, create one in the same directory.
Add the following line:{ "userns-remap": "default" } - Apply the changes by restarting Docker.
Run:systemctl restart docker - Validate the Fix.
- Run docker info and check for userns settings.
- Test container behavior to confirm isolation is in place.
Limit Network Exposure
Secure your Docker Containers by limiting the network exposure. To do this, update the Docker container's port binding configuration to explicitly specify the host IP address to which the port should be bound. This limits network exposure and helps enforce security controls.
- Stop the affected container.
Run:docker stop <container_id> - Re-run the container with explicit host IP binding. For example, bind only to localhost.
Run:docker run -d -p <host ip>:<host_port>:<container_port> <pem_cm-6.2.4-image_name>This ensures the service is accessible only from the local machine or specified network interface.
- Validate the fix by re-checking the container ports with docker ps to ensure no 0.0.0.0 binding exists.
Note: Additional recommendations:
- Try to avoid using the default bridge network. Use Docker's custom networks for isolating container traffic.
- Use services such as firewalld and iptables for restricting the traffic.
Mount Filesystem as read-only
- Setting the filesystem to read-only impacts the application since Tomcat, a PCM dependency, needs to create directories and files in the root /tmp directory. To resolve this, /tmp can be configured as an independent volume.
- If the volume designated for log paths is set to read-only, it will fail to produce log files; therefore, it requires read-write access.
- When integrated with Sterling B2B Integrator, the archive filesystem must have read-write permissions because PCM utilizes the archive directory to download and process files.
After excluding these three directories, you can configure the remaining filesystem as read-only by running the following command during Docker runtime:
docker run -d \
--read-only \
--name pem_cm_containername \
-v ./keystore.p12:/opt/IBM/config/keystore.p12:ro \
-v $(pwd)/application.yml:/opt/IBM/config/application.yml:ro \
-v $(pwd)/db2jcc4.jar:/opt/IBM/PCM/jars/db2jcc4.jar:ro \
-v $(pwd)/tmp:/tmp \
-v ./community-manager-cm.log:/opt/IBM/PCM/logs/community-manager-cm.log \
-e APP=<profile> \
-e LOGGER_LEVEL=<logger level> \
-e DB_PASS=<db_pass> \
-e NODE_PORT=<container port> \
-e NODE_IP=<ip of the server > \
-p <host port>:<containerport> \
<imagename>
Enable Live Restore
The lack of live restore support increases the risk of service disruptions during planned or unplanned Docker daemon shutdowns. Enabling live restore ensures that containers continue to function during system updates, Docker daemon restarts, or maintenance.
- Edit the Docker daemon configuration file located at /etc/docker/daemon.json:
{ "live-restore": true } - Apply the configuration changes by restarting Docker.
Run:systemctl restart docker - Verify the live restore status.
Run:
Ensure that the output is displayed as true.docker info | grep "Live Restore Enabled" - Restart the Docker daemon and verify that running containers continue functioning.
To restart, run:systemctl stop docker
Configure CPU and Memory Limitations
On Linux hosts, if the kernel detects insufficient memory for critical system functions, it begins terminating processes to free up memory. This may cause the entire system to crash if a critical process is terminated. As a result, it is important not to allow a running container to consume too much of the host machines memory.
Docker allows you to set the amount of CPU or memory a container can use by specifying runtime configuration flags with the docker run command. Setting these limits will prevent the container from using excessive memory of the host machine.
- Run the following command to check the resource utilization of a running container:
sudo docker stats <container_name> - Run the following command to set the resource limits during runtime:
docker run --memory="2g" --cpus="2"
Configure Health Check
Add a health check to container configurations to monitor their runtime state. Without a configured health check, Docker cannot automatically detect or recover from unhealthy states, potentially impacting service reliability. Adding a health check ensures proactive monitoring of container health and enables automated actions like restarting unhealthy containers to minimize service disruption.
Run the command:
docker run -d \
--name pcm1 \
--health-cmd=""curl -s -o /dev/null -w ""%
{http_code}
"" --insecure https://localhost:$NODE_PORT/ | grep -q 200 && echo ""0"" || exit 1"" \
--health-interval=30s \
--health-timeout=10s \
--health-retries=1 \
--health-start-period=50s \
<image>
Configure Auditing
Docker provides detailed logging for its daemon activities. To enable logging:
- Enable Docker Daemon Logging by adding the following docker logging configuration to the daemon.json file located at /etc/docker/daemon.json:
{ "debug": true, "log-level": "info", "log-driver": "json-file", "log-opts": { "max-size": "10m", "max-file": "3" } } - Restart Docker.
Run:sudo systemctl restart docker - (Optional) Integrate with Linux Audit Framework (auditd) to monitor Docker related activities.
Auditd is installed by default on Red Hat Enterprise Linux 7 and later.
To manually install auditd, run:sudo df install auditd - Create rules to audit Docker-related files and binaries. For example:
-
sudo auditctl -w /usr/bin/docker -p rwxa -k docker_audit -
sudo auditctl -w /var/run/docker.sock -p rwxa -k docker_audit
- w: Specifies the file or directory to watch.
- p rwxa: Monitors read, write, execute, and attribute changes.
- k: Adds a key to filter events.
-
- View audit logs.
Run:
Or (Optional):sudo ausearch -k docker_audit
Or:sudo cat /var/log/audit/audit.logsudo aureport
Was this topic helpful?
Document Information
Modified date:
27 February 2025
UID
ibm17184178