Docker Security Best Practices for Your Homelab

Why Docker Security Matters

Even in a homelab environment, security should be a priority. Misconfigured containers can expose your entire network to vulnerabilities. This guide covers essential Docker security practices.

1. Use Read-Only Filesystems

Run containers with read-only root filesystems where possible:

docker run -it --read-only nginx

In docker-compose:

services:
  nginx:
    image: nginx:latest
    read_only: true
    volumes:
      - /tmp
      - /var/cache/nginx
      - /var/run    # nginx writes its pid file here; without a writable /var/run the container fails to start

2. Drop Unnecessary Capabilities

By default, Docker containers have many Linux capabilities. Drop unnecessary ones:

docker run --cap-drop=ALL --cap-add=NET_BIND_SERVICE nginx

In compose:

services:
  app:
    image: myapp:latest
    cap_drop:
      - ALL
    cap_add:
      - NET_BIND_SERVICE

3. Don’t Run as Root

Create a non-root user in your Dockerfile:

FROM ubuntu:latest

RUN groupadd -r appuser && useradd -r -g appuser appuser
COPY --chown=appuser:appuser app /app

USER appuser
ENTRYPOINT ["/app/start.sh"]

4. Resource Limits

Prevent container resource exhaustion:

docker run -m 512m --cpus="1.5" myapp:latest

In compose:

services:
  database:
    image: postgres:latest
    deploy:
      resources:
        limits:
          cpus: '2'
          memory: 2G
        reservations:
          cpus: '1'
          memory: 1G

5. Use Health Checks

Configure health checks so the engine reports the container as unhealthy (the Docker engine on its own only changes the status; Swarm or an external watchdog is what restarts it):

# the image must ship curl, or swap in a check that uses what is installed
HEALTHCHECK --interval=30s --timeout=10s --start-period=5s --retries=3 \
  CMD curl -f http://localhost:8080/health || exit 1

6. Image Scanning

Scan images for vulnerabilities:

# Using Trivy
trivy image myapp:latest

# Using Grype
grype myapp:latest

7. Secrets Management

Never hardcode secrets in images or compose files:

# Using docker secrets (swarm mode)
echo "mypassword" | docker secret create db_password -

# Using .env files (local development)
docker run --env-file .env myapp:latest

For more robust solutions, use:

8. Network Isolation

Use custom networks instead of the default bridge:

services:
  web:
    image: nginx:latest
    networks:
      - frontend

  db:
    image: postgres:latest
    networks:
      - backend    # not reachable from web; a service that needs both tiers lists both networks

networks:
  frontend:
    driver: bridge
  backend:
    driver: bridge
    internal: true    # containers on this network get no route to the outside world

9. Keep Images Updated

Regularly update base images and dependencies:

# Schedule regular pulls; docker pull alone does not replace running containers,
# compose up -d recreates the ones whose image changed
docker pull myapp:latest
docker compose pull && docker compose up -d

10. Use Content Trust

Enable Docker Content Trust so that pushes are signed and pulls are verified against those signatures:

export DOCKER_CONTENT_TRUST=1
docker push myrepo/myapp:latest   # signs the tag as it is pushed
docker pull myrepo/myapp:latest   # refuses tags that carry no valid signature
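Practices 1 to 8 above can all be checked from the JSON that `docker inspect` prints. The script below is an added example, not part of the original post; it audits a constructed inspect record (a plain `docker run -d nginx`) and reports which practices a container misses. Field names are the ones `docker inspect` emits; the secret-hint keywords are an assumption.

```python
"""Audit `docker inspect` output against the homelab checklist above."""
import json

# Constructed sample: the record for an unhardened `docker run -d nginx`.
SAMPLE_INSPECT = json.dumps([{
    "Name": "/web",
    "Config": {"User": "", "Env": ["DB_PASSWORD=hunter2", "PATH=/usr/bin"]},
    "HostConfig": {"ReadonlyRootfs": False, "CapDrop": [], "CapAdd": [],
                   "Memory": 0, "NanoCpus": 0},
    "NetworkSettings": {"Networks": {"bridge": {}}},
}])

# Assumed substrings that mark an environment variable as a secret.
SECRET_HINTS = ("PASSWORD", "SECRET", "TOKEN", "API_KEY")


def audit_container(c):
    """Return the list of checklist findings for one `docker inspect` record."""
    cfg, host = c.get("Config", {}), c.get("HostConfig", {})
    findings = []
    if not host.get("ReadonlyRootfs"):
        findings.append("1: root filesystem is writable (use --read-only)")
    if "ALL" not in (host.get("CapDrop") or []):
        findings.append("2: capabilities not dropped (use --cap-drop=ALL)")
    user = (cfg.get("User") or "").split(":")[0]   # "1000:1000" -> "1000"
    if user in ("", "root", "0"):
        findings.append("3: runs as root (set USER in the Dockerfile)")
    if not host.get("Memory") or not host.get("NanoCpus"):
        findings.append("4: no memory/CPU limit (use -m and --cpus)")
    hc = cfg.get("Healthcheck")   # key is absent when no HEALTHCHECK is defined
    if not hc or hc.get("Test") == ["NONE"]:
        findings.append("5: no HEALTHCHECK defined")
    leaked = [e.split("=", 1)[0] for e in cfg.get("Env") or []
              if any(h in e.split("=", 1)[0].upper() for h in SECRET_HINTS)]
    if leaked:
        findings.append("7: secrets readable via docker inspect: " + ", ".join(leaked))
    if "bridge" in c.get("NetworkSettings", {}).get("Networks", {}):
        findings.append("8: attached to the default bridge network")
    return findings


def audit_inspect_json(text):
    """Map container name -> findings for the JSON printed by `docker inspect`."""
    return {c["Name"].lstrip("/"): audit_container(c) for c in json.loads(text)}


if __name__ == "__main__":
    # Real use: docker inspect $(docker ps -q) | python3 audit.py
    import sys
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_INSPECT
    for name, issues in audit_inspect_json(data).items():
        print(name, "->", ("\n  " + "\n  ".join(issues)) if issues else "OK")
```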

Security Scanning Tools

Checklist

Conclusion

Security is an ongoing process. Implement these practices incrementally and build a security-conscious approach to container deployments in your homelab.

Further Reading