Encourage security-awareness when using Docker

[fungs]

Pulling a Docker container means installing foreign code on your local machine. This means that malicious or defective programs can

• compromise your network if network access is given to the container
• compromise your data if file access is granted to the host system
• compromise your system by deploying security issues in the Docker/LXC design

This means that in the future we should follow best practices for Docker implementations when

• we call docker containers using docker run
• we provide code to run inside the container or provide base images

A recent list of suggestions is compiled at http://linux-audit.com/docker-security-best-practices-for-your-vessel-and-containers/

[michaelbarton]

Could you provide some examples of how we might encourage better security for users of bioboxes?

[fungs]

Could you provide some examples of how we might encourage better security for users of bioboxes?

Following the cited guidelines, one could for instance

1. give recommendations how to run and not to run containers,
2. restrict network access by default,
3. use a distinct UNIX user and group in the container and map that to the current user ID

Maybe these are not urgent at the moment, since the techniques are still emerging and we have still few users, but they should be considered alongside the development of the bioboxes command line tools (aka wrapper or caller).

[fungs]

Guidelines how to build secure Docker containers. https://youtu.be/LmUw2H6JgJo

As of version 1.10, there is a user mapping feature in Docker. This means, that the container root can be some other user on the host.