The Clock is Ticking: Container Security Before May 25th
It is April 2018. We are less than a month away from the GDPR enforcement deadline. If you are still running your production containers with --privileged flags or, god forbid, as root inside the container, you aren't just risking a hack; you are risking the wrath of Datatilsynet (The Norwegian Data Protection Authority). I've seen too many docker-compose.yml files that look like suicide notes for infrastructure.
Containerization has revolutionized how we ship code, but it has also made us lazy. We pull random images from Docker Hub, slap them onto a host, and pray. In a post-Spectre/Meltdown world, shared kernel isolation is not enough. You need defense in depth.
Here is how to lock down your container stack effectively, assuming you actually care about your data integrity and latency.
1. The "Root" of All Evil
By default, Docker containers run as root. If an attacker manages to break out of the container (which, given the recent kernel vulnerabilities, is not impossible), they have root access to your host. This is game over.
Stop writing Dockerfiles that end after the COPY command. Create a specific user.
The Wrong Way (2018 Standard):
FROM node:8-alpine
WORKDIR /app
COPY . .
CMD ["npm", "start"]The Battle-Hardened Way:
Explicitly create a user and switch to it. Here is how I do it for a standard Node.js microservice running on Alpine 3.7:
FROM node:9.11-alpine
# Create a group and user
RUN addgroup -S appgroup && adduser -S -G appgroup appuser
WORKDIR /app
# Ensure permissions are correct
COPY package.json .
RUN npm install --production
COPY . .
RUN chown -R appuser:appgroup /app
# Drop privileges
USER appuser
CMD ["node", "index.js"]2. The Spectre/Meltdown Reality Check
In January, the world woke up to Spectre and Meltdown. These hardware vulnerabilities proved that memory isolation between processes—and by extension, containers sharing a kernel—is not absolute. If you are hosting your containers on a budget provider using OpenVZ or LXC, you are sharing the host kernel with every other customer on that physical box. That is a security nightmare.
Pro Tip: True isolation requires Hardware Virtualization. This is why at CoolVDS, we strictly use KVM (Kernel-based Virtual Machine). Even if a neighbor's container gets compromised, your KVM instance has its own kernel, acting as a hard firewall against memory snooping attacks. Do not compromise on virtualization type in 2018.
3. Controlling Resource Greed
A compromised container or a buggy loop can consume 100% of your CPU, starving critical system processes (like SSHD). I've debugging servers where I couldn't even log in because a rogue container ate all the cycles.
Docker provides cgroup limits. Use them. Never deploy without limits.
docker run -d --name risky-app \
--memory="512m" \
--memory-swap="1g" \
--cpus="1.0" \
nginx:1.13-alpineThis ensures that risky-app never takes more than 1 CPU core or 512MB RAM. If you are running high-performance workloads, relying on these software limits is good, but having dedicated resources at the VPS level is better. CoolVDS NVMe instances guarantee your I/O isn't stolen by a neighbor running a crypto miner.
4. Network Segmentation
The default docker0 bridge allows all containers to talk to each other. Your frontend web server shouldn't be able to ping your internal Redis cache unless explicitly allowed. This is basic network hygiene.
Create dedicated user-defined bridges:
# Create a backend network
docker network create --driver bridge --subnet 172.20.0.0/16 backend_net
# Run Redis only on this network
docker run -d --name redis --net backend_net redis:4.0-alpine
# Run API with access to backend
docker run -d --name api --net backend_net my-api:latest5. Read-Only Filesystems
If your application is stateless (which it should be), it has no business writing to the filesystem. Making the root filesystem read-only prevents an attacker from downloading payloads or modifying binaries.
docker run --read-only \
--tmpfs /run \
--tmpfs /tmp \
-v /var/log/app:/var/log/app:rw \
my-stateless-appThis forces you to be disciplined about where data is written. Logs go to a volume, temp files go to tmpfs, and the rest is immutable.
Comparison: Shared Kernel vs. KVM Hosting
| Feature | OpenVZ / LXC (Cheap VPS) | KVM (CoolVDS Standard) |
|---|---|---|
| Kernel Isolation | Shared (High Risk) | Dedicated (High Security) |
| Meltdown Mitigation | Host dependent | Guest OS patchable |
| Docker Compatibility | Limited (often older kernels) | Full (Run latest Docker CE) |
| Performance Stability | Noisy Neighbors affect you | Dedicated Resources |
The Norwegian Context: Latency and Laws
Security isn't just about hackers; it's about availability and compliance. Hosting your data outside the EEA creates a mountain of legal paperwork under the new GDPR rules. By keeping your infrastructure in Norway (or strict EU jurisdictions), you simplify compliance.
Furthermore, latency matters. If your customer base is in Oslo or Bergen, routing traffic through a budget host in Frankfurt adds unnecessary milliseconds. Our tests show that a local CoolVDS instance reduces TTFB (Time To First Byte) by approx 20-30ms compared to central European hubs. In the world of high-frequency trading or real-time APIs, that is an eternity.
Final Thoughts
The days of "move fast and break things" are ending. With GDPR looming, we have to "move fast and secure things." Containers are powerful, but they are not magic security boxes. They require configuration, discipline, and the right underlying infrastructure.
Don't build a fortress on a swamp. Start with a solid foundation. Deploy your hardened Docker stack on a CoolVDS KVM instance today and get the dedicated performance you actually pay for.