Running docker securely

The main source of information regarding docker security practice is the page on "Docker security".

Only trusted users should be allowed to control your Docker daemon.
This is a direct consequence of some powerful Docker features.

Specifically, Docker allows you to share a directory between the Docker host and a guest container; and it allows you to do so without limiting the access rights of the container.

If you expose the REST API, you should do so over https.

Finally, if you run Docker on a server, it is recommended to run exclusively Docker on the server, and move all other services into containers controlled by Docker.

Regarding the VM, see "Are Docker containers really secure?"

The biggest problem is that everything in Linux is not namespaced. Currently, Docker uses five namespaces to alter processes' view of the system: Process, Network, Mount, Hostname, Shared Memory.

While these give the user some level of security, it is by no means comprehensive, like KVM (Kernel-based Virtual Machine).
In a KVM environment processes in a virtual machine do not talk to the host kernel directly. They do not have any access to kernel file systems like /sys and /sys/fs, /proc/*.
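The three host-side points above (who controls the daemon, whether the API is reachable over plain TCP, and which host directories a container is handed) can be checked with a short audit script. The following is an added example, not code from this answer or from Docker: it uses plain grep/awk heuristics over `/etc/group`, `daemon.json` and `docker inspect` output rather than a JSON parser, and all sample inputs below are constructed.

```shell
#!/bin/sh
# Host-side Docker audit (added example; not from the answer or from Docker).
# Each check is a text heuristic over files and command output, not a parser.

# Who is in the docker group? Anyone listed can control the daemon and is
# therefore effectively root on the host.
# Argument: a file in /etc/group format (use /etc/group on a real system).
docker_group_members() {
    awk -F: '$1=="docker"{print $4}' "$1" | tr ',' '\n' | sed '/^$/d'
}

# Is the API bound on TCP without requiring client certificates?
# Returns 0 if fine, 1 if a tcp:// host is configured and tlsverify is not true.
# Argument: path to daemon.json (normally /etc/docker/daemon.json).
check_daemon_tls() {
    if grep -q 'tcp://' "$1" && ! grep -qE '"tlsverify"[[:space:]]*:[[:space:]]*true' "$1"; then
        echo "daemon.json: API listens on tcp:// without tlsverify"
        return 1
    fi
    return 0
}

# Flag bind mounts that hand a container sensitive host paths. Reads lines
# "TYPE SOURCE DESTINATION RW" on stdin, as printed by
#   docker inspect --format '{{range .Mounts}}{{.Type}} {{.Source}} {{.Destination}} {{.RW}}{{"\n"}}{{end}}' CONTAINER
# Returns the number of risky mounts found (0 = none).
check_bind_mounts() {
    risky=0
    while read -r mtype src dst rw; do
        [ "$mtype" = "bind" ] || continue
        case "$src" in
            /|/etc|/etc/*|/proc|/sys|/root|/root/*|/var/run/docker.sock|/run/docker.sock)
                echo "bind mount of host $src at $dst (rw=$rw)"
                risky=$((risky+1)) ;;
        esac
    done
    return "$risky"
}

# --- constructed sample inputs (not taken from any real host) ---
sample_group() {          # /etc/group excerpt
cat <<'EOF'
root:x:0:
docker:x:999:alice,ci-runner
EOF
}
sample_daemon_json() {    # API exposed on TCP, no client-cert verification
cat <<'EOF'
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
  "log-driver": "json-file"
}
EOF
}
sample_mounts() {         # docker inspect output for one container
cat <<'EOF'
bind /var/run/docker.sock /var/run/docker.sock true
volume /var/lib/docker/volumes/data/_data /data true
bind /srv/app/config /config false
EOF
}

# Stand-alone demo over the samples. On a real host point the functions at
# /etc/group, /etc/docker/daemon.json and live `docker inspect` output.
tmpdir=$(mktemp -d)
sample_group > "$tmpdir/group"; sample_daemon_json > "$tmpdir/daemon.json"
echo "docker group members (each is root-equivalent on this host):"
docker_group_members "$tmpdir/group"
check_daemon_tls "$tmpdir/daemon.json" || true
sample_mounts | check_bind_mounts || echo "risky mounts: $?"
rm -rf "$tmpdir"
```

The daemon check is deliberately coarse: it only asks whether a `tcp://` host is configured while `"tlsverify": true` is absent, which is the plain-HTTP case the answer warns about; it does not validate the certificate paths. The docker-socket mount is on the risky list because a container that can talk to the daemon can start further containers with any host directory mounted, which is exactly the unrestricted sharing described above.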


Here are a few best practices you can follow from the security point of view:

  1. Prefer Minimal Base Image: The base image you select can also have vulnerabilities; you can look for security vulnerabilities before selecting the base image. Select a minimal base image, as it may ensure that there are fewer vulnerabilities.
  2. Least Privileged User: If no user is specified in the Dockerfile, by default the container is run with root privileges. To restrict access, create a dedicated user and user group in the Docker image.
  3. Sign and Verify the Images: We run Docker images in our production environment, so it is quite important to authenticate a Docker image before using it. You should sign your Docker image, and before running it you should also verify it.
  4. Use Security Software and Linters: Use security software to scan your Docker images for any vulnerabilities; you can also use a linter that statically analyzes your Dockerfile and gives a warning when there is a security vulnerability.
  5. Don’t leak sensitive information to Docker images: Secrets must be kept outside of the Dockerfile. If you copy a secret, it gets cached in the intermediate Docker container; to avoid this problem, you can use a multi-stage build or Docker secret commands.

Credits: Thanks to Liran Tal and Omer Levi Hevroni for the blog. I learned these best practices from there; please visit it for more details and a few more best practices.
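Points 1, 2, 4 and 5 of the list above can be checked mechanically, which is what point 4's "linter" does. Below is an added example of such a linter, written for this page and not taken from the answer, the cited blog, or any real tool such as hadolint: a small POSIX shell function that reads a Dockerfile and reports an unpinned or `:latest` base image, a final stage that still runs as root, and `COPY`/`ADD`/`ENV`/`ARG` instructions that bake secret-looking files or credentials into a layer. Both sample Dockerfiles it runs over are constructed for the example.

```shell
#!/bin/sh
# Toy Dockerfile linter for the practices listed in the answer
# (added example; not the answer's code and not a real linter).
# Prints one line per finding and returns the number of findings (0 = clean).
lint_dockerfile() {
    file=$1
    findings=0

    # (1) Base image: every FROM must carry a tag or digest and never ":latest",
    #     so the image you reviewed is the one you actually build on. Whether
    #     that image is also *minimal* (alpine, distroless, ...) stays a human call.
    for img in $(awk 'tolower($1)=="from"{for(i=2;i<=NF;i++) if($i!~/^--/){print $i;break}}' "$file"); do
        last=${img##*/}          # drop registry/namespace; keeps "name:tag" or "name@sha256:..."
        case "$last" in
            *:latest) echo "FROM $img: ':latest' is a moving target"; findings=$((findings+1)) ;;
            *:*)      ;;         # tagged or digest-pinned
            *)        echo "FROM $img: untagged base image"; findings=$((findings+1)) ;;
        esac
    done

    # (2) Least privilege: the USER in effect at the end of the final stage must
    #     not be root. Each FROM starts a new stage and resets the user.
    final_user=$(awk 'tolower($1)=="from"{u=""} tolower($1)=="user"{u=$2} END{print u}' "$file")
    case "$final_user" in
        ""|root|0|root:*|0:*) echo "USER: final stage runs as root"; findings=$((findings+1)) ;;
    esac

    # (5) Secrets: COPY/ADD of key material or .env files, and ENV/ARG values named
    #     like credentials, end up in image layers and are visible in `docker history`.
    leaks=$(grep -iE '^[[:space:]]*(COPY|ADD)[[:space:]]' "$file" \
            | grep -ciE '(^|[[:space:]/])(\.env|id_rsa|[^[:space:]]*\.(pem|key|p12|pfx))([[:space:]]|$)' || true)
    envleaks=$(grep -ciE '^[[:space:]]*(ENV|ARG)[[:space:]]+[A-Z0-9_]*(PASSWORD|SECRET|TOKEN|API_KEY)' "$file" || true)
    [ "$leaks" -gt 0 ] && { echo "COPY/ADD: $leaks instruction(s) copy secret-looking files into a layer"; findings=$((findings+leaks)); }
    [ "$envleaks" -gt 0 ] && { echo "ENV/ARG: $envleaks credential-like value(s) baked into the image"; findings=$((findings+envleaks)); }

    return "$findings"
}

# Run the linter over Dockerfile text produced by a function, e.g. lint_file_from sample_bad
lint_file_from() {
    tmp=$(mktemp)
    "$1" > "$tmp"
    rc=0; lint_dockerfile "$tmp" || rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Constructed sample: violates points 1, 2 and 5 (four findings).
sample_bad() {
cat <<'EOF'
FROM node:latest
COPY .env /app/.env
COPY . /app
ENV API_KEY=constructed-placeholder
RUN npm install
CMD ["node", "/app/server.js"]
EOF
}

# Constructed sample: multi-stage build, pinned small base, non-root user, and a
# build-time credential supplied through a BuildKit secret mount, so it never
# lands in a layer.
sample_good() {
cat <<'EOF'
FROM golang:1.22-alpine AS build
WORKDIR /src
COPY . .
RUN --mount=type=secret,id=netrc,target=/root/.netrc go build -o /out/app .

FROM alpine:3.20
RUN addgroup -S app && adduser -S -G app app
COPY --from=build /out/app /usr/local/bin/app
USER app
ENTRYPOINT ["/usr/local/bin/app"]
EOF
}

# Stand-alone demo: findings for the bad sample, a clean run for the good one.
for s in sample_bad sample_good; do
    echo "== $s =="
    lint_file_from "$s" && echo "clean" || echo "findings: $?"
done
```

Point 3 (signing and verifying images) is intentionally not covered: it is a property of the registry and the client's trust configuration, not something a static read of the Dockerfile can establish. The secret check is a name heuristic, so treat a clean result as "nothing obvious", not as proof that no credential was copied in.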