Sign In
Sign In

How to Improve Docker Containers Security: Best Practices

How to Improve Docker Containers Security: Best Practices
Hostman Team
Technical writer
Docker
24.11.2023
Reading time: 5 min

Programmers widely use Docker containers. They are isolated environments that have everything needed to launch an application quickly. Working with containers speeds up application development and increases the developer's efficiency.

One of the actual problems for developers using containers is security in Docker. Containers are a standardized environment for attacks; their misuse opens the door to valuable information for attackers. Let's take a look at how we can secure containers with time-tested best practices.

Security basics when working with Docker containers

Container security depends on the operating system, the embedded software components with which the developer interacts, and configuration settings. Proper build and deployment will ensure that Docker is secure, and you can enjoy all the benefits of containers.

Another important tip is to update the software regularly. Each update introduces improved protection algorithms, so use only up-to-date solutions.

Recommendations for building the image

Always use a verified image from official sources. Alpine Linux is the best option as a base distribution. These simple guidelines reduce the likelihood of surface and supply chain attacks.

Many developers wonder whether choosing a fixed or the latest tag is better. Specifying a particular version in the tags provides a strong defense against making changes that could break containers. However, it prevents security settings from being updated when updates are released, which can reduce security. If you tag a specific version, choose the most stable one.

Do not assign root privileges to users

Processes in containers are initially started in root mode. To ensure security, grant fewer privileges to the user. To do this, specify the -u symbol in front of an arbitrarily assigned user ID that does not exist in a particular container. It looks like this:

Docker run -u 3000 <image>

The second way to create a user without root privileges:

FROM <base image>
RUN addgroup -S appgroup
&& adduser -S appuser -G appgroup
USER appuser
...<continued Dockerfile>...

These settings prevent attackers from logging in through the container.

Privilege capabilities and configuration

You shouldn't run privileged containers, and it is also advisable to prevent new privileges from being added while the container is in use. To do this, set the following settings:

--security-opt=no-new-privileges

For security reasons, you should not use default capabilities. It is better to remove the irrelevant ones.

Create control groups to track resource access parameters. This allows you to control memory access as well as all operations. Each container is automatically allocated its own group. To avoid increasing the risk of hacker attacks, never specify the --cgroup-parent attribute.

To ensure the security of Docker containers, restrict user access to memory. To do this, set parameters such as:

--memory="400m"
--memory-swap="1g"
--cpus=0.5
--restart=on-failure:5
--ulimit nofile=5
--ulimit nproc=5

Data storage and file system

The root file system of all containers should not be modified. Select read-only settings:

docker run --read-only <image>

Properly implement long-term storage of information. You can either use volumes or mount host directories. Whichever you choose, you should select "read-only" in the settings to prevent unauthorized modification of data.

If you are using temporary storage for files, set the options:

docker run --read-only --tmpfs /tmp:rw,noexec, nosuid <image>

Network parameters

Initially, docker0 is installed on the system. We do not recommend using this bridge interface. To disable this option, set the --bridge=none parameter. This will prevent containers from communicating through a network connection. 

It is better to create separate networks for connections:

docker network create <network_name>
docker run --network=<network_name>

For security purposes, isolate the host interface by assigning the --net=host parameter.

When working with containers, you should systematically monitor network activity. This way, you can detect anomalous activity in time and prevent malicious attacks.

Use only trusted registries

Using the official online registry from Docker is a safe solution. You can also configure the registry yourself on your own host. Installing the registry behind the firewall serves as an additional lever to strengthen security.

Regular scanning

Don't neglect scanning for vulnerabilities. You can use either free solutions or more functional paid software. Regular monitoring will allow you to detect problems quickly and avoid serious consequences.

Do not open a UNIX socket

This socket is the entry point to the API. By opening the socket at /var/run/docker.sock, you grant unrestricted root access to the host. Ensure the other containers don't get access; this is a critical security setting.

Do not include secrets and credentials

Initially, any user accessing the image can get information about the secrets recorded in Dockerfiles. To prevent this, you should use Docker BuildKit to store secret information and specify the --secret option on the command line.

Now you know how to protect Docker from intruders. Following these simple rules will allow you to avoid serious problems and keep your information safe.

Docker
24.11.2023
Reading time: 5 min

Similar

Docker

How to Install Docker on Ubuntu 22.04

Docker is a free, open-source tool for application containerization. Containers are isolated environments similar to virtual machines (VMs), but they are more lightweight and portable across platforms, requiring fewer system resources. Docker uses OS-level virtualization, leveraging features built into the Linux kernel. Apps order after installing Docker on Ubuntu Although it applies to other Ubuntu versions as well, this tutorial explains how to install Docker on Ubuntu 22.04. We'll also download Docker Compose, which is a necessary tool for effectively managing several containers. For this guide, we will use a Hostman cloud server. System Requirements According to Docker's documentation, the following 64-bit Ubuntu versions are supported: Ubuntu Oracular 24.10 Ubuntu Noble 24.04 (LTS) Ubuntu Jammy 22.04 (LTS) Ubuntu Focal 20.04 (LTS) Docker works on most popular architectures. The resource requirements for your device will depend on your intended use and how comfortably you want to work with Docker. The scale of applications you plan to deploy in containers will largely dictate the system needs. Some sources recommend a minimum of 2 GB of RAM. Additionally, a stable internet connection is required. Installing Docker on Ubuntu 22.04 Installing Docker on Ubuntu 22.04 involves executing a series of terminal commands. Below is a step-by-step guide with explanations. The steps are also applicable to server versions of Ubuntu. 1. Update Package Indexes The default repository may not always contain the latest software releases. Therefore, we will download Docker from its official repository to ensure the latest version. First, update the package indexes: sudo apt update 2. Install Additional Packages To install Docker, you’ll need to download four additional packages: curl: Required for interacting with web resources. software-properties-common: Enables software management via scripts. ca-certificates: Contains information about certification authorities. apt-transport-https: Necessary for data transfer over the HTTPS protocol. Download these packages with the following command: sudo apt install curl software-properties-common ca-certificates apt-transport-https -y The -y flag automatically answers "Yes" to all terminal prompts. 3. Import the GPG Key Software signatures must be verified using the GPG key. Docker's repository must be added to the local list. Use the command to import the GPG key: wget -O- https://download.docker.com/linux/ubuntu/gpg | gpg --dearmor | sudo tee /etc/apt/keyrings/docker.gpg > /dev/null During the import process, the terminal may display a warning before confirming the successful execution of the command. 4. Add Docker Repository Add the repository for your version of Ubuntu, named "Jammy." For other versions, use their respective code names listed in the "System Requirements" section. Run the following command: echo "deb [arch=amd64 signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu jammy stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null During execution, the terminal will prompt you to confirm the operation. Press Enter. 5. Update Package Indexes Again After making these changes, update the package indexes once more using the familiar command: sudo apt update 6. Verify the Repository Ensure that the installation will proceed from the correct repository by running the following command: apt-cache policy docker-ce Output example: Depending on the most recent Docker releases, the result could change. Verifying that the installation will be carried out from Docker's official repository is crucial. 7. Installing Docker After configuring the repositories, proceed with the Docker installation: sudo apt install docker-ce -y The installation process will begin immediately. To confirm a successful installation, check Docker's status in the system: sudo systemctl status docker Output example: The output should indicate that the Docker service is active and running. Installing Docker Compose Docker Compose is a Docker tool designed for managing multiple containers. It is commonly used in projects where many containers must work together as a unified system. Managing this process manually can be challenging. Instead, you describe the entire configuration in a single YAML file containing the settings and configurations for all containers and their applications. There are several ways to install Docker Compose. If you need the latest version, make sure to use manual installation and installation via the Git version control system. Installation via apt-get If having the latest version is not critical for you, Docker Compose can be installed directly from the Ubuntu repository. Run the following command: sudo apt-get install docker-compose Installing via Git First, install Git: sudo apt-get install git Verify the installation by checking the Git version: git --version The output should show the Git version. Next, clone the Docker Compose repository. Navigate to the Docker Compose GitHub page and copy the repository URL. Run the following command to clone the repository: git clone https://github.com/docker/compose.git The cloning process will begin, and the repository will be downloaded from GitHub. Manual Installation Go to the Docker Compose GitHub repository and locate the latest release version under the Latest tag. At the time of writing, the Latest version of Docker Compose is v2.31.0. Let's download it: sudo curl -L "https://github.com/docker/compose/releases/download/v2.31.0/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose In this command, the parameters $(uname -s) and $(uname -m) automatically account for the system characteristics and architecture. After the download finishes, change the file's permissions: sudo chmod +x /usr/local/bin/docker-compose Right order of your infrastructure after installation of Docker on Ubuntu Conclusion In this guide, we covered the installation of Docker on Ubuntu 22.04, along with several ways to install Docker Compose. You can order a cloud server at Hostman for your experiments and practice.
22 August 2025 · 5 min to read
Docker

Running Selenium with Chrome in Docker

Sometimes, it’s useful to work with Selenium in Python within a Docker container. This raises questions about the benefits of using such tools, version compatibility between ChromeDriver and Chromium, and the nuances of their implementation. In this article, we’ll cover key considerations and provide solutions to common issues. Why Run Selenium in Docker? Running Selenium in a container offers several advantages: Portability: Easily transfer the environment between different machines, avoiding version conflicts and OS-specific dependencies. Isolation: The Selenium container can be quickly replaced or updated without affecting other components on the server. CI/CD Compatibility: Dockerized Selenium fits well into CI/CD pipelines — you can spin up a clean test environment from scratch each time your system needs testing. Preparing an Ubuntu Server for Selenium with Docker First, make sure Docker and Docker Compose are installed on the server: docker --version && docker compose version In some Docker Compose versions, the command is docker-compose instead of docker compose. If the tools are installed, you’ll see output confirming their versions. If not, follow this guide. Selenium in Docker Example When deploying Selenium in Docker containers, consider the host architecture, functional requirements, and performance. Official selenium/standalone-* images are designed for AMD64 (x86_64) CPUs, while seleniarm/standalone-* images are adapted for ARM architectures (e.g., Apple silicon or ARM64 server CPUs). First, create a docker-compose.yml file in your project root. It will contain two services: version: "3" services: app: build: . restart: always volumes: - .:/app depends_on: - selenium platform: linux/amd64 selenium: image: selenium/standalone-chromium:latest # For AMD64 # image: seleniarm/standalone-chromium:latest # For ARM64 container_name: selenium-container restart: unless-stopped shm_size: 2g ports: - "4444:4444" # Selenium WebDriver API - "7900:7900" # VNC Viewer environment: - SE_NODE_MAX_SESSIONS=1 - SE_NODE_OVERRIDE_MAX_SESSIONS=true - SE_NODE_SESSION_TIMEOUT=300 - SE_NODE_GRID_URL=http://localhost:4444 - SE_NODE_DETECT_DRIVERS=false You must choose the correct image for your system architecture by uncommenting the appropriate line. The app service will run your main Python code. Let’s define a standard Dockerfile for this service: # Use a minimal Python image FROM python:3.11-slim # Set working directory WORKDIR /app # Install Python dependencies COPY requirements.txt /app/ RUN pip install --no-cache-dir -r requirements.txt # Copy project files COPY . /app/ # Set environment variables (Chromium is in a separate container) ENV SELENIUM_REMOTE_URL="http://selenium:4444/wd/hub" # Run Python script CMD ["python", "main.py"] This Dockerfile uses a base Python image and automatically installs the necessary dependencies. Now let’s add the driver initialization script to main.py: import time # Used to create a delay for checking browser functionality import os from selenium import webdriver from selenium.webdriver.chrome.service import Service from selenium.webdriver.chrome.options import Options # WebDriver settings chrome_options = Options() chrome_options.add_argument("--no-sandbox") chrome_options.add_argument("--disable-dev-shm-usage") chrome_options.add_argument("--disable-gpu") chrome_options.add_argument("--disable-webrtc") chrome_options.add_argument("--hide-scrollbars") chrome_options.add_argument("--disable-notifications") chrome_options.add_argument("--start-maximized") SELENIUM_REMOTE_URL = os.getenv("SELENIUM_REMOTE_URL", "http://selenium:4444/wd/hub") driver = webdriver.Remote( command_executor=SELENIUM_REMOTE_URL, options=chrome_options ) # Open a test page driver.get("https://www.timeweb.cloud") time.sleep(9999) # Shut down WebDriver driver.quit() In the requirements.txt file, list standard dependencies, including Selenium: attrs==25.1.0 certifi==2025.1.31 h11==0.14.0 idna==3.10 outcome==1.3.0.post0 PySocks==1.7.1 selenium==4.28.1 sniffio==1.3.1 sortedcontainers==2.4.0 trio==0.28.0 trio-websocket==0.11.1 typing_extensions==4.12.2 urllib3==2.3.0 websocket-client==1.8.0 wsproto==1.2.0 Now you can launch the containers: docker compose up -d Expected output: Docker will build and launch the containers. To verify everything is running correctly: docker compose ps You should see two running containers which means everything was loaded successfully. You can now integrate a script in main.py to interact with any site. Debugging Selenium in Docker with VNC In official Selenium Docker images (like seleniarm/standalone-chromium, selenium/standalone-chrome, etc.), direct access to the Chrome DevTools Protocol is usually overridden by Selenium Grid. It generates a new port for each session and proxies it via WebSocket. Arguments like --remote-debugging-port=9229 are ignored or overwritten by Selenium, making direct browser port access impossible from outside the container. Instead, these Docker images offer built-in VNC (Virtual Network Computing), similar to TeamViewer or AnyDesk, but working differently. VNC requires headless mode to be disabled, since it transmits the actual screen content — and if the screen is blank, there will be nothing to see. You can connect to the VNC web interface at: http://<server_ip>:7900 When connecting, you'll be asked for a password. To generate one, connect to the selenium-container via terminal: docker exec -it selenium-container bash Then enter: x11vnc -storepasswd You’ll be prompted to enter and confirm a password interactively. Enter the created password into the VNC web interface, and you’ll gain access to the browser controlled by Selenium inside Docker. From there, you can open DevTools to inspect DOM elements or debug network requests. Conclusion Running Selenium in Docker containers simplifies environment portability and reduces the risk of version conflicts between tools. It also allows visual debugging of tests via VNC, if needed. Just make sure to choose the correct image for your system architecture and disable headless mode when a graphical interface is required. This provides a more flexible and convenient infrastructure for testing and accelerates Selenium integration into CI/CD pipelines.
19 June 2025 · 5 min to read
Docker

Building Docker Images and Deploying Applications

Containerizing applications offers a convenient and flexible way to quickly deploy software, including web servers, databases, monitoring systems, and others. Containers are also widely used in microservices architectures. Docker is ideal for these purposes, as it greatly simplifies working with containerized apps. Introduced in 2013, Docker has seen continuous support and usage ever since. In this tutorial, you’ll learn how to create Docker images for three different applications written in different programming languages and how to run Docker containers from these images. Prerequisites To work with the Docker platform, you’ll need: A VPS or virtual machine with any Linux distribution preinstalled. In this tutorial, we use Ubuntu 22.04. Docker installed. You can find the Docker installation guide for Ubuntu 22.04 in our tutorials. Alternatively, you can use a prebuilt cloud server image with Docker — just select it in the “Marketplace” tab when creating a server. What Is a Docker Image? At the core of Docker’s concept is the image. A Docker image is a template—an executable file—you can use to start a Docker container. It contains everything needed to launch a ready-to-run application: source code, configuration files, third-party software, utilities, and libraries. Docker image architecture is layer-based. Each layer represents an action performed during the image build process, such as creating files and directories or installing software. Docker uses the OverlayFS file system, which merges multiple mount points into one, resulting in a unified directory structure. You can move Docker images between systems and use them in multiple locations, much like .exe executables in Windows systems. Creating Custom Docker Images Let’s walk through how to create Docker images for Flask, Node.js, and Go applications. Creating a Docker Image for a Flask Application To create images, a Dockerfile is used. Dockerfile is a plain text file without an extension that defines the steps to build a container image. You can find more details about Dockerfile instructions in the official documentation. We’ll create a Docker image with a web application built with Flask and run the container. The application will show a basic HTML page that displays the current date. 1. Install Required Packages Install the pip package manager and python3-venv for managing virtual environments: apt -y install python3-pip python3-venv 2. Create the Project Directory mkdir dockerfile-flask && cd dockerfile-flask 3. Create and Activate a Virtual Environment python -m venv env source env/bin/activate After activation, you'll see (env) in your prompt, indicating the virtual environment is active. Packages installed via pip will now only affect this environment. 4. Install Flask and Dependencies pip install flask pip install MarkupSafe==2.1.5 5. Create the Flask Application Create a file named app.py that will store the source code of our application: from flask import Flask import datetime app = Flask(__name__) @app.route('/') def display_current_date(): current_date = datetime.datetime.now().date() return f"Current date is: {current_date}" if __name__ == '__main__': app.run(debug=True) 6. Run and Test the Application flask run --host=0.0.0.0 --port=80 In your browser, visit your server’s IP address (port 80 doesn’t need to be specified as it’s the default one). You should see today’s date. 7. Freeze Dependencies Now, we need to save all the dependencies (just the flask package in our case) to a requirements.txt file, which stores all packages used in the project and installed via pip. pip freeze > requirements.txt Your project structure should now look like this: dockerfile-flask/ ├── app.py ├── env/ ├── requirements.txt Now we can proceed to creating a Docker image. 8. Create the Dockerfile Create a file named Dockerfile with the following contents: FROM python:3.8-slim-buster WORKDIR /app COPY requirements.txt requirements.txt RUN pip3 install -r requirements.txt COPY . . CMD [ "python3", "-m", "flask", "run", "--host=0.0.0.0", "--port=80" ] Explanation: FROM python:3.8-slim-buster: Use Python 3.8 base image on a lightweight Debian Buster base. WORKDIR /app: Set the working directory inside the container (similar to the mkdir command in Linux systems) COPY requirements.txt requirements.txt: Copy the dependency list into the image. RUN pip3 install -r requirements.txt: The RUN directive runs the commands in the image. In this case, it’s used to install dependencies. COPY . .: Copy all project files into the container. CMD [...]: CMD defines the commands and app parameters to be used when the container starts. 9. Use a .dockerignore File Create a .dockerignore file to exclude unnecessary directories. It helps to decrease the image size. In our case, we have two directories that we don’t need to launch the app. Add them to the .dockerignore file: env __pycache__ 10. Build the Docker Image When building the image, we need to use a tag that would work as an identifier for the image. We’ll use the flask-app:01 tag. docker build -t flask-app:01 . The dot at the end means the Dockerfile is located in the same directory where we run the command. Check the created image: docker images 11. Run the Docker Container docker run -d -p 80:80 flask-app:01 -d: Run the container in the background. -p: Forward host port 80 to container port 80. Check running containers: docker ps The STATUS column should show “Up”.  Open your browser and navigate to your server's IP address to view the app. Creating a Docker Image for a Node.js Application Our simple Node.js app will display the message: “This app was created using Node.js!” Make sure you have Node.js installed on your system. 1. Create the Project Directory mkdir dockerfile-nodejs && cd dockerfile-nodejs 2. Initialize the Project npm init --yes 3. Install Express npm install express --save 4. Create the Application File Create app.js with the following code: const express = require("express"); const app = express(); app.get("/", function(req, res) { return res.send("This app was created using Node.js!"); }); app.listen(3000, '0.0.0.0', function(){ console.log('Listening on port 3000'); }); 5. Test the Application node app.js Open http://<your-server-ip>:3000 in a browser to verify it works. 6. Create the Dockerfile FROM node:20 WORKDIR /app COPY package.json /app RUN npm install COPY . /app CMD ["node", "app.js"] 7. Add .dockerignore Create .dockerignore and the following line: **/node_modules/ 8. Build the Image docker build -t nodejs-app:01 . 9. Start the Container from Image docker run -d -p 80:3000 nodejs-app:01 Visit http://<your-server-ip> in your browser. The app should be running. Creating a Docker Image for a Go Application This Go application will display: “Hello from GO!” Make sure you have Go installed in your system. 1. Create the Project Directory mkdir dockerfile-go && cd dockerfile-go 2. Initialize the Go Module go mod init go-test-app 3. Create the Application File Create main.go with this code of our application: package main import "fmt" func main() { fmt.Println("Hello from GO!") } Verify it works: go run . 4. Create the Dockerfile FROM golang:1.23-alpine WORKDIR /app COPY go.mod ./ RUN go mod download COPY *.go ./ RUN go build -o /go-test CMD [ "/go-test" ] COPY go.mod ./: Adds dependencies file. RUN go mod download: Installs dependencies. COPY *.go ./: Adds source code. RUN go build -o /go-test: Compiles the binary. 5. Build the Image docker build -t go:01 . 6. Run the Container docker run go:01 You should see the output: Hello from GO! Conclusion In this guide, we walked through building custom Docker images for three applications written in different programming languages. Docker allows you to package any application and deploy it with ease.
18 June 2025 · 7 min to read

Do you have questions,
comments, or concerns?

Our professionals are available to assist you at any moment,
whether you need help or are just unsure of where to start.
Email us
Hostman's Support