Docker Compose Security Best Practices

Security is a critical aspect of containerized applications. This guide covers essential security practices for Docker Compose.

Basic Security Configuration

services:
  app:
    image: myapp:latest
    security_opt:
      - no-new-privileges:true      # block privilege escalation via setuid/setcap binaries
    cap_drop:
      - ALL                         # start from zero capabilities ...
    cap_add:
      - NET_BIND_SERVICE            # ... and add back only what the app needs
    read_only: true                 # immutable root filesystem
    tmpfs:
      - /tmp:rw,noexec,nosuid       # writable scratch space that cannot run binaries
    secrets:
      - db_password                 # mounted at /run/secrets/db_password
    environment:
      # substituted from the shell or .env at compose time; environment values are
      # visible in `docker inspect`, so prefer the secrets mechanism for credentials
      - SECRET_KEY=${SECRET_KEY}
    healthcheck:
      test: ["CMD", "curl", "-f", "http://localhost:8080/health"]   # requires curl in the image
      interval: 30s
      timeout: 10s
      retries: 3

secrets:
  db_password:
    file: ./secrets/db_password.txt   # keep this file out of version control

Docker Compose 3.x Features

  1. Extended Security Configuration
    services:
      app:
        security_opt:
          - no-new-privileges:true
          # keep the default AppArmor profile; apparmor:unconfined would switch confinement off
          - apparmor:docker-default
        cap_drop:
          - ALL
        cap_add:
          # one capability per list item; overridable at deploy time
          - ${REQUIRED_CAPS:-NET_BIND_SERVICE}
    
  2. Conditional Security
    services:
      app:
        security_opt:
          # overridable from the environment; the default stays true so an unset variable remains safe
          - no-new-privileges:${NO_NEW_PRIVILEGES:-true}
        profiles:
          - secure   # started only with `docker compose --profile secure up`
    
  3. Security Templates
    # Compose does not nest ${...} substitutions, so a per-service template is
    # expressed as an extension field (x-*) reused through a YAML anchor
    x-security-defaults: &security-defaults
      security_opt:
        - no-new-privileges:true
      cap_drop:
        - ALL
    
    services:
      app:
        <<: *security-defaults
    

Security Areas

  1. Container Isolation
    services:
      app:
        security_opt:
          - no-new-privileges:true
        cap_drop:
          - ALL
        read_only: true
        tmpfs:
          - /tmp:rw,noexec,nosuid
    
  2. Network Security
    services:
      app:
        networks:
          - internal_network
        dns:
          - 8.8.8.8
        dns_search: []
        extra_hosts: []
    
    networks:
      internal_network:
        internal: true
        driver: bridge
    
  3. Secrets Management
    services:
      app:
        secrets:
          - db_password
          - api_key
        environment:
          - DB_PASSWORD_FILE=/run/secrets/db_password
          - API_KEY_FILE=/run/secrets/api_key
    
    secrets:
      db_password:
        file: ./secrets/db_password.txt
      api_key:
        external: true
    

Docker Swarm Mode Considerations

  1. Service Security
    services:
      app:
        deploy:
          mode: replicated
          replicas: 3
          update_config:
            failure_action: rollback
          restart_policy:
            condition: on-failure
          placement:
            constraints:
              # keep application tasks off manager nodes, which hold the swarm state
              - node.role == worker
    
  2. Secret Management
    services:
      app:
        secrets:
          - source: db_password
            target: db_password
            mode: 0440
          - source: api_key
            target: api_key
            mode: 0440
    
  3. Network Security
    services:
      app:
        networks:                  # service-level key, not part of deploy
          - secure_network
        deploy:
          endpoint_mode: dnsrr
          update_config:
            order: start-first
    
    networks:
      secure_network:
        driver: overlay            # swarm services attach to overlay networks
        internal: true
    

Common Security Patterns

1. Container Hardening

services:
  app:
    security_opt:
      - no-new-privileges:true
    cap_drop:
      - ALL
    cap_add:
      - NET_BIND_SERVICE
    read_only: true
    tmpfs:
      - /tmp:rw,noexec,nosuid
    ulimits:
      nofile:
        soft: 65535
        hard: 65535

2. Network Isolation

services:
  app:
    networks:
      - internal_network
    dns:
      - 8.8.8.8
    dns_search: []
    extra_hosts: []

networks:
  internal_network:
    internal: true
    driver: bridge
    driver_opts:
      com.docker.network.bridge.enable_icc: "false"

3. Secrets Management

services:
  app:
    secrets:
      - source: db_password
        target: db_password
        mode: 0440
      - source: api_key
        target: api_key
        mode: 0440
    environment:
      - DB_PASSWORD_FILE=/run/secrets/db_password
      - API_KEY_FILE=/run/secrets/api_key

secrets:
  db_password:
    file: ./secrets/db_password.txt
  api_key:
    external: true
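The compose files above hand secrets to the application as files under /run/secrets (mode 0440) and point to them with *_FILE environment variables. The following added example, which is not part of the original page or of any Docker project code, shows how application code consumes that convention: it prefers NAME_FILE over a plain NAME variable, strips the trailing newline that `echo` leaves in a secret file, and refuses a file that other users can read. The demo() helper and its temporary files are constructed for illustration; the function names are this example's own.

```python
import os
import stat
import tempfile


def load_secret(name: str, env=None, require_private: bool = True) -> str:
    """Resolve secret NAME the way the compose files above wire it:
    prefer the file named by NAME_FILE (a Docker secret mounted under
    /run/secrets), fall back to a plain NAME environment variable, and
    refuse a secret file that other users can read (mode 0440 passes)."""
    env = os.environ if env is None else env
    path = env.get(f"{name}_FILE")
    if path:
        if require_private:
            mode = stat.S_IMODE(os.stat(path).st_mode)
            if mode & stat.S_IRWXO:
                raise PermissionError(
                    f"{path}: mode {oct(mode)} grants access to other users; "
                    f"expected 0440 or stricter")
        with open(path, "r", encoding="utf-8") as fh:
            # `echo "pw" > file` leaves a trailing newline that must not become part of the secret
            return fh.read().rstrip("\r\n")
    if name in env:
        return env[name]
    raise KeyError(f"secret {name}: neither {name}_FILE nor {name} is set")


def demo() -> dict:
    """Constructed demonstration: temp files stand in for /run/secrets, no Docker needed."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "db_password")
        with open(good, "w", encoding="utf-8") as fh:
            fh.write("s3cr3t-from-file\n")
        os.chmod(good, 0o440)                      # same mode the compose file requests
        results["from_file"] = load_secret("DB_PASSWORD", {"DB_PASSWORD_FILE": good})

        results["from_env"] = load_secret("API_KEY", {"API_KEY": "plain-env-value"})

        loose = os.path.join(d, "api_key")
        with open(loose, "w", encoding="utf-8") as fh:
            fh.write("leaky\n")
        os.chmod(loose, 0o644)                     # world-readable: must be refused
        try:
            load_secret("API_KEY", {"API_KEY_FILE": loose})
            results["world_readable"] = "accepted"
        except PermissionError:
            results["world_readable"] = "refused"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The permission check only inspects mode bits, so it behaves the same whether the process runs as root or as an unprivileged user; in a container built on the compose files above it will reject a secret that was bind-mounted with loose permissions instead of being provided through the secrets mechanism.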

Best Practices

  1. Container Security
    • Use minimal base images
    • Drop unnecessary capabilities
    • Implement read-only filesystems
    • Use tmpfs for temporary data
    • Implement container health checks
  2. Network Security
    • Use internal networks
    • Implement network policies
    • Use secure DNS servers
    • Disable inter-container communication
    • Implement network segmentation
  3. Secrets Management
    • Use Docker secrets
    • Implement proper file permissions
    • Use external secrets
    • Rotate secrets regularly
    • Monitor secret access
  4. Access Control
    • Implement least privilege
    • Use security profiles
    • Monitor container access
    • Implement audit logging
    • Use secure defaults

Security Monitoring

1. Container Security

# List running services and their state
docker compose ps

# Inspect the container's effective security settings (there is no `docker compose inspect`)
docker inspect $(docker compose ps -q app)

# Check container logs
docker compose logs --tail=100

2. Network Security

# Check network security
docker network ls

# Inspect network security
docker network inspect internal_network

# List listening sockets inside the container (use `ss -tulpn` if netstat is absent)
docker compose exec app netstat -tulpn
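Inspecting a container or a network by hand is tedious once a stack has more than a few services. This added example (not part of the original page and not a Docker tool) reads the JSON that `docker inspect` and `docker network inspect` emit and reports every deviation from the baseline this guide configures: no-new-privileges, all capabilities dropped, read-only root filesystem, noexec tmpfs, AppArmor not unconfined, no host networking, and an internal bridge network with inter-container communication disabled. The field names are the ones Docker emits; the sample documents are constructed and trimmed to those fields, and the function names are this example's own.

```python
import json
import sys

# Constructed samples in the shape of `docker inspect <container>` and
# `docker network inspect <net>` output, trimmed to the fields these checks read.
HARDENED_CONTAINER = json.dumps([{
    "Name": "/app",
    "AppArmorProfile": "docker-default",
    "HostConfig": {
        "Privileged": False,
        "ReadonlyRootfs": True,
        "SecurityOpt": ["no-new-privileges:true"],
        "CapDrop": ["ALL"],
        "CapAdd": ["NET_BIND_SERVICE"],
        "Tmpfs": {"/tmp": "rw,noexec,nosuid"},
        "NetworkMode": "myproject_internal_network",
    },
}])

WEAK_CONTAINER = json.dumps([{
    "Name": "/legacy",
    "AppArmorProfile": "unconfined",
    "HostConfig": {
        "Privileged": True,
        "ReadonlyRootfs": False,
        "SecurityOpt": ["apparmor:unconfined"],
        "CapDrop": [],
        "CapAdd": ["SYS_ADMIN"],
        "Tmpfs": {"/tmp": "rw"},
        "NetworkMode": "host",
    },
}])

INTERNAL_NETWORK = json.dumps([{
    "Name": "myproject_internal_network",
    "Driver": "bridge",
    "Internal": True,
    "Options": {"com.docker.network.bridge.enable_icc": "false"},
}])


def audit_container(inspect_json: str) -> list:
    """Compare `docker inspect` output with the hardening baseline used in this guide.
    Returns one finding per deviation; an empty list means the container passes."""
    findings = []
    for c in json.loads(inspect_json):
        name = c.get("Name", "?").lstrip("/")
        hc = c.get("HostConfig", {})
        opts = hc.get("SecurityOpt") or []
        if hc.get("Privileged"):
            findings.append(f"{name}: runs privileged")
        if not hc.get("ReadonlyRootfs"):
            findings.append(f"{name}: root filesystem is writable (set read_only: true)")
        nnp = [o for o in opts if o.startswith("no-new-privileges")]
        if not nnp or nnp[-1].endswith(":false"):
            findings.append(f"{name}: no-new-privileges not set")
        if c.get("AppArmorProfile") == "unconfined" or "apparmor:unconfined" in opts:
            findings.append(f"{name}: AppArmor confinement disabled")
        if "ALL" not in (hc.get("CapDrop") or []):
            findings.append(f"{name}: cap_drop does not include ALL")
        for mount, mount_opts in (hc.get("Tmpfs") or {}).items():
            if "noexec" not in mount_opts.split(","):
                findings.append(f"{name}: tmpfs {mount} allows execution")
        if hc.get("NetworkMode") == "host":
            findings.append(f"{name}: uses host networking")
    return findings


def audit_network(inspect_json: str) -> list:
    """Check `docker network inspect` output for the isolation settings shown above."""
    findings = []
    for n in json.loads(inspect_json):
        name = n.get("Name", "?")
        if not n.get("Internal"):
            findings.append(f"{name}: not internal, containers can reach external hosts")
        icc = (n.get("Options") or {}).get("com.docker.network.bridge.enable_icc", "true")
        if n.get("Driver") == "bridge" and icc.lower() != "false":
            findings.append(f"{name}: inter-container communication enabled")
    return findings


if __name__ == "__main__":
    # Pipe real output in: docker inspect $(docker compose ps -q app) | python3 audit.py
    # Without piped input the constructed samples are checked instead.
    if sys.stdin.isatty():
        reports = [("app", audit_container(HARDENED_CONTAINER)),
                   ("legacy", audit_container(WEAK_CONTAINER)),
                   ("network", audit_network(INTERNAL_NETWORK))]
    else:
        reports = [("stdin", audit_container(sys.stdin.read()))]
    for label, found in reports:
        print(label, "OK" if not found else "\n  ".join([""] + found))
```

Running the script against every container from `docker compose ps -q` gives a quick regression check after a compose file change; an empty AppArmorProfile string is left alone because it simply means AppArmor is not active on the host, which is a host-level finding rather than a compose one.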

3. Secrets Management

# Check secrets
docker secret ls

# Inspect secrets
docker secret inspect db_password

# Check application logs for secret-loading errors (Compose itself does not log secret reads)
docker compose logs --tail=100

Advanced Security Features

1. Container Hardening

services:
  app:
    security_opt:
      - no-new-privileges:true
      # keep the default AppArmor profile; apparmor:unconfined would switch confinement off
      - apparmor:docker-default
    cap_drop:
      - ALL
    cap_add:
      - NET_BIND_SERVICE
    read_only: true
    tmpfs:
      - /tmp:rw,noexec,nosuid
    ulimits:
      nofile:
        soft: 65535
        hard: 65535

2. Network Security

services:
  app:
    networks:
      - secure_network
    dns:
      - 8.8.8.8
    dns_search: []
    extra_hosts: []

networks:
  secure_network:
    internal: true
    driver: bridge
    driver_opts:
      com.docker.network.bridge.enable_icc: "false"
      com.docker.network.bridge.enable_ip_masquerade: "true"

3. Secrets Management

services:
  app:
    secrets:
      - source: db_password
        target: db_password
        mode: 0440
      - source: api_key
        target: api_key
        mode: 0440
    environment:
      - DB_PASSWORD_FILE=/run/secrets/db_password
      - API_KEY_FILE=/run/secrets/api_key

secrets:
  db_password:
    file: ./secrets/db_password.txt
  api_key:
    external: true

Troubleshooting

  1. Security Issues
    # List running services and their state
    docker compose ps
    
    # Inspect the container's effective security settings (there is no `docker compose inspect`)
    docker inspect $(docker compose ps -q app)
    
    # Check container logs
    docker compose logs --tail=100
    
  2. Network Problems
    # Check network security
    docker network ls
    
    # Inspect network security
    docker network inspect internal_network
    
    # List listening sockets inside the container (use `ss -tulpn` if netstat is absent)
    docker compose exec app netstat -tulpn
    
  3. Secrets Management
    # Check secrets
    docker secret ls
    
    # Inspect secrets
    docker secret inspect db_password
    
    # Check application logs for secret-loading errors (Compose itself does not log secret reads)
    docker compose logs --tail=100
    

Integration with Security Tools

  1. Container Security
    • Docker Bench Security
    • Clair
    • Anchore
    • Trivy
    • Snyk
  2. Network Security
    • Calico
    • Cilium
    • Weave Net
    • Flannel
    • Project Calico
  3. Secrets Management
    • HashiCorp Vault
    • AWS Secrets Manager
    • Azure Key Vault
    • Google Secret Manager
    • CyberArk
  4. Security Monitoring
    • Falco
    • Sysdig
    • Aqua Security
    • Twistlock
    • NeuVector

Remember to regularly review and update your security configurations based on the latest security best practices and requirements. Implement a comprehensive security strategy and continuously monitor your Docker Compose setup for potential security issues.

© 2025 Compose-it. All rights reserved.

Docker is a registered trademark of Docker, Inc. in the United States and/or other countries. The tool 'compose-it' is not affiliated with, endorsed by, or sponsored by Docker, Inc.