TL;DR

To install Docker on Debian 13, update your package index and install Docker using the official Docker repository:

sudo apt update  # Update package index.
sudo apt install -y ca-certificates curl gnupg  # Install necessary packages.

## Add Docker's official GPG key.
sudo mkdir -p /etc/apt/keyrings
curl -fsSL https://download.docker.com/linux/debian/gpg | sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg

## Set up the Docker repository.
echo \
  "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian \
  $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null

sudo apt update  # Update package index again.
sudo apt install -y docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin  # Install Docker.

User Management

Add your user to the docker group to run Docker commands without sudo:

sudo usermod -aG docker alice  # Replace 'alice' with your actual username.

Secure Docker Daemon

Configure Docker to use TLS for secure communication:

## /etc/docker/daemon.json
{
  "tls": true,
  "tlscacert": "/etc/docker/ssl/ca.pem",
  "tlscert": "/etc/docker/ssl/server-cert.pem",
  "tlskey": "/etc/docker/ssl/server-key.pem",
  "tlsverify": true
}

Restart Docker to apply changes:

sudo systemctl restart docker  # Restart Docker service.

**Security Warning:** Piping curl output directly to bash can be dangerous. Always review scripts before executing them.

Warning: Avoid Dangerous Commands

Avoid using curl | bash as it can execute unverified scripts:

## Dangerous: Avoid running unverified scripts.
## curl -fsSL https://example.com/install.sh | bash

Set Resource Limits

Limit container resources to prevent abuse:

docker run --name myapp --memory="256m" --cpus="1.0" nginx  # Limit memory and CPU usage.

Regular Updates

Keep Docker and your system updated:

sudo apt update && sudo apt upgrade -y  # Regularly update packages.

By following these best practices, you can enhance the security of Docker on your Debian 13 server.

1. Install Docker Securely

Before installing Docker, ensure your system is up-to-date to avoid compatibility issues.

sudo apt update && sudo apt upgrade -y  # Update package lists and upgrade all packages.

Install Required Packages

Install necessary packages to allow apt to use repositories over HTTPS.

sudo apt install -y apt-transport-https ca-certificates curl gnupg lsb-release  # Install dependencies.

Add Docker’s Official GPG Key

Add Docker’s GPG key to verify package authenticity.

curl -fsSL https://download.docker.com/linux/debian/gpg | sudo gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg  # Add Docker's GPG key.

Set Up the Docker Repository

Add the Docker repository to your apt sources list.

echo "deb [arch=amd64 signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/debian $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null  # Add Docker repository.

Install Docker Engine

Update the package index and install Docker Engine.

sudo apt update  # Update package index.
sudo apt install -y docker-ce docker-ce-cli containerd.io  # Install Docker packages.

Verify Docker Installation

Check if Docker is installed correctly by running a test image.

sudo docker run hello-world  # Run a test Docker container.

Configure Docker Daemon for Security

Create or modify the Docker daemon configuration file to enforce security best practices.

sudo mkdir -p /etc/docker  # Ensure the Docker config directory exists.
echo '{
  "icc": false,  # Disable inter-container communication.
  "userns-remap": "default"  # Enable user namespace remapping.
}' | sudo tee /etc/docker/daemon.json > /dev/null  # Write secure defaults to daemon.json.

Restart Docker

Apply the configuration changes by restarting Docker.

sudo systemctl restart docker  # Restart Docker to apply changes.

Enable Docker to Start on Boot

Ensure Docker starts automatically after a reboot.

sudo systemctl enable docker  # Enable Docker service on boot.

By following these steps, you ensure a secure Docker installation on your Debian 13 server, minimizing potential vulnerabilities.

2. Configure Docker Daemon

Configuring the Docker daemon securely is crucial for maintaining a robust security posture on your Debian 13 server. Follow these steps to ensure your Docker daemon is set up with security best practices.

Create a Docker Daemon Configuration File

First, create a JSON configuration file for the Docker daemon. This file will allow you to specify various security options.

sudo mkdir -p /etc/docker  # Create the Docker configuration directory if it doesn't exist.
sudo nano /etc/docker/daemon.json  # Open the configuration file in a text editor.

Add the following JSON configuration to the file:

{
  "icc": false,  # Disable inter-container communication.
  "userns-remap": "default",  # Enable user namespace remapping.
  "no-new-privileges": true,  # Prevent privilege escalation.
  "log-level": "info",  # Set log level to info for better visibility.
  "log-driver": "json-file",  # Use JSON file logging.
  "log-opts": {
    "max-size": "10m",  # Limit log file size to 10MB.
    "max-file": "3"  # Retain a maximum of 3 log files.
  }
}

Restart Docker Service

After saving the configuration file, restart the Docker service to apply the changes.

sudo systemctl restart docker  # Restart Docker to apply new configurations.

Warning: Secure Socket Binding

Ensure Docker is not bound to a TCP socket without TLS. This can expose your Docker daemon to remote attacks.

## Check if Docker is bound to a TCP socket.
sudo netstat -tuln | grep docker

If you see Docker listening on a TCP port, update your /etc/docker/daemon.json to remove or secure the binding with TLS.

Verify Configuration

Finally, verify that the Docker daemon is running with the correct configuration.

docker info  # Display Docker system-wide information.

Look for the applied settings in the output to confirm they are active. This ensures your Docker daemon is configured securely on Debian 13.

3. Implement User Namespace Remapping

User Namespace Remapping is a Docker feature that enhances security by mapping container user IDs to different host user IDs. This prevents containers from having root privileges on the host system.

Step 1: Configure Docker Daemon

First, modify the Docker daemon configuration to enable user namespace remapping. Edit the Docker configuration file:

sudo nano /etc/docker/daemon.json

Add the following JSON configuration to enable user namespace remapping:

{
  "userns-remap": "default"
}

This setting uses the default user namespace remapping, which maps container users to a sub-user and sub-group on the host.

Step 2: Create Sub-User and Sub-Group

Docker automatically creates a sub-user and sub-group named dockremap when you use the default setting. Verify their existence:

getent passwd dockremap  # Check if the dockremap user exists.
getent group dockremap   # Check if the dockremap group exists.

If they do not exist, create them manually:

sudo adduser --system --no-create-home --group dockremap

Step 3: Restart Docker

After configuring the daemon, restart Docker to apply the changes:

sudo systemctl restart docker

Step 4: Verify User Namespace Remapping

To ensure that user namespace remapping is active, run a test container and inspect the user mapping:

docker run --rm -it debian:latest bash -c "id"

The output should show non-root user IDs, indicating that remapping is working.

Warning

Be cautious when modifying Docker’s configuration files. Incorrect settings can prevent Docker from starting. Always back up configuration files before making changes:

sudo cp /etc/docker/daemon.json /etc/docker/daemon.json.bak

User namespace remapping is a powerful security feature, but it may not be compatible with all applications. Test thoroughly in a development environment before deploying to production.

4. Use Docker Bench for Security

Docker Bench for Security is a script that checks for common best practices around deploying Docker containers in production. It is a useful tool to ensure your Docker setup adheres to security guidelines.

First, clone the Docker Bench for Security repository:

## Clone the Docker Bench for Security repository.
git clone https://github.com/docker/docker-bench-security.git

Navigate to the cloned directory:

## Change directory to docker-bench-security.
cd docker-bench-security

Run Docker Bench for Security

To run Docker Bench for Security, execute the following command:

## Run the Docker Bench for Security script.
sudo sh docker-bench-security.sh

This script will output a series of checks and their results, indicating whether your Docker setup meets security best practices.

Interpret the Results

The output will categorize checks into different sections such as Docker daemon configuration, container images, and container runtime. Each section will have a list of checks with a status of PASS, WARN, or INFO.

  • PASS: The check has passed and no action is needed.
  • WARN: The check has failed, and you should consider taking corrective action.
  • INFO: The check provides additional information that may be useful.

Warning: Running Scripts with Elevated Privileges

Be cautious when running scripts with sudo as they have the potential to alter system configurations. Always review scripts from external sources before execution.

Regular Audits

It is advisable to run Docker Bench for Security regularly, especially after changes to your Docker configuration or updates to Docker itself. This ensures that your system remains compliant with the latest security standards.

By integrating Docker Bench for Security into your regular maintenance routine, you can significantly enhance the security posture of your Docker deployments on Debian 13.

5. Network Security and Firewall Rules

Securing the network layer is crucial for Docker containers running on Debian 13. Proper firewall configuration helps prevent unauthorized access and limits exposure to potential threats.

Configure UFW (Uncomplicated Firewall)

UFW is a user-friendly tool for managing iptables firewall rules. Begin by installing and enabling UFW:

sudo apt update && sudo apt install ufw -y  # Install UFW.
sudo ufw enable                            # Enable UFW.

Set Default Policies

Set default policies to deny incoming traffic and allow outgoing traffic. This ensures that only explicitly allowed connections are permitted:

sudo ufw default deny incoming  # Deny all incoming connections by default.
sudo ufw default allow outgoing # Allow all outgoing connections by default.

Allow SSH Connections

To maintain remote access, allow SSH connections:

sudo ufw allow ssh  # Allow SSH on port 22.

Configure Docker-Specific Rules

Docker containers often require specific ports to be open. For example, if your Docker container runs a web server on port 8080, allow access to this port:

sudo ufw allow 8080/tcp  # Allow HTTP traffic on port 8080.

Limit Access to Docker Daemon

By default, Docker listens on a Unix socket, which is more secure than TCP. If you must expose the Docker daemon via TCP, restrict access to trusted IPs:

## Warning: Exposing Docker daemon over TCP can be dangerous.
sudo ufw allow from 192.168.1.100 to any port 2375  # Allow access to Docker daemon from a specific IP.

Verify UFW Status

After configuring the rules, verify the UFW status to ensure the rules are correctly applied:

sudo ufw status verbose  # Display detailed UFW status.

By following these steps, you ensure that your Docker containers on Debian 13 are protected by a robust network security configuration. Always review and update firewall rules as your network requirements evolve.

  • Securing Docker Containers on Debian Learn runtime container security, isolation techniques, and ongoing monitoring for Docker workloads

  • Rootless Docker Deployment for Safer Workloads Set up Docker without root privileges for enhanced security and reduced attack surface

  • Container Security Scanning with Trivy and Harbor Implement automated vulnerability scanning for container images with Trivy and Harbor registry

  • Restricting Container Capabilities with Seccomp Profiles Use seccomp profiles to limit system calls and reduce container attack surface

  • Container Image Hardening with Distroless Images Build minimal container images without unnecessary packages to reduce vulnerabilities

  • Setting Up UFW and Fail2ban on Debian Configure firewall rules and intrusion prevention for Docker host security

Verification

To ensure Docker is installed correctly, check the Docker version and run a test container.

docker --version  # Check the installed Docker version.

Run a simple test container to verify Docker’s functionality:

docker run hello-world  # Pull and run the 'hello-world' test container.

Check Docker Service Status

Verify that the Docker service is active and running:

sudo systemctl status docker  # Check the status of the Docker service.

Look for “active (running)” in the output to confirm the service is operational.

Validate Docker Security Configuration

Verify User Group Membership

Ensure that only trusted users are part of the docker group, as this grants root-level access to the Docker daemon.

getent group docker  # List users in the 'docker' group.

Remove any unauthorized users from the group:

sudo gpasswd -d unauthorized_user docker  # Remove 'unauthorized_user' from the 'docker' group.

Check Docker Daemon Configuration

Review the Docker daemon configuration file for security settings:

cat /etc/docker/daemon.json  # Display the Docker daemon configuration.

Ensure the file contains secure settings, such as enabling user namespaces:

{
  "userns-remap": "default"  # Enable user namespace remapping for added security.
}

Validate Container Security

Inspect Running Containers

Review running containers for security compliance:

docker ps --format "{{.Names}}: {{.Image}}"  # List running containers with their images.

Ensure containers are running with minimal privileges. For example, check if a container is running with the --cap-drop flag:

docker inspect myapp --format '{{.HostConfig.CapDrop}}'  # Check dropped capabilities for 'myapp'.

Warning: Dangerous Commands

Avoid using commands that can compromise security, such as:

## Do not use this command unless absolutely necessary and you understand the risks.
docker run --rm -v /:/host debian:latest rm -rf /host/etc/nginx  # Deletes the nginx directory on the host.

Always review and understand the implications of such commands before execution.