Docker Techniques for Production Containers

Basic Docker skills only takes you so far in production environments. This post covers some lesser known Docker techniques.

SSH Agent Forwarding with Buildx

When working with private repositories during builds, you often need SSH authentication. Instead of embedding credentials (a security risk), you can forward your SSH agent connection directly to the Docker build process:

# Forward SSH agent connection to Docker build
RUN --mount=type=ssh git clone git@github.com:private/repo.git

Build your image with:

docker build --ssh default=$SSH_AUTH_SOCK .

Fine-Tuning Container Capabilities

Running containers in privileged mode is dangerous, but some applications need additional capabilities. Instead of full privileged mode, grant only the specific capabilities required:

docker run --cap-add SYS_ADMIN --security-opt apparmor=unconfined mycontainer

DNS Optimization for High-Volume Services

Containers in high-traffic environments can benefit from DNS tuning. For services that need quick failover if DNS resolution fails:

docker run --dns-opt timeout:1 --dns-opt attempts:5 --dns 10.0.0.2 myapp

Distroless Builds for Minimal Attack Surface

Consider distroless containers, which contain only your application and its runtime dependencies:

FROM golang:1 AS builder
WORKDIR /app
COPY . .
RUN go build -o myapp

FROM gcr.io/distroless/static
COPY --from=builder /app/myapp /
CMD ["/myapp"]

Distroless containers eliminate package managers, shells, and other utilities that could be exploited, significantly reducing your attack surface.

Hardening Containers with Security Profiles

Custom seccomp profiles allow you to restrict which syscalls your container can make:

docker run --security-opt seccomp=/path/to/custom-seccomp.json myapp

You can also integrate this into docker-compose:

services:
  api:
    # ... other config ...
    security_opt:
      - seccomp:custom-seccomp.json
      - no-new-privileges:true

A carefully crafted seccomp profile provides defense-in-depth by limiting what processes inside your container can do at the kernel level.

Network Isolation During Builds

For maximum security during builds, especially for public images, consider completely disabling network access:

docker build --network=none .

Secure Handling of Build Secrets

BuildKit offers a secure way to use secrets during build without embedding them in layers:

RUN --mount=type=secret,id=mysecret cat /run/secrets/mysecret

Use it when building:

docker build --secret id=mysecret,src=./secret.txt .

Dynamic Builds with Build Arguments

Make your builds flexible with build-time arguments:

ARG VERSION=latest
FROM base:${VERSION}
ARG ENV=prod
RUN if [ "$ENV" = "dev" ]; then \
      install-dev-tools; \
    fi

Container Network Troubleshooting

When facing networking issues, use nsenter to inspect container networking from the host:

pid=$(docker inspect --format '{{.State.Pid}}' container_name)
nsenter -t $pid -n ip addr

Resource Limiting with Ulimits

Prevent resource exhaustion by setting appropriate ulimits:

docker run --ulimit nofile=50000:50000 --ulimit nproc=1024:2048 high-traffic-app

Network Performance Tuning

Optimize container networking performance with sysctls:

docker run --sysctl net.core.somaxconn=1024 --sysctl net.ipv4.tcp_max_syn_backlog=1024 web-cache