Prerequisites
Proposal
Each existing stack needs to be reviewed for how it can best implement our list of Docker security best practices.
Motivation
Security is a vital part of why the karo-stack was originally developed. And whilst Docker running rootless solves a lot of problems, there are still security improvements that each stack should try to implement.
Context
The initial months of development work on the karo-stack left little time for additional security testing of each stack. Instead, it was vital to reach stability first, with confidence in a working version of each stack.
Now that has been achieved, the list of best practices should be applied to the existing stacks. If a stack breaks after the changes, add the settings one at a time to find which one is responsible.
Docker security best practices list
```yaml
user: "1000:1000"
# avoids running as root inside the container (quoted to keep it a string)
# (not always respected: some images switch user in their entrypoint or take
#  the uid/gid from environment variables such as PUID/PGID instead)
tty: false
stdin_open: false
# the main process gets no pseudo-TTY and no open stdin; note this does not
# stop `docker exec -it` for anyone who already has access to the Docker API
read_only: true
# mounts the container's root file system read-only; paths the service must
# write to need an explicit volume or tmpfs mount
# (can't be applied to containers that use Docker secrets)
security_opt:
  - no-new-privileges:true
# stops processes gaining privileges after start-up (setuid/setgid binaries
# and file capabilities no longer escalate)
tmpfs:
  - /tmp:rw,noexec,nosuid,nodev
# prevents executing binaries from /tmp
# reduces the risk of local privilege escalation
cap_drop:
  - ALL
# drops all Linux capabilities from the container's processes
# (containers that require capabilities can have them added back with cap_add after this line)
```
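Once the settings are applied, it is worth checking that each running container actually ended up with them, rather than trusting the compose file. The script below is an added example, not part of the karo-stack: it audits the JSON produced by `docker inspect` against the checklist above. The `docker inspect` field names (`Config.User`, `Config.Tty`, `Config.OpenStdin`, `HostConfig.ReadonlyRootfs`, `HostConfig.SecurityOpt`, `HostConfig.Tmpfs`, `HostConfig.CapDrop`, `HostConfig.CapAdd`) are Docker's own; the two container records embedded in it are constructed sample data, and the container names are hypothetical.

```python
"""Audit `docker inspect` output against the Docker hardening checklist."""
import json

# Constructed sample: trimmed `docker inspect` output for two hypothetical
# containers, one hardened and one left at Docker defaults. Not real data.
SAMPLE_INSPECT = json.dumps([
    {
        "Name": "/hardened-app",
        "Config": {"User": "1000:1000", "Tty": False, "OpenStdin": False},
        "HostConfig": {
            "ReadonlyRootfs": True,
            "SecurityOpt": ["no-new-privileges:true"],
            "Tmpfs": {"/tmp": "rw,noexec,nosuid,nodev"},
            "CapDrop": ["ALL"],
            "CapAdd": ["NET_BIND_SERVICE"],
        },
    },
    {
        "Name": "/default-app",
        "Config": {"User": "", "Tty": True, "OpenStdin": True},
        "HostConfig": {
            "ReadonlyRootfs": False,
            "SecurityOpt": None,
            "Tmpfs": None,
            "CapDrop": None,
            "CapAdd": None,
        },
    },
])

REQUIRED_TMPFS_OPTS = {"noexec", "nosuid", "nodev"}


def audit_container(container):
    """Return the checklist items a single container fails (empty = all pass)."""
    findings = []
    cfg = container.get("Config") or {}
    host = container.get("HostConfig") or {}

    # Config.User is what was requested at start. An entrypoint that changes
    # user afterwards is not visible here; compare with `docker top` if in doubt.
    user = (cfg.get("User") or "").strip()
    if user in ("", "0", "root") or user.startswith(("0:", "root:")):
        findings.append("runs as root (Config.User=%r)" % user)

    if cfg.get("Tty"):
        findings.append("tty enabled")
    if cfg.get("OpenStdin"):
        findings.append("stdin_open enabled")

    if not host.get("ReadonlyRootfs"):
        findings.append("root filesystem is writable")

    sec_opts = host.get("SecurityOpt") or []
    if not any(opt.startswith("no-new-privileges") for opt in sec_opts):
        findings.append("no-new-privileges not set")

    # Tmpfs is a mapping of mount point -> comma-separated mount options.
    tmpfs = host.get("Tmpfs") or {}
    if "/tmp" not in tmpfs:
        findings.append("/tmp is not a tmpfs mount")
    else:
        missing = REQUIRED_TMPFS_OPTS - set(tmpfs["/tmp"].split(","))
        if missing:
            findings.append("/tmp tmpfs missing options: %s" % ",".join(sorted(missing)))

    if "ALL" not in (host.get("CapDrop") or []):
        findings.append("capabilities not dropped (cap_drop: ALL missing)")

    return findings


def audit(inspect_json):
    """Map container name -> {'findings': [...], 'cap_add': [...]}.

    Added capabilities are reported separately: they are not a failure,
    but each one should be justified in the stack's review.
    """
    report = {}
    for container in json.loads(inspect_json):
        name = container["Name"].lstrip("/")
        report[name] = {
            "findings": audit_container(container),
            "cap_add": list((container.get("HostConfig") or {}).get("CapAdd") or []),
        }
    return report


if __name__ == "__main__":
    import sys
    # Usage: docker inspect $(docker ps -q) | python3 audit.py
    raw = SAMPLE_INSPECT if sys.stdin.isatty() else sys.stdin.read()
    for name, result in audit(raw).items():
        status = "OK" if not result["findings"] else "FAIL"
        print("%s: %s" % (name, status))
        for item in result["findings"]:
            print("  - " + item)
        if result["cap_add"]:
            print("  note: capabilities added back: " + ", ".join(result["cap_add"]))
```

Pipe real output in with `docker inspect $(docker ps -q) | python3 audit.py`; with no stdin it audits the embedded sample. The root check is only as good as `Config.User`, which is exactly the "not always respected" caveat above, so a container that passes here but has an entrypoint that re-escalates still needs a manual look at the running processes.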
Useful sources