Diogo Mónica

Understanding Docker Security and Best Practices

Nathan McCauley and I have been working on a bunch of things since joining Docker. One area that we noticed is lacking is in the availability of information around Docker architecture and best practices in securely configuring and deploying Dockerized applications. This knowledge exists across the vast community of Docker users but we realized that we just haven’t gotten around to writing it down and sharing with everyone else.



As part of that process, Jérôme Petazzoni and I joined representatives from VMware, Rakuten, Cognitive Scale and International Securities Exchange to collaborate with the Center for Internet Security on a benchmark for Docker Engine 1.6. The CIS Security Benchmarks program provides well-defined, unbiased and consensus-based industry best practices to help organizations assess and improve their security. We believe that unbiased, community-driven benchmarks like this are important in providing a set of best practices and recommendations for configuring your Linux host and the Docker Engine. Download the benchmark here:


Additionally, we authored our first Docker white paper, called “Introduction to Container Security.” This paper explains how containers work and what that means for application isolation and operational security. It lays the foundation for understanding how the engine works under the hood.



This is just the beginning of our efforts to make information around Docker and security more readily available. Check out our security page to learn more and subscribe to our security announcements.


3 thoughts on “Understanding Docker Security and Best Practices”

  1. Nicolas Klein


    In the whitepaper “Introduction to container security”, you mention that security upgrades can be applied to images by “leveraging image tags and applying updates to prior versions”. This seems to imply that this can be made without the images depending on the upgraded image needing to be fully rebuilt and thus can be made without access to the Dockerfiles of the higher level images.

    At the moment I could see only two ways of doing this, in addition to an upgrade mechanism built into each image/container:
    1. rebuild the whole image using a patched base image, i.e. a base image tagged with a higher version, application image making use of that higher base version. This has the drawback of requiring a re-build of all images depending on the base image, which may be problematic if hundreds of images depend on it. That looks like a step back from classical security upgrades via package upgrades as it requires a trip back to development usually in charge of providing Docker images.
    2. rebuild the base image with the same tag as previously but including the updates, pushing it to a central registry and re-pulling all images depending on it. This has the disadvantage of breaking version traceability between original and patched base image thus making conflict or partial deployment detection more difficult.

    This leads to my questions:
    – What other way exists that would not require re-building all dependent images?
    – Where is the method mentioned in the white-paper described in detail?

    Thank you
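The two options Nicolas describes differ in whether a FROM reference identifies content or only a name: a base rebuilt under the same tag changes what dependents pull without changing any reference, which is the traceability loss he points out. The following is an added example, not code from the post, the white paper or Docker itself. It parses image references, classifies how traceable each FROM line in a Dockerfile is, and shows how a reference can be pinned to a content digest (`name:tag@sha256:…`, which Docker resolves by digest) so that replaced content can never be pulled under an unchanged reference. The sample Dockerfiles and the digest value are constructed for this example, and the function names are my own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# A digest reference is only meaningful if it is well-formed.
DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")


@dataclass(frozen=True)
class ImageRef:
    name: str               # [registry[:port]/]repository
    tag: Optional[str]      # mutable, human-readable label
    digest: Optional[str]   # immutable content address, if present


def parse_reference(ref: str) -> ImageRef:
    """Split an image reference into name, tag and digest.

    A ':' introduces a tag only when it appears after the last '/', so a
    registry port (registry.example.com:5000/...) is not mistaken for a tag.
    """
    ref = ref.strip()
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
        if not DIGEST_RE.match(digest):
            raise ValueError(f"malformed digest: {digest}")
    name, tag = ref, None
    last_colon = ref.rfind(":")
    if last_colon > ref.rfind("/"):
        name, tag = ref[:last_colon], ref[last_colon + 1:]
    if not name:
        raise ValueError(f"empty image name in reference: {ref!r}")
    return ImageRef(name, tag, digest)


def classify(ref: str) -> str:
    """Describe how much traceability a reference gives.

    digest-pinned   content cannot change without the reference changing
    tagged          content can be replaced under the same tag (option 2 above)
    implicit-latest no tag at all; resolves to whatever 'latest' is right now
    """
    parsed = parse_reference(ref)
    if parsed.digest:
        return "digest-pinned"
    if parsed.tag:
        return "tagged"
    return "implicit-latest"


def audit_dockerfile(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, reference, classification) for every FROM line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped.upper().startswith("FROM "):
            continue
        image = stripped.split()[1]          # FROM <image> [AS <stage>]
        if image.lower() == "scratch":       # empty base, nothing to track
            continue
        findings.append((lineno, image, classify(image)))
    return findings


def pin_reference(ref: str, digest: str) -> str:
    """Rewrite a tag-only reference as name:tag@digest.

    The tag is kept for readability; when a digest is present Docker resolves
    by digest, so the result always pulls the same bytes.
    """
    parsed = parse_reference(ref)
    if parsed.digest:
        raise ValueError("reference is already pinned")
    if not DIGEST_RE.match(digest):
        raise ValueError(f"malformed digest: {digest}")
    tag_part = f":{parsed.tag}" if parsed.tag else ""
    return f"{parsed.name}{tag_part}@{digest}"


# Constructed sample input; the digest is a placeholder value, not a real image.
SAMPLE_DIGEST = "sha256:" + "0123456789abcdef" * 4
SAMPLE_DOCKERFILES = {
    "api/Dockerfile": "FROM ubuntu:14.04\nRUN apt-get update\n",
    "worker/Dockerfile": (
        "FROM registry.example.com:5000/base/python:2.7@" + SAMPLE_DIGEST + "\n"
        "COPY . /app\n"
    ),
    "tools/Dockerfile": "FROM debian\nRUN echo hello\n",
}

if __name__ == "__main__":
    for path, text in SAMPLE_DOCKERFILES.items():
        for lineno, image, kind in audit_dockerfile(text):
            print(f"{path}:{lineno}: {image} -> {kind}")
```

Pinning makes the trade-off in the comment explicit rather than removing it: a digest-pinned dependent can no longer pick up a silently replaced base, so applying a base patch means editing the FROM line and rebuilding, which is the cost of option 1. What the audit buys is that the state of every dependent is visible from its Dockerfile alone, instead of depending on when it was last pulled.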


  2. Would also like to hear a response to the question asked by Nicolas

  3. With the release of Docker 1.10 a great many security-improving changes have been made available and in many places installed as the default.

    Is there any effort to produce an updated CIS Docker 1.10 Benchmark publication?
