Harden the Docker daemon by configuring daemon.json with user namespace remapping, TLS authentication, rootless mode, and CIS benchmark controls.
The Docker daemon (dockerd) runs with root privileges and controls all container operations. Hardening its configuration through /etc/docker/daemon.json, TLS certificates, user namespace remapping, and network restrictions is essential to prevent privilege escalation, lateral movement, and container breakout attacks.
{
"icc": false,
"userns-remap": "default",
"no-new-privileges": true,
"log-driver": "json-file",
"log-opts": {
"max-size": "10m",
"max-file": "5"
},
"storage-driver": "overlay2",
"live-restore": true,
"userland-proxy": false,
"default-ulimits": {
"nofile": {
"Name": "nofile",
"Hard": 65536,
"Soft": 32768
},
"nproc": {
"Name": "nproc",
"Hard": 4096,
"Soft": 2048
}
},
"seccomp-profile": "/etc/docker/seccomp/default.json",
"default-address-pools": [
{
"base": "172.17.0.0/16",
"size": 24
}
],
"iptables": true,
"ip-forward": true,
"ip-masq": true,
"experimental": false,
"metrics-addr": "127.0.0.1:9323",
"max-concurrent-downloads": 3,
"max-concurrent-uploads": 5,
"default-runtime": "runc",
"runtimes": {
"runsc": {
"path": "/usr/local/bin/runsc",
"runtimeArgs": ["--platform=ptrace"]
}
}
}
{
"icc": false
}
Prevents containers on the default bridge network from communicating. Each container must use explicit --link or user-defined networks with published ports.
{
"userns-remap": "default"
}
Maps container root (UID 0) to a high unprivileged UID on the host. This prevents a container breakout from gaining root on the host.
# Verify userns-remap is active
cat /etc/subuid
# Output: dockremap:100000:65536
cat /etc/subgid
# Output: dockremap:100000:65536
# Verify container UID mapping
docker run --rm alpine id
# uid=0(root) gid=0(root) -- but host UID is 100000+
{
"no-new-privileges": true
}
Prevents container processes from gaining additional privileges via setuid/setgid binaries or capability escalation.
{
"live-restore": true
}
Keeps containers running during daemon downtime, enabling daemon upgrades without container restart.
{
"userland-proxy": false
}
Uses iptables rules instead of docker-proxy for port forwarding, reducing attack surface and improving performance.
# Create CA
openssl genrsa -aes256 -out ca-key.pem 4096
openssl req -new -x509 -days 365 -key ca-key.pem -sha256 -out ca.pem \
-subj "/CN=Docker CA"
# Create server key and CSR
openssl genrsa -out server-key.pem 4096
openssl req -subj "/CN=docker-host" -sha256 -new -key server-key.pem -out server.csr
# Create extfile with SANs
echo "subjectAltName = DNS:docker-host,IP:10.0.0.5,IP:127.0.0.1" > extfile.cnf
echo "extendedKeyUsage = serverAuth" >> extfile.cnf
# Sign server certificate
openssl x509 -req -days 365 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem \
-CAcreateserial -out server-cert.pem -extfile extfile.cnf
# Create client key and certificate
openssl genrsa -out key.pem 4096
openssl req -subj "/CN=client" -new -key key.pem -out client.csr
echo "extendedKeyUsage = clientAuth" > extfile-client.cnf
openssl x509 -req -days 365 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem \
-CAcreateserial -out cert.pem -extfile extfile-client.cnf
# Set permissions
chmod 0400 ca-key.pem key.pem server-key.pem
chmod 0444 ca.pem server-cert.pem cert.pem
# Move to Docker TLS directory
sudo mkdir -p /etc/docker/tls
sudo cp ca.pem server-cert.pem server-key.pem /etc/docker/tls/
{
"tls": true,
"tlsverify": true,
"tlscacert": "/etc/docker/tls/ca.pem",
"tlscert": "/etc/docker/tls/server-cert.pem",
"tlskey": "/etc/docker/tls/server-key.pem",
"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"]
}
docker --tlsverify \
--tlscacert=ca.pem \
--tlscert=cert.pem \
--tlskey=key.pem \
-H=tcp://docker-host:2376 version
# Restrict socket ownership
sudo chown root:docker /var/run/docker.sock
sudo chmod 660 /var/run/docker.sock
# Audit Docker socket access
sudo auditctl -w /var/run/docker.sock -k docker-socket
# Never mount Docker socket into containers
# BAD: docker run -v /var/run/docker.sock:/var/run/docker.sock ...
# Install rootless Docker
curl -fsSL https://get.docker.com/rootless | sh
# Configure environment
export PATH=$HOME/bin:$PATH
export DOCKER_HOST=unix://$XDG_RUNTIME_DIR/docker.sock
# Start rootless daemon
systemctl --user start docker
systemctl --user enable docker
# Verify rootless mode
docker info | grep -i rootless
# Rootless: true
# Enable Docker Content Trust
export DOCKER_CONTENT_TRUST=1
# Pull only signed images
docker pull library/alpine:3.18
# Will fail if image is not signed
# Sign and push image
docker trust sign myregistry/myapp:1.0
# View default seccomp profile
docker info --format '{{.SecurityOptions}}'
# Use custom seccomp profile
docker run --security-opt seccomp=/etc/docker/seccomp/custom.json alpine
# Verify seccomp is enabled
docker inspect --format='{{.HostConfig.SecurityOpt}}' container_name
# Check AppArmor status
sudo aa-status
# Use custom AppArmor profile
docker run --security-opt apparmor=docker-custom alpine
# Load custom profile
sudo apparmor_parser -r /etc/apparmor.d/docker-custom
# Check daemon configuration
docker info
# Verify userns-remap
docker info --format '{{.SecurityOptions}}'
# Check ICC setting
docker network inspect bridge --format '{{.Options}}'
# Audit with Docker Bench
docker run --rm --net host --pid host \
-v /var/run/docker.sock:/var/run/docker.sock \
-v /etc:/etc:ro \
docker/docker-bench-security
--tlsverify for remote access