May 22, 2021 Docker From entry to practice
The core of running a container or application is through the Docker service side. The docker service currently requires root permissions to run, so its security is critical.
First, make sure that only trusted users have access to the Docker service. Docker allows users to share folders between the host and containers without restricting what the container may do with them, which makes it easy for a container to break out of its resource limits. For example, if a malicious user starts a container and maps the host's / to /host inside the container, the container can theoretically make arbitrary modifications to the host's file system. Does that sound crazy?
But in fact, almost all virtualization systems allow similar resource sharing, and there is no way to prevent users from sharing the host's root file system with a virtual machine.
This can have serious security consequences. Therefore, when offering a container-creation service, for example through a web server, pay particular attention to security checks on the parameters, so that a malicious user cannot create a destructive container by passing specific parameters.
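One way such a parameter check can look, as an added example that is not part of the original article: a validator for the HostConfig of a container-create request (the JSON a web front-end would forward to the Docker API) that rejects privileged containers and any bind mount whose host source is / or lies outside an assumed allowlist (`/srv/tenant-data` is a constructed value; the newer `Mounts` field is not covered here).

```python
import posixpath

# Constructed allowlist: the only host directories a user may bind-mount.
ALLOWED_SOURCE_PREFIXES = ("/srv/tenant-data",)


def _normalize(path):
    # Collapse ".." and duplicate slashes purely lexically; realpath() would
    # resolve symlinks on the API server, which need not be the Docker host.
    path = posixpath.normpath(path)
    if path.startswith("//"):          # POSIX normpath keeps a leading "//"
        path = "/" + path.lstrip("/")
    return path


def check_bind(bind):
    """Validate one HostConfig.Binds entry of the form "src:dst[:opts]".

    Returns (accepted, reason)."""
    parts = bind.split(":")
    if len(parts) < 2 or not parts[1].startswith("/"):
        return (False, "malformed bind: " + bind)
    src = parts[0]
    if not src.startswith("/"):
        # Not a host path: a named volume managed by Docker itself.
        return (False, "malformed volume name") if "/" in src else (True, "named volume")
    src = _normalize(src)
    if src == "/":
        return (False, "host root must never be shared with a container")
    if not any(src == p or src.startswith(p + "/") for p in ALLOWED_SOURCE_PREFIXES):
        return (False, "host source outside allowlist: " + src)
    return (True, "ok")


def check_create_request(host_config):
    """Return the list of reasons a container-create HostConfig is rejected.

    An empty list means the request passed every check."""
    problems = []
    if host_config.get("Privileged"):
        problems.append("privileged containers are not allowed")
    for bind in host_config.get("Binds") or []:
        accepted, reason = check_bind(bind)
        if not accepted:
            problems.append(reason)
    return problems
```

Run the validator before the request reaches the Docker daemon; anything it rejects should also be logged, since a request that tries to mount / or escape the allowlist is itself a signal worth alerting on.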
To strengthen protection on the service side, Docker's REST API (which clients use to communicate with the service side) switched after version 0.5.2 from a TCP socket bound to 127.0.0.1 to a local Unix socket, because the TCP socket was vulnerable to cross-site scripting attacks. Access to the Unix socket can now be restricted with ordinary Unix permission checks.
Users can still expose the REST API over HTTP. In that case it is recommended to use security mechanisms that restrict access to a trusted network or VPN, or certificate-based protection such as stunnel with SSL authentication. HTTPS with client certificates can further strengthen protection.
The recently improved Linux namespace mechanism will allow full-featured containers to run as non-root users. This fundamentally addresses the security issues that come with sharing file systems between containers and the host.
The ultimate goal is to improve two important security features:
Finally, it is recommended to run Docker and its related management services (for example ssh, process monitoring, and management tools such as nrpe and collectd) on dedicated servers, and to run all other business services inside containers.