Protect Your Docker Hosts With These Techniques


Docker lets engineers build and deploy enterprise software without worrying about package dependencies, but it also brings its own security problems: every container on a host shares the host's kernel, so a kernel flaw or a weak container configuration exposes all the other containers and the host itself.

In this brief post we outline five ways to protect your Docker hosts from attacks such as denial of service, malicious images, unintended root privileges, and so on.

  • How to Avoid Kernel System Attacks In a Docker Ecosystem:

To reduce the impact of kernel attacks, install and run the Docker engine inside a virtual machine rather than directly on the physical host. A container escape then only reaches the guest kernel, and the hypervisor still separates that guest from the physical machine and from other tenants. The VM does not prevent the escape itself, so the guest kernel still has to be kept patched.

  •     How to Avoid Excessive Memory Usage by Programs Running on Containers

A program running in a container can consume far more memory than was intended for it, whether through a bug or because a malicious program is running on the same host as legitimate ones, and without a limit it can starve every other container and the host. Use cgroups (control groups) to cap the memory, CPU and process count each container or application instance may use.

cgroups are a Linux kernel feature for limiting a group of processes to a set of resources; Docker exposes them through flags such as --memory, --cpus and --pids-limit on docker run. A container started without these flags has no limit at all.

Also make sure you are running the latest version of the Docker engine, since resource-isolation bugs are fixed there.

  •   How to Avoid Container Attack Escalation

By default the processes inside a container run as root, and the Docker daemon itself runs as root on the host. A malicious program that gains execution inside a container therefore already holds root within its namespace, and a kernel vulnerability, an added capability or the --privileged flag can then turn that into control of the host kernel. Run containers as a non-root user, avoid --privileged and extra capabilities, and run the Docker host itself on a virtual machine.

Running the Docker host on a virtual machine puts the hypervisor between an escaped container and the physical machine, so an attacker who reaches the guest kernel still has a second barrier to cross before the rest of the infrastructure is at risk.
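As an added example (not code from the original post), the following Python script audits `docker inspect` output against the two sections above: it flags containers with no memory, CPU or pids limit, containers that run as root, and containers started with --privileged or added capabilities. It assumes the JSON field names that `docker inspect` emits (HostConfig.Memory, HostConfig.MemorySwap, HostConfig.PidsLimit, HostConfig.NanoCpus, HostConfig.Privileged, HostConfig.CapAdd, Config.User); the three container records embedded in it are constructed for the example, not captured from a real host.

```python
"""Audit `docker inspect` output for missing cgroup limits and root/privileged containers.

Added example for this post. Assumes the JSON shape produced by `docker inspect`;
the SAMPLE_INSPECT records below are constructed, not real captures.
"""
import json
import sys

# Constructed sample: what `docker inspect web-unlimited web-limited agent-privileged`
# might return for a container left at defaults, a hardened one, and a privileged one.
SAMPLE_INSPECT = json.dumps([
    {
        "Name": "/web-unlimited",
        "Config": {"User": "", "Image": "nginx:latest"},
        "HostConfig": {"Memory": 0, "MemorySwap": 0, "PidsLimit": None, "NanoCpus": 0,
                       "Privileged": False, "CapAdd": None},
    },
    {
        "Name": "/web-limited",
        "Config": {"User": "10001:10001", "Image": "nginx:1.25"},
        "HostConfig": {"Memory": 536870912, "MemorySwap": 536870912, "PidsLimit": 200,
                       "NanoCpus": 1000000000, "Privileged": False, "CapAdd": None},
    },
    {
        "Name": "/agent-privileged",
        "Config": {"User": "root", "Image": "agent:dev"},
        "HostConfig": {"Memory": 268435456, "MemorySwap": -1, "PidsLimit": 0, "NanoCpus": 0,
                       "Privileged": True, "CapAdd": ["SYS_ADMIN"]},
    },
])

ROOT_NAMES = {"", "root", "0"}


def is_root_user(user):
    """True if a Config.User string ("", "root", "0:0", "app", "10001:10001") means uid 0.

    An empty string means the image's USER was never overridden, which is root
    unless the Dockerfile set USER, so it is treated as root here.
    """
    return user.split(":", 1)[0] in ROOT_NAMES


def audit_container(rec):
    """Return the list of findings for one `docker inspect` record."""
    hc = rec.get("HostConfig") or {}
    cfg = rec.get("Config") or {}
    findings = []

    # cgroup limits: 0 / null in these fields means "no limit".
    memory = hc.get("Memory") or 0
    if memory == 0:
        findings.append("no memory limit: add --memory")
    elif hc.get("MemorySwap") != memory:
        # MemorySwap == Memory disables swap; -1 is unlimited, 0 defaults to 2x Memory.
        findings.append("swap not disabled: set --memory-swap equal to --memory")
    if not hc.get("PidsLimit"):
        findings.append("no pids limit: add --pids-limit (fork-bomb protection)")
    if not hc.get("NanoCpus"):
        findings.append("no cpu limit: add --cpus")

    # Escalation surface: privileged mode, added capabilities, root inside the container.
    if hc.get("Privileged"):
        findings.append("privileged container: remove --privileged")
    if hc.get("CapAdd"):
        findings.append("extra capabilities added: " + ",".join(hc["CapAdd"]))
    if is_root_user(cfg.get("User", "")):
        findings.append("runs as root: set --user or USER in the Dockerfile")
    return findings


def audit(inspect_json):
    """Map container name -> findings for a whole `docker inspect` JSON array."""
    return {rec["Name"].lstrip("/"): audit_container(rec) for rec in json.loads(inspect_json)}


if __name__ == "__main__":
    # Usage: docker inspect $(docker ps -q) | python audit_docker.py -
    # With no argument the constructed sample is audited instead.
    source = sys.stdin.read() if len(sys.argv) > 1 else SAMPLE_INSPECT
    for name, findings in audit(source).items():
        print(f"{name}: {'ok' if not findings else ''}")
        for finding in findings:
            print(f"  - {finding}")
```

Pipe real output through it with `docker inspect $(docker ps -q) | python audit_docker.py -`; a container started with `docker run --memory 512m --memory-swap 512m --cpus 1 --pids-limit 200 --user 10001:10001 ...` comes back clean, while the defaults produce the four findings shown for the first sample record.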

  •   Docker is built around the microservice model of one service per container, so packing every service into a single container is risky: a compromise or crash of one service takes the rest down with it. Run each service in its own container and use Docker Swarm to keep several replicas of each running, so that the loss of one container does not cause an unplanned service outage.
  •   Finally, scan container images with Clair before deploying them, so that known vulnerabilities in the packages inside an image are found before the image runs on your hosts.