TL;DR
To install Docker on Debian 13, update your package index and install Docker using the official Docker repository:
sudo apt update # Update package index.
sudo apt install -y ca-certificates curl gnupg # Install necessary packages.
## Add Docker's official GPG key.
sudo mkdir -p /etc/apt/keyrings
curl -fsSL https://download.docker.com/linux/debian/gpg | sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg
## Set up the Docker repository.
echo \
"deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian \
$(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
sudo apt update # Update package index again.
sudo apt install -y docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin # Install Docker.
User Management
Add your user to the docker group to run Docker commands without sudo:
sudo usermod -aG docker alice # Replace 'alice' with your actual username.
Secure Docker Daemon
Configure Docker to use TLS for secure communication:
## /etc/docker/daemon.json
{
"tls": true,
"tlscacert": "/etc/docker/ssl/ca.pem",
"tlscert": "/etc/docker/ssl/server-cert.pem",
"tlskey": "/etc/docker/ssl/server-key.pem",
"tlsverify": true
}
Restart Docker to apply changes:
sudo systemctl restart docker # Restart Docker service.
**Security Warning:** Piping curl output directly to bash can be dangerous. Always review scripts before executing them.
Warning: Avoid Dangerous Commands
Avoid using curl | bash as it can execute unverified scripts:
## Dangerous: Avoid running unverified scripts.
## curl -fsSL https://example.com/install.sh | bash
Set Resource Limits
Limit container resources to prevent abuse:
docker run --name myapp --memory="256m" --cpus="1.0" nginx # Limit memory and CPU usage.
Regular Updates
Keep Docker and your system updated:
sudo apt update && sudo apt upgrade -y # Regularly update packages.
By following these best practices, you can enhance the security of Docker on your Debian 13 server.
1. Install Docker Securely
Before installing Docker, ensure your system is up-to-date to avoid compatibility issues.
sudo apt update && sudo apt upgrade -y # Update package lists and upgrade all packages.
Install Required Packages
Install necessary packages to allow apt to use repositories over HTTPS.
sudo apt install -y apt-transport-https ca-certificates curl gnupg lsb-release # Install dependencies.
Add Docker’s Official GPG Key
Add Docker’s GPG key to verify package authenticity.
curl -fsSL https://download.docker.com/linux/debian/gpg | sudo gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg # Add Docker's GPG key.
Set Up the Docker Repository
Add the Docker repository to your apt sources list.
echo "deb [arch=amd64 signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/debian $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null # Add Docker repository.
Install Docker Engine
Update the package index and install Docker Engine.
sudo apt update # Update package index.
sudo apt install -y docker-ce docker-ce-cli containerd.io # Install Docker packages.
Verify Docker Installation
Check if Docker is installed correctly by running a test image.
sudo docker run hello-world # Run a test Docker container.
Configure Docker Daemon for Security
Create or modify the Docker daemon configuration file to enforce security best practices.
sudo mkdir -p /etc/docker # Ensure the Docker config directory exists.
echo '{
"icc": false, # Disable inter-container communication.
"userns-remap": "default" # Enable user namespace remapping.
}' | sudo tee /etc/docker/daemon.json > /dev/null # Write secure defaults to daemon.json.
Restart Docker
Apply the configuration changes by restarting Docker.
sudo systemctl restart docker # Restart Docker to apply changes.
Enable Docker to Start on Boot
Ensure Docker starts automatically after a reboot.
sudo systemctl enable docker # Enable Docker service on boot.
By following these steps, you ensure a secure Docker installation on your Debian 13 server, minimizing potential vulnerabilities.
2. Configure Docker Daemon
Configuring the Docker daemon securely is crucial for maintaining a robust security posture on your Debian 13 server. Follow these steps to ensure your Docker daemon is set up with security best practices.
Create a Docker Daemon Configuration File
First, create a JSON configuration file for the Docker daemon. This file will allow you to specify various security options.
sudo mkdir -p /etc/docker # Create the Docker configuration directory if it doesn't exist.
sudo nano /etc/docker/daemon.json # Open the configuration file in a text editor.
Add the following JSON configuration to the file:
{
"icc": false, # Disable inter-container communication.
"userns-remap": "default", # Enable user namespace remapping.
"no-new-privileges": true, # Prevent privilege escalation.
"log-level": "info", # Set log level to info for better visibility.
"log-driver": "json-file", # Use JSON file logging.
"log-opts": {
"max-size": "10m", # Limit log file size to 10MB.
"max-file": "3" # Retain a maximum of 3 log files.
}
}
Restart Docker Service
After saving the configuration file, restart the Docker service to apply the changes.
sudo systemctl restart docker # Restart Docker to apply new configurations.
Warning: Secure Socket Binding
Ensure Docker is not bound to a TCP socket without TLS. This can expose your Docker daemon to remote attacks.
## Check if Docker is bound to a TCP socket.
sudo netstat -tuln | grep docker
If you see Docker listening on a TCP port, update your /etc/docker/daemon.json to remove or secure the binding with TLS.
Verify Configuration
Finally, verify that the Docker daemon is running with the correct configuration.
docker info # Display Docker system-wide information.
Look for the applied settings in the output to confirm they are active. This ensures your Docker daemon is configured securely on Debian 13.
3. Implement User Namespace Remapping
User Namespace Remapping is a Docker feature that enhances security by mapping container user IDs to different host user IDs. This prevents containers from having root privileges on the host system.
Step 1: Configure Docker Daemon
First, modify the Docker daemon configuration to enable user namespace remapping. Edit the Docker configuration file:
sudo nano /etc/docker/daemon.json
Add the following JSON configuration to enable user namespace remapping:
{
"userns-remap": "default"
}
This setting uses the default user namespace remapping, which maps container users to a sub-user and sub-group on the host.
Step 2: Create Sub-User and Sub-Group
Docker automatically creates a sub-user and sub-group named dockremap when you use the default setting. Verify their existence:
getent passwd dockremap # Check if the dockremap user exists.
getent group dockremap # Check if the dockremap group exists.
If they do not exist, create them manually:
sudo adduser --system --no-create-home --group dockremap
Step 3: Restart Docker
After configuring the daemon, restart Docker to apply the changes:
sudo systemctl restart docker
Step 4: Verify User Namespace Remapping
To ensure that user namespace remapping is active, run a test container and inspect the user mapping:
docker run --rm -it debian:latest bash -c "id"
The output should show non-root user IDs, indicating that remapping is working.
Warning
Be cautious when modifying Docker’s configuration files. Incorrect settings can prevent Docker from starting. Always back up configuration files before making changes:
sudo cp /etc/docker/daemon.json /etc/docker/daemon.json.bak
User namespace remapping is a powerful security feature, but it may not be compatible with all applications. Test thoroughly in a development environment before deploying to production.
4. Use Docker Bench for Security
Docker Bench for Security is a script that checks for common best practices around deploying Docker containers in production. It is a useful tool to ensure your Docker setup adheres to security guidelines.
First, clone the Docker Bench for Security repository:
## Clone the Docker Bench for Security repository.
git clone https://github.com/docker/docker-bench-security.git
Navigate to the cloned directory:
## Change directory to docker-bench-security.
cd docker-bench-security
Run Docker Bench for Security
To run Docker Bench for Security, execute the following command:
## Run the Docker Bench for Security script.
sudo sh docker-bench-security.sh
This script will output a series of checks and their results, indicating whether your Docker setup meets security best practices.
Interpret the Results
The output will categorize checks into different sections such as Docker daemon configuration, container images, and container runtime. Each section will have a list of checks with a status of PASS, WARN, or INFO.
- PASS: The check has passed and no action is needed.
- WARN: The check has failed, and you should consider taking corrective action.
- INFO: The check provides additional information that may be useful.
Warning: Running Scripts with Elevated Privileges
Be cautious when running scripts with sudo as they have the potential to alter system configurations. Always review scripts from external sources before execution.
Regular Audits
It is advisable to run Docker Bench for Security regularly, especially after changes to your Docker configuration or updates to Docker itself. This ensures that your system remains compliant with the latest security standards.
By integrating Docker Bench for Security into your regular maintenance routine, you can significantly enhance the security posture of your Docker deployments on Debian 13.
5. Network Security and Firewall Rules
Securing the network layer is crucial for Docker containers running on Debian 13. Proper firewall configuration helps prevent unauthorized access and limits exposure to potential threats.
Configure UFW (Uncomplicated Firewall)
UFW is a user-friendly tool for managing iptables firewall rules. Begin by installing and enabling UFW:
sudo apt update && sudo apt install ufw -y # Install UFW.
sudo ufw enable # Enable UFW.
Set Default Policies
Set default policies to deny incoming traffic and allow outgoing traffic. This ensures that only explicitly allowed connections are permitted:
sudo ufw default deny incoming # Deny all incoming connections by default.
sudo ufw default allow outgoing # Allow all outgoing connections by default.
Allow SSH Connections
To maintain remote access, allow SSH connections:
sudo ufw allow ssh # Allow SSH on port 22.
Configure Docker-Specific Rules
Docker containers often require specific ports to be open. For example, if your Docker container runs a web server on port 8080, allow access to this port:
sudo ufw allow 8080/tcp # Allow HTTP traffic on port 8080.
Limit Access to Docker Daemon
By default, Docker listens on a Unix socket, which is more secure than TCP. If you must expose the Docker daemon via TCP, restrict access to trusted IPs:
## Warning: Exposing Docker daemon over TCP can be dangerous.
sudo ufw allow from 192.168.1.100 to any port 2375 # Allow access to Docker daemon from a specific IP.
Verify UFW Status
After configuring the rules, verify the UFW status to ensure the rules are correctly applied:
sudo ufw status verbose # Display detailed UFW status.
By following these steps, you ensure that your Docker containers on Debian 13 are protected by a robust network security configuration. Always review and update firewall rules as your network requirements evolve.
Related Guides
Securing Docker Containers on Debian Learn runtime container security, isolation techniques, and ongoing monitoring for Docker workloads
Rootless Docker Deployment for Safer Workloads Set up Docker without root privileges for enhanced security and reduced attack surface
Container Security Scanning with Trivy and Harbor Implement automated vulnerability scanning for container images with Trivy and Harbor registry
Restricting Container Capabilities with Seccomp Profiles Use seccomp profiles to limit system calls and reduce container attack surface
Container Image Hardening with Distroless Images Build minimal container images without unnecessary packages to reduce vulnerabilities
Setting Up UFW and Fail2ban on Debian Configure firewall rules and intrusion prevention for Docker host security
Verification
To ensure Docker is installed correctly, check the Docker version and run a test container.
docker --version # Check the installed Docker version.
Run a simple test container to verify Docker’s functionality:
docker run hello-world # Pull and run the 'hello-world' test container.
Check Docker Service Status
Verify that the Docker service is active and running:
sudo systemctl status docker # Check the status of the Docker service.
Look for “active (running)” in the output to confirm the service is operational.
Validate Docker Security Configuration
Verify User Group Membership
Ensure that only trusted users are part of the docker group, as this grants root-level access to the Docker daemon.
getent group docker # List users in the 'docker' group.
Remove any unauthorized users from the group:
sudo gpasswd -d unauthorized_user docker # Remove 'unauthorized_user' from the 'docker' group.
Check Docker Daemon Configuration
Review the Docker daemon configuration file for security settings:
cat /etc/docker/daemon.json # Display the Docker daemon configuration.
Ensure the file contains secure settings, such as enabling user namespaces:
{
"userns-remap": "default" # Enable user namespace remapping for added security.
}
Validate Container Security
Inspect Running Containers
Review running containers for security compliance:
docker ps --format "{{.Names}}: {{.Image}}" # List running containers with their images.
Ensure containers are running with minimal privileges. For example, check if a container is running with the --cap-drop flag:
docker inspect myapp --format '{{.HostConfig.CapDrop}}' # Check dropped capabilities for 'myapp'.
Warning: Dangerous Commands
Avoid using commands that can compromise security, such as:
## Do not use this command unless absolutely necessary and you understand the risks.
docker run --rm -v /:/host debian:latest rm -rf /host/etc/nginx # Deletes the nginx directory on the host.
Always review and understand the implications of such commands before execution.
