2025-02-24 Update From: SLTechnology News&Howtos > Servers
Shulou(Shulou.com)06/01 Report--
This article explains how Docker creates a container from an image. The method described here is simple, fast and practical, so let's take a look at how Docker creates containers from images.
An image file, compared with the familiar PC concept, can be understood as a server-side executable software package. A Dockerfile is the template file used to build an image. For management and security reasons, Docker officially recommends that every image be built from a Dockerfile.
The life cycle of a Docker container is the process of building an image and then running and stopping a container from it. This life cycle can be divided into two phases, non-production and production: the non-production phase must ensure that the image is secure and trustworthy, and the production phase must ensure that the image runs correctly. Securing images in the non-production environment should cover the following aspects:
Run the container as a non-root user
To prevent a container escape from handing out host privileges, the application inside the container should run as a non-root user. If a user is already defined in the container image, the container runs as that user by default, and no specific user-namespace remapping is required. You can add the user in the Dockerfile:
RUN useradd -d /home/username -m -s /bin/bash username
USER username
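As an added example that is not part of the original article, the following POSIX shell check reads a Dockerfile and reports which user the container would end up running as. It assumes only that the Dockerfile is available as a text file and builds nothing; the sample Dockerfiles it writes are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the article): a build-time check that a Dockerfile
# does not leave the container running as root. It only parses the text.
set -eu

# dockerfile_effective_user FILE
# Prints the user set by the last USER instruction. Docker runs as root when
# no USER instruction is present, so "root" is the default. A "user:group"
# value is reduced to the user part; instruction names are case-insensitive.
dockerfile_effective_user() {
    user=$(grep -i '^[[:space:]]*USER[[:space:]]' "$1" \
           | tail -n 1 | awk '{print $2}' | cut -d: -f1)
    printf '%s\n' "${user:-root}"
}

# dockerfile_runs_as_root FILE : succeeds (exit 0) when the image ends up as root,
# either by name or by the numeric uid 0
dockerfile_runs_as_root() {
    u=$(dockerfile_effective_user "$1")
    [ "$u" = "root" ] || [ "$u" = "0" ]
}

# write_sample_dockerfiles DIR : constructed Dockerfiles covering the cases a
# reviewer meets: the article's useradd/USER pair, no USER at all, a switch
# back to uid 0 after a USER line, and a numeric uid:gid form.
write_sample_dockerfiles() {
    printf 'FROM debian:bookworm-slim\nRUN useradd -d /home/username -m -s /bin/bash username\nUSER username\n' \
        > "$1/Dockerfile.nonroot"
    printf 'FROM debian:bookworm-slim\nRUN apt-get update\n' > "$1/Dockerfile.noUser"
    printf 'FROM debian:bookworm-slim\nUSER username\nUSER 0\n' > "$1/Dockerfile.backToRoot"
    printf 'FROM debian:bookworm-slim\nUSER 1000:1000\n' > "$1/Dockerfile.uidgid"
}

# Demonstration: report each constructed Dockerfile.
workdir=$(mktemp -d)
write_sample_dockerfiles "$workdir"
for f in "$workdir"/Dockerfile.*; do
    if dockerfile_runs_as_root "$f"; then
        printf 'FAIL %s runs as root\n' "$(basename "$f")"
    else
        printf 'ok   %s runs as %s\n' "$(basename "$f")" "$(dockerfile_effective_user "$f")"
    fi
done
rm -rf "$workdir"
```

The check deliberately looks at the last USER instruction only: a Dockerfile that switches to an unprivileged user and then back to root to install packages still ships a root container, which is the case that a quick `grep USER` misses.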
Use a secure base image
If the base image has a security problem, the security of the whole image is out of the question. Users can customize a base image to their own needs and enforce the use of an approved base image within the organization, or use a trusted third-party image. Alpine Linux, which is recommended as the base image for all official Docker images, is a good choice; Docker maintains and updates it, so its security is assured.
Remove setuid and setgid permissions from the image
setuid and setgid permissions can be used to elevate privileges. Although they are sometimes necessary, abusing them can lead to illegitimate privilege escalation, so you can restrict their use inside the image. For more information, please refer to: When building the image, remove these permissions by adding the following command to the Dockerfile, usually at its end:
RUN find / -perm +6000 -type f -exec chmod a-s {} \; || true
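The following POSIX shell script is an added example, not code from the article or from Docker: it runs the same setuid/setgid cleanup against a directory tree that stands in for an image's filesystem (a constructed temporary directory), so the step can be verified offline before it goes into a Dockerfile. The spelled-out `-perm` test is the portable equivalent of the article's `-perm +6000`.

```shell
#!/bin/sh
# Added example (not from the article): the setuid/setgid cleanup applied to a
# directory tree, with a count that a build gate can assert on. ROOT is assumed
# to be an extracted image filesystem; here it is a constructed temp directory.
set -eu

# list_suid_sgid ROOT : every regular file under ROOT carrying setuid or setgid.
# "-perm -4000 -o -perm -2000" is the POSIX spelling of GNU find's "+6000"/"/6000"
# (any of the two bits set).
list_suid_sgid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# count_suid_sgid ROOT : number of such files; a build gate expects 0.
count_suid_sgid() {
    list_suid_sgid "$1" | wc -l | tr -d ' '
}

# strip_suid_sgid ROOT : the Dockerfile RUN step, without "|| true" so that a
# failing find or chmod is reported instead of silently ignored.
strip_suid_sgid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -exec chmod a-s {} \;
}

# make_sample_rootfs : constructed stand-in for an image's filesystem with one
# setuid binary, one setgid binary and one ordinary executable.
make_sample_rootfs() {
    root=$(mktemp -d)
    mkdir -p "$root/usr/bin" "$root/bin"
    : > "$root/usr/bin/passwd"; chmod 4755 "$root/usr/bin/passwd"   # setuid
    : > "$root/usr/bin/wall";   chmod 2755 "$root/usr/bin/wall"     # setgid
    : > "$root/bin/sh";         chmod 0755 "$root/bin/sh"           # no special bits
    printf '%s\n' "$root"
}

# Demonstration: count, strip, count again.
root=$(make_sample_rootfs)
printf 'before: %s special-bit files\n' "$(count_suid_sgid "$root")"
list_suid_sgid "$root"
strip_suid_sgid "$root"
printf 'after:  %s special-bit files\n' "$(count_suid_sgid "$root")"
rm -rf "$root"
```

Inside a Dockerfile the RUN line stays as the article gives it; what these functions add is a check that can be run on the exported image filesystem after the build, so that a leftover setuid binary fails the pipeline rather than being hidden by `|| true`.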
Enable Docker content trust
Content trust lets the client sign and verify image tags when it works against a remote Docker registry. It provides digital signatures for data sent to and received from Docker registries, and those signatures let the client verify the integrity of a specific image tag.
Scan the image for security vulnerabilities
An image contains many plug-ins and software packages, which need to be scanned for vulnerabilities, with patches or updates installed according to the results. CoreOS provides an open-source Docker image security scanner, Clair, which statically scans image files and reports the vulnerabilities it finds matched against CVE records.
At this point you should have a better understanding of how Docker creates containers from images; try it out in practice. More related content is available in the relevant channels of this website, so follow us and keep learning!
© 2024 shulou.com SLNews company. All rights reserved.