Docker security in guides

[wonderdogone]

In the docker guides(https://nodejs.org/en/docs/guides/nodejs-docker-webapp/) we show how to make a basic Dockerfile and run apps in a container using docker.This is great because containers are becoming more of a regular workflow. That said, in most cases it's not a good idea to run the containerized app as root because of security issues with the app actually having that same access to it's host. Threads have been going in relation to this topic in other groups .
see nodejs/docker-node#1
and here is the official Docker input on this
https://docs.docker.com/engine/articles/dockerfile_best-practices/#user

So should we make this aware on the Docker guide page to at least just to spread best practice. A sample Dockerfile that makes a "node" user and group and runs app as user "node"

FROM node:argon

ENV user node
RUN groupadd -r $user && useradd -r -g $user $user

# Create app directory
RUN mkdir -p /$user/src/app
WORKDIR /$user/src/app

# Install app dependencies
COPY package.json /$user/src/app/
RUN npm install

# Bundle app source
COPY . /$user/src/app

RUN chown -R $user:$user /$user/src/app/
USER $user

EXPOSE 8080
CMD [ "npm", "start" ]

[fhemberger]

I'm really +:100: on this, cc'ing @nodejs/docker for a review

[Starefossen]

I thought about this for a while when I wrote the guide, and we have had extensible discussions within the @nodejs/docker Working Group on similar topics nodejs/docker-iojs#23 nodejs/docker-iojs#26 nodejs/docker-node#1

Just so we are on the same page; yes you should never ever run your Docker containers as root in production!

There are some other considerations though. The first is the intended audience of the guide. Is this people who are new to Docker and Node or those who want to deploy their Node.js applications to production using Docker? We don't want to make the guide too complicated by adding too many steps.

The second is that, and this is mentioned in the linked issues, when running as a user you can access mounted volumes inside your container which is a popular use case when developing using Docker containers. Production deployments should not use volumes for many reasons, immutability, security and performance to name a few.

My gut tels me too keep the guide simple and easy to follow, and maybe make a second one for best practices deploying Node.js application to production using Docker?

[fhemberger]

Second guide a la "Best practices running Node.js on Docker in production" sounds good as well. But we should add a note to the existing one that this guide is intended for getting started and development only and it should not be used for production.

Most devops tutorials only cover the "getting started" part (or the other far end of the range "how to set up your 100+ node datacenter on AWS") and lack topics like security, because people "just know what to do". Which isn't the case quite often and makes it hard for beginners.

[Starefossen]

Second guide a la "Best practices running Node.js on Docker in production" sounds good as well. But we should add a note to the existing one that this guide is intended for getting started and development only and it should not be used for production.

Agreed.

Most devops tutorials only cover the "getting started" part (or the other far end of the range "how to set up your 100+ node datacenter on AWS") and lack topics like security, because people "just know what to do". Which isn't the case quite often and makes it hard for beginners.

This is a common pitfall. Lets make sure we cover both 😄

[Starefossen]

I have proposed #456 to clarity the purpose of the original Docker Guide. I will see if I find the time to draft a new guide for production deployments.

[wonderdogone]

ok so another more in depth "second guide" I suppose it's not really node.js responsibility to tutorial on docker but they do go hand in hand so well it kind of makes sense. If another guide will come about I have some topics I would be happy to write up. as I know it's hard to find "real" working docker production cases.

[retrohacker]

I agree there is a need here, especially since there are some cases you run into with Node.js that you don't with other images (SIGINT not being handled the same for example). I'd be willing to toss my hat in the ring for this.

I'll try to have a draft this week @Starefossen.

[retrohacker]

So I took a pass at this, and it ended up spelling out the logic put forward here: https://github.com/docker/docker-bench-security

Perhaps we should just link to the docker bench security project?

There was also an awesome comment from @Starefossen that I dug up here: nodejs/docker-node#36 (comment)

These two together could be enough to get us started.

[retrohacker]

It would look something like this:

Docker and Node.js Best Practices

Environment Variables

Run with NODE_ENV set to production. This is the way you would pass inn secrets and other runtime configurations to your application as well.

-e "NODE_ENV=production"

Non-root User

By default Docker runs container as root which inside of the container can pose as a security issue. You would want to run the container as an unprivileged user wherever possible. This is however not supported out of the box with the node Docker image.

FROM node:4.1.2
# Add our user and group first to make sure their IDs get assigned consistently
RUN groupadd -r app && useradd -r -g app app 

This Docker Image can than be run with the app user in the following way:

-u "app"

Memory

By default any Docker Container may consume as much of the hardware such as CPU and RAM. If you are running multiple containers on the same host you should limit how much memory they can consume.

-m "300M" --memory-swap "1G"

CMD

When creating an image, you can bypass the package.json's start command and bake it directly into the image itself. This reduces the number of processes running inside of your container.

CMD ["node","index.js"]

Docker Run

Here is an example of how you would run a default Node.JS Docker Containerized application:

$ docker run \
  -e "NODE_ENV=production" \
  -u "app" \
  -m "300M" --memory-swap "1G" \
  -w "/usr/src/app" \
  --name "my-nodejs-app" \
  node [script]

Security

The Docker team has provided a tool to analyze your running containers for potential security issues. You can download and run this tool from here: https://github.com/docker/docker-bench-security