Docker makes deployment easy, but a careless setup can expose your host. Here are the key steps to run containers securely in production.
1. Don't expose the Docker API
Never bind the Docker daemon to a public TCP port without TLS — it's effectively root access to your host. Use the local socket, and access remote hosts over SSH.
2. Don't publish ports you don't need
A container's ports are only reachable if you -p publish them. Keep databases and internal services on the Docker network, and only publish your web port. Remember: published container ports can bypass UFW, so bind sensitive ports to 127.0.0.1.
3. Run as a non-root user
Use the USER directive in your Dockerfile so the process inside the container isn't root.
4. Use trusted, pinned images
image: postgres:16.4 # pin versions, avoid ':latest' in prod
Pull from official or verified sources and scan images for vulnerabilities.
5. Keep Docker and images updated
Rebuild regularly to pick up base-image security fixes. Combine these habits with the standard VPS hardening steps and your containerised stack will be solid.