
11.2.4.5 Runtime Hardening Profile

A focused guide to Runtime Hardening Profile, connecting core concepts with practical Docker and container operations.

A runtime hardening profile is the complete, combined set of runtime restrictions — non-root user, dropped capabilities, no-new-privileges, read-only filesystem, and an appropriate security profile — applied together as a single, deliberate configuration template intended to be consistently reused across an organization's containers.

Defining a Reusable Hardening Template

Rather than assembling these restrictions individually for each application, defining a standard, reusable template establishes a consistent security baseline.

services:
  api:
    user: "1000:1000"
    cap_drop:
      - ALL
    cap_add:
      - NET_BIND_SERVICE
    security_opt:
      - no-new-privileges
      - seccomp=default.json
    read_only: true
    tmpfs:
      - /tmp

This combined configuration reflects a deliberate, comprehensive hardening profile, rather than relying on any single restriction in isolation.

Adapting the Template for Application-Specific Needs

While the overall template remains consistent, specific elements — which capability is added back, which paths need to remain writable — are adapted to each individual application's actual requirements.

services:
  worker:
    user: "1000:1000"
    cap_drop:
      - ALL
    security_opt:
      - no-new-privileges
      - seccomp=default.json
    read_only: true
    tmpfs:
      - /tmp
    volumes:
      - worker-queue-data:/app/queue

volumes:
  worker-queue-data:

This worker service's hardening profile omits the NET_BIND_SERVICE capability (since it doesn't bind to any port) while adding a specific writable volume its particular function requires.

Why a Standard Template Improves Consistency

Defining this kind of template once, then applying it consistently, avoids the risk of individual applications receiving inconsistent or incomplete hardening due to each being configured separately, without a shared, deliberate baseline.

docker compose config

Validating the Hardening Profile Doesn't Break Functionality

Testing each application thoroughly under its applied hardening profile confirms the restrictions don't inadvertently break legitimate functionality.

docker compose run --rm api npm test

Why a Runtime Hardening Profile Matters
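
Functional tests confirm the application still works; a second check confirms the profile was actually applied to the running containers. The script below is an added example (not code from this page or from Docker) that reads `docker inspect` JSON and reports every deviation from the profile above. It assumes the standard inspect fields `Config.User` and `HostConfig.CapDrop`/`CapAdd`/`SecurityOpt`/`ReadonlyRootfs`, and the sample output embedded in it is constructed: one compliant `api` container and one `legacy` container that was never hardened.

```python
import json

# Constructed sample of `docker inspect <container> ...` output (not captured
# from a real host). Docker may inline the seccomp file contents instead of
# the path, so the check only looks for a "seccomp=" entry that is not
# "unconfined".
SAMPLE_INSPECT = json.dumps([
    {"Name": "/api", "Config": {"User": "1000:1000"},
     "HostConfig": {"CapDrop": ["ALL"], "CapAdd": ["NET_BIND_SERVICE"],
                    "SecurityOpt": ["no-new-privileges", "seccomp=default.json"],
                    "ReadonlyRootfs": True}},
    {"Name": "/legacy", "Config": {"User": ""},
     "HostConfig": {"CapDrop": None, "CapAdd": ["SYS_ADMIN"],
                    "SecurityOpt": None, "ReadonlyRootfs": False}},
])

# Capabilities an application may legitimately add back; anything else is flagged.
ALLOWED_CAP_ADD = {"NET_BIND_SERVICE"}


def check_container(container):
    """Return a list of findings for one inspect record; empty means compliant."""
    cfg = container.get("Config") or {}
    host = container.get("HostConfig") or {}
    findings = []

    # Non-root user: an empty User means the image default, usually root.
    uid = (cfg.get("User") or "").split(":")[0]
    if uid in ("", "0", "root"):
        findings.append("runs as root (no non-root user set)")

    # Dropped capabilities, with only the allow-listed ones added back.
    if "ALL" not in (host.get("CapDrop") or []):
        findings.append("does not drop ALL capabilities")
    extra = set(host.get("CapAdd") or []) - ALLOWED_CAP_ADD
    if extra:
        findings.append("adds unexpected capabilities: " + ", ".join(sorted(extra)))

    # no-new-privileges and an explicit seccomp profile.
    sec = host.get("SecurityOpt") or []
    if not any(o.startswith("no-new-privileges") for o in sec):
        findings.append("no-new-privileges is not set")
    if not any(o.startswith("seccomp=") and not o.endswith("unconfined") for o in sec):
        findings.append("no explicit seccomp profile in SecurityOpt")

    if not host.get("ReadonlyRootfs"):
        findings.append("root filesystem is writable")
    return findings


def audit(inspect_json):
    """Map each container name to its findings (pipe `docker inspect` output here)."""
    return {c["Name"].lstrip("/"): check_container(c) for c in json.loads(inspect_json)}
```

Running `audit` on real output (`docker inspect $(docker compose ps -q)`) gives an empty list for every container that matches the profile and a named list of gaps for any that does not.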

Establishing and consistently applying a comprehensive, combined runtime hardening profile, rather than relying on individually remembered, piecemeal restrictions, provides a far more reliable and maintainable approach to container runtime security across an organization's full range of applications.