
How to enable SELinux in Docker

2025-04-06 update. From: SLTechnology News & Howtos (shulou.com), Network Security.


Shulou (Shulou.com) 05/31 report

This article covers how to enable SELinux for Docker containers and, more broadly, the security-related options of docker run: mandatory access control (AppArmor, SELinux), capabilities, privileged mode, no_new_privs, cgroups, seccomp, mounts, namespaces and resource limits. Each item gives the rationale and the command line to use.

1. docker run syntax

docker run [OPTIONS] IMAGE [COMMAND] [ARG...]

2. Security-related docker run parameters

2.1 Enable AppArmor

AppArmor attaches an access-control profile to an executable: the profile can restrict which directories and files the program may read or write, whether it may open or use network sockets, and so on.

Profiles for containers live under /etc/apparmor.d/containers/ (the directory the official Docker documentation uses). The profile used here is the nginx example from that documentation.

A profile must be loaded into the kernel before a container can reference it, otherwise docker run fails. Load (or reload) a profile:

$ sudo apparmor_parser -r -W /etc/apparmor.d/containers/docker-nginx

Unload a profile (-R removes it from the kernel):

$ sudo apparmor_parser -R /path/to/profile

Run a container under the profile:

$ docker run --security-opt "apparmor=docker-nginx" -p 80:80 -d --name apparmor-nginx nginx

When AppArmor is enabled on the host and no profile is named, Docker applies its own docker-default profile; apparmor=unconfined turns confinement off for that container and should be avoided.

2.2 Enable SELinux

Configuration steps

If SELinux is enabled on the host and the Docker daemon is started with SELinux support (selinux-enabled), containers are labelled and confined by default.

[root@localhost selinux]# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      31

[root@localhost selinux]# docker info
...
init version: fec3683
Security Options:
 seccomp
  WARNING: You're not using the default seccomp profile
  Profile: /etc/docker/seccomp/default-no-chmod.json
 selinux
 userns
Kernel Version: 3.10.0-1062.12.1.el7.x86_64

Test: mount the host's / into the container at /hacking.

[root@localhost selinux]# docker run -it --rm -v /:/hacking centos:latest /bin/sh
...
sha256:fe8d824220415eed5477b63addf40fb06c3b049404242b31982106ac204f6700
Status: Downloaded newer image for centos:latest
sh-4.4# cd /
sh-4.4# ls
bin  dev  etc  hacking  home  lib  lib64  lost+found  media  mnt  opt  proc  root  run  sbin  srv  sys  tmp  usr  var
sh-4.4# cd hacking/
sh-4.4# ls
bin  boot  dev  etc  home  lib  lib64  media  mnt  opt  proc  root  run  sbin  srv  sys  tmp  usr  var
sh-4.4# cd var/log
sh-4.4# ls
ls: cannot open directory '.': Permission denied

The bind mount itself succeeds, but the container process runs as the container_t type, which the targeted policy does not allow to read host files such as those labelled var_log_t, so the sensitive directory is denied. The denial is recorded on the host as an AVC message (ausearch -m avc). Note that adding :z or :Z to a volume relabels the host path to make it readable by containers, which removes exactly this protection; never relabel / or another system directory.

The run-time options can change the SELinux level. A label has four parts, user:role:type:level, and --security-opt label=... overrides individual fields of the container process label, while label=disable turns labelling off for that container:

docker run --security-opt label=type:spc_t IMAGE [COMMAND]
docker run --interactive --tty --security-opt label=level:TopSecret centos /bin/bash
docker run -it --security-opt label=disable alpine sh

spc_t is the "super privileged container" type, which is unconfined; using it or label=disable gives up SELinux separation for that container.

Labels

[root@localhost ~]# ls /etc/selinux/targeted/contexts/files/
file_contexts      file_contexts.homedirs      file_contexts.subs       media
file_contexts.bin  file_contexts.homedirs.bin  file_contexts.subs_dist
[root@localhost ~]# cat /etc/selinux/targeted/contexts/files/file_contexts

2.3 Restrict the kernel capabilities of the running container

The Linux kernel splits the privileges of the root user into separate units called capabilities. For example, CAP_CHOWN allows a process to make arbitrary changes to file UIDs and GIDs, and CAP_DAC_OVERRIDE allows it to bypass the kernel's permission checks for reading, writing and executing files. Almost every special power traditionally tied to root is broken out into its own capability.

Finer-grained capability control can be used to:

Remove individual capabilities from a root process, making it less powerful and less dangerous.

Grant individual privileges to a non-root process at a very fine level.

Capabilities apply to files and to threads. File capabilities let a user run a program with elevated privileges, much like the setuid bit. Thread capabilities track the current capability sets of a running process.

By default Docker takes an allow-list approach: it drops every capability except the ones in its default set.

Start commands

docker run --rm -it --cap-drop $CAP alpine sh
docker run --rm -it --cap-add $CAP alpine sh
docker run --rm -it --cap-drop ALL --cap-add $CAP alpine sh

The full list of capabilities is in capabilities(7), http://man7.org/linux/man-pages/man7/capabilities.7.html. Of the roughly 40 Linux capabilities, Docker's default set contains only 14: CAP_CHOWN, CAP_DAC_OVERRIDE, CAP_FSETID, CAP_FOWNER, CAP_MKNOD, CAP_NET_RAW, CAP_SETGID, CAP_SETUID, CAP_SETFCAP, CAP_SETPCAP, CAP_NET_BIND_SERVICE, CAP_SYS_CHROOT, CAP_KILL and CAP_AUDIT_WRITE. Anything else (CAP_SYS_ADMIN, CAP_NET_ADMIN, CAP_SYS_PTRACE, ...) has to be added explicitly with --cap-add, and --privileged grants all of them.
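To see what a given combination of --cap-add and --cap-drop actually leaves in the container, and to read back the result from a running container, the following Python script is an added example written for this article (it is not the article's own code and not part of Docker). The capability bit numbers are those of <linux/capability.h>, the /proc/1/status excerpt is constructed, and the add/drop resolution follows Docker's documented behaviour (ALL expands to every capability and --cap-drop ALL empties the default set before --cap-add is applied); treating a capability that is both added and dropped as "drop wins" is this example's own simplification.

```python
"""Resolve --cap-add/--cap-drop to a capability set and decode CapEff masks."""

# Bit numbers from <linux/capability.h>; CapEff in /proc/<pid>/status is a
# bitmask over these.
CAP_BITS = {
    "CAP_CHOWN": 0, "CAP_DAC_OVERRIDE": 1, "CAP_DAC_READ_SEARCH": 2,
    "CAP_FOWNER": 3, "CAP_FSETID": 4, "CAP_KILL": 5, "CAP_SETGID": 6,
    "CAP_SETUID": 7, "CAP_SETPCAP": 8, "CAP_LINUX_IMMUTABLE": 9,
    "CAP_NET_BIND_SERVICE": 10, "CAP_NET_BROADCAST": 11, "CAP_NET_ADMIN": 12,
    "CAP_NET_RAW": 13, "CAP_IPC_LOCK": 14, "CAP_IPC_OWNER": 15,
    "CAP_SYS_MODULE": 16, "CAP_SYS_RAWIO": 17, "CAP_SYS_CHROOT": 18,
    "CAP_SYS_PTRACE": 19, "CAP_SYS_PACCT": 20, "CAP_SYS_ADMIN": 21,
    "CAP_SYS_BOOT": 22, "CAP_SYS_NICE": 23, "CAP_SYS_RESOURCE": 24,
    "CAP_SYS_TIME": 25, "CAP_SYS_TTY_CONFIG": 26, "CAP_MKNOD": 27,
    "CAP_LEASE": 28, "CAP_AUDIT_WRITE": 29, "CAP_AUDIT_CONTROL": 30,
    "CAP_SETFCAP": 31, "CAP_MAC_OVERRIDE": 32, "CAP_MAC_ADMIN": 33,
    "CAP_SYSLOG": 34, "CAP_WAKE_ALARM": 35, "CAP_BLOCK_SUSPEND": 36,
    "CAP_AUDIT_READ": 37, "CAP_PERFMON": 38, "CAP_BPF": 39,
    "CAP_CHECKPOINT_RESTORE": 40,
}

# The 14 capabilities Docker grants a container by default.
DOCKER_DEFAULT_CAPS = frozenset({
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_FSETID", "CAP_FOWNER", "CAP_MKNOD",
    "CAP_NET_RAW", "CAP_SETGID", "CAP_SETUID", "CAP_SETFCAP", "CAP_SETPCAP",
    "CAP_NET_BIND_SERVICE", "CAP_SYS_CHROOT", "CAP_KILL", "CAP_AUDIT_WRITE",
})


def normalize(name):
    """Docker accepts 'chown', 'CHOWN' and 'CAP_CHOWN'; map them all to CAP_CHOWN."""
    name = name.strip().upper()
    if name == "ALL":
        return "ALL"
    if not name.startswith("CAP_"):
        name = "CAP_" + name
    if name not in CAP_BITS:
        raise ValueError("unknown capability: " + name)
    return name


def resolve_caps(cap_add=(), cap_drop=(), privileged=False):
    """Capability set a root process in the container ends up with."""
    adds = {normalize(c) for c in cap_add}
    drops = {normalize(c) for c in cap_drop}
    if privileged:                      # --privileged: everything, adds/drops ignored
        return frozenset(CAP_BITS)
    caps = set() if "ALL" in drops else set(DOCKER_DEFAULT_CAPS)
    if "ALL" in adds:
        caps = set(CAP_BITS)
    else:
        caps |= adds
    caps -= drops - {"ALL"}             # simplification: an explicit drop wins
    return frozenset(caps)


def decode_capeff(hex_mask):
    """Turn the CapEff/CapBnd hex value from /proc/<pid>/status into names."""
    mask = int(hex_mask, 16)
    return frozenset(n for n, bit in CAP_BITS.items() if mask >> bit & 1)


def encode_capeff(caps):
    """Inverse of decode_capeff, in the 16-hex-digit form the kernel prints."""
    mask = 0
    for c in caps:
        mask |= 1 << CAP_BITS[c]
    return "%016x" % mask


def capeff_from_status(status_text):
    """Extract and decode the CapEff line of a /proc/<pid>/status dump."""
    for line in status_text.splitlines():
        if line.startswith("CapEff:"):
            return decode_capeff(line.split()[1])
    raise ValueError("no CapEff line in status text")


# Constructed excerpt of `cat /proc/1/status` inside an unmodified container.
SAMPLE_STATUS = (
    "Name:\tsh\n"
    "CapInh:\t0000000000000000\n"
    "CapPrm:\t00000000a80425fb\n"
    "CapEff:\t00000000a80425fb\n"
    "CapBnd:\t00000000a80425fb\n"
    "CapAmb:\t0000000000000000\n"
    "NoNewPrivs:\t0\n"
)

if __name__ == "__main__":
    print(sorted(resolve_caps(["CHOWN"], ["ALL"])))
    print(sorted(resolve_caps(["ALL"], ["SYS_ADMIN"])))
    print(sorted(capeff_from_status(SAMPLE_STATUS)))
```

Inside a running container, grep CapEff /proc/1/status and pass the hex value to decode_capeff (capsh --decode=... from libcap does the same on the host); the value 00000000a80425fb is exactly Docker's 14-capability default set.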

Test commands

$ docker container run --rm -it alpine chown nobody /
$ docker container run --rm -it --cap-drop ALL --cap-add CHOWN alpine chown nobody /
$ docker container run --rm -it --cap-drop CHOWN alpine chown nobody /
$ docker container run --rm -it --cap-add chown -u nobody alpine chown nobody /

The first two commands succeed (CAP_CHOWN is in the default set, and is re-added after dropping everything). The third fails with "Operation not permitted". The fourth also fails: the process runs as the non-root user nobody, and a non-root process has an empty effective capability set even when CAP_CHOWN is in the container's bounding set.

2.4 Run the container without privileged mode

The --privileged flag lets processes in the container access host resources directly: the container gets every capability (including CAP_SYS_ADMIN), all host devices, and no seccomp or AppArmor confinement. A root process in a privileged container is therefore effectively root on the host, and an attacker who reaches such a container can abuse it to take over the host.

Once an attacker has access to an exposed privileged container, a range of follow-on attacks opens up: identifying the software running on the host and exploiting its vulnerabilities, or exploiting container software vulnerabilities and misconfigurations such as weak credentials or unauthenticated services. Because the attacker has root access, malicious code or a cryptominer can be run and effectively hidden.

Test

Create a container:

docker run -d --name centos7 --privileged=true centos:7 /usr/sbin/init

Enter the container:

docker exec -it centos7 /bin/bash

2.5 Prevent the container from gaining new privileges: --security-opt=no-new-privileges

What this means:

A process can set the no_new_privs bit in the kernel; the bit is inherited across fork, clone and exec.

The no_new_privs bit ensures that neither the process nor its children can acquire any additional privileges.

Once the bit is set, the process cannot clear it.

Even if the process executes a setuid binary, or an executable with file capabilities set, a process with no_new_privs is not allowed to change its uid/gid or to gain any capabilities.

no_new_privs also prevents Linux security modules (LSMs) such as SELinux from transitioning to a process label that the current process could not otherwise reach. An SELinux-confined process can therefore only transition to types with fewer privileges.

Test program testnnp.c, which prints the effective uid:

#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>

int main(int argc, char *argv[])
{
    /* A setuid-root copy of this binary prints 0 when the uid change is
     * honoured, and the caller's uid when no_new_privs blocks it. */
    printf("Effective uid: %d\n", geteuid());
    return 0;
}

Compile

[root@localhost]# make testnnp
cc testnnp.c -o testnnp

Build an image; the Dockerfile:

FROM fedora:latest
ADD testnnp /root/testnnp
RUN chmod +s /root/testnnp
ENTRYPOINT /root/testnnp

Build the test image

[root@localhost]# docker build -t testnnp .

Test

# docker run -it --rm --user=1000 testnnp

The setuid bit is honoured and the program prints "Effective uid: 0".

With no-new-privileges

# docker run -it --rm --user=1000 --security-opt=no-new-privileges testnnp

The setuid bit is ignored and the program prints "Effective uid: 1000".

2.6 Use cgroups to make sure the container runs in a defined cgroup

Use --cgroup-parent to place the container under a known parent cgroup; without it the container lands in Docker's default parent. Control groups (cgroups) are another important Linux kernel feature, used to limit and account for resource usage.

A cgroup is a kernel feature that lets you restrict the access of processes and containers to system resources such as CPU, RAM, IOPS and network.

$ docker run -d --name='low_prio' --cpuset-cpus=0 --cpu-shares=20 busybox md5sum /dev/urandom

2.7 Enable seccomp

seccomp was mentioned under daemon security: it is a kernel syscall filter, and a seccomp profile is a named policy. You can specify the profile to use at docker run time instead of the default the daemon applies. seccomp=unconfined disables the filter entirely, so the following command should not be used in production:
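A custom profile such as the default-no-chmod.json used above is normally derived from Docker's default profile by removing syscalls from its allow rules. The following Python script shows that derivation and a sanity check of the result; it is an added example written for this article, not the article's code and not part of Docker. The base profile is a constructed miniature of Docker's default.json (same shape, far fewer syscall names).

```python
"""Derive a tighter seccomp profile from a base profile and lint it."""
import json

# Constructed miniature of Docker's default.json. Anything not matched by a
# rule is refused with EPERM by defaultAction.
BASE_PROFILE = {
    "defaultAction": "SCMP_ACT_ERRNO",
    "architectures": ["SCMP_ARCH_X86_64", "SCMP_ARCH_X86", "SCMP_ARCH_X32"],
    "syscalls": [
        {"names": ["read", "write", "openat", "close", "exit_group",
                   "chmod", "fchmod", "fchmodat"],
         "action": "SCMP_ACT_ALLOW", "args": []},
        # Docker's profile gates some rules on a capability the container holds.
        {"names": ["chown", "fchown", "fchownat"],
         "action": "SCMP_ACT_ALLOW", "args": [],
         "includes": {"caps": ["CAP_CHOWN"]}},
    ],
}

CHMOD_FAMILY = ("chmod", "fchmod", "fchmodat")


def allowed_syscalls(profile):
    """Every syscall name that some SCMP_ACT_ALLOW rule lists."""
    names = set()
    for rule in profile.get("syscalls", []):
        if rule.get("action") == "SCMP_ACT_ALLOW":
            names.update(rule.get("names", []))
    return names


def drop_syscalls(profile, names):
    """Copy `profile` with `names` removed from every allow rule.

    A rule left with no names is deleted; the removed syscalls then fall
    through to defaultAction. The base profile is not modified."""
    names = set(names)
    new = json.loads(json.dumps(profile))        # deep copy
    kept = []
    for rule in new.get("syscalls", []):
        if rule.get("action") == "SCMP_ACT_ALLOW":
            rule["names"] = [n for n in rule.get("names", []) if n not in names]
            if not rule["names"]:
                continue
        kept.append(rule)
    new["syscalls"] = kept
    return new


def lint(profile):
    """Return a list of problems; an empty list means the profile is usable."""
    problems = []
    if profile.get("defaultAction") in (None, "SCMP_ACT_ALLOW"):
        problems.append("defaultAction must deny (e.g. SCMP_ACT_ERRNO), not allow")
    if not profile.get("architectures"):
        problems.append("no architectures listed")
    for i, rule in enumerate(profile.get("syscalls", [])):
        if not rule.get("names"):
            problems.append("rule %d has no syscall names" % i)
        if not str(rule.get("action", "")).startswith("SCMP_ACT_"):
            problems.append("rule %d has an invalid action" % i)
    return problems


def dumps(profile):
    """Serialise for `docker run --security-opt seccomp=<file>`."""
    return json.dumps(profile, indent=2, sort_keys=True)


if __name__ == "__main__":
    tight = drop_syscalls(BASE_PROFILE, CHMOD_FAMILY)
    assert not lint(tight)
    print(dumps(tight))
```

Write the output of dumps() to a file and pass its path with --security-opt seccomp=<file>; check the denial with a quick chmod inside the container, which should fail with "Operation not permitted".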

$ docker container run --rm -it --security-opt seccomp=unconfined debian:jessie sh

Specify a seccomp profile (the argument is the path to a JSON profile file):

$ docker run --rm -it --security-opt seccomp=default-no-chmod.json alpine sh

2.8 Do not mount the host's system partitions into the container

These include:

/

/boot

/dev

/etc

/lib

/proc

/sys

/usr

2.9 Mount the container root filesystem read-only (--read-only)

With --read-only the container's root filesystem is mounted read-only:

[root@localhost ~]# docker run -it --read-only 72300a873c2c /bin/bash
root@f077b480dbe5:/# ls
bin  boot  dev  etc  home  lib  lib64  media  mnt  opt  proc  root  run  sbin  srv  sys  tmp  usr  var
root@f077b480dbe5:/# touch 111
touch: cannot touch '111': Read-only file system

If a directory does need to be written, grant write access only to that path, for example by mounting a specific directory with rw while the rest of the filesystem stays read-only (scratch space can also come from --tmpfs):

docker run --interactive --tty --read-only -v /opt/app/data:/run/app/data:rw centos /bin/bash

2.10 Do not mount the host's docker.sock into any container

After Docker is installed, the daemon listens on the Unix domain socket /var/run/docker.sock.

The following command runs a container interactively (-ti drops you straight into a shell) with docker.sock bind-mounted:

# docker run -v /var/run/docker.sock:/var/run/docker.sock -ti alpine sh

With the socket mounted, the container has full control of the Docker daemon: it can start a new privileged container with the host's / mounted, which is equivalent to root on the host. Mounting the socket read-only does not help, because the API is driven over the same socket.

2.11 Do not use shared mount propagation

Do not use the shared propagation mode on a volume, as in --volume=/hostPath:/containerPath:shared. With shared propagation, mounts created inside the container propagate back to the host.

# docker run --volume=/hostPath:/containerPath:shared ...

2.12 Do not mount host devices directly; if necessary, make them read-only

This prevents users in the container from modifying host devices. The third field of --device is the cgroup permission set (r, w, m):

docker run --interactive --tty --device=/dev/tty0:/dev/tty0:rw --device=/dev/temp_sda:/dev/temp_sda:r centos bash

2.13 Set the on-failure restart policy to 5 attempts

The --restart flag of docker run sets a restart policy that defines how the container should be restarted when it exits. Choose the on-failure policy and cap the restart attempts at 5.

Restarting a container indefinitely can cause a denial of service on the host, especially when several containers share it. Ignoring the container's exit status and always restarting it also hides the root cause of the termination: when a container dies, the reason should be investigated rather than papered over by endless restarts. Use on-failure with a maximum of 5 attempts.

docker run --detach --restart=on-failure:5 nginx

2.14 Do not share the host network namespace

--net=host: host mode creates no isolated network environment for the container. The container shares the host's network namespace, so it uses the host's eth0 to talk to the outside world exactly as the host does.

Containers in this mode have no isolated network namespace.

The container's IP address is the IP address of the Docker host.

Ports used by services in the container must not collide with ports already in use on the host.

Host mode can coexist with the other network modes on the same host.

2.15 Do not share the host PID namespace; do not use --pid=host

By default every container has its own PID namespace. The PID namespace separates processes: it hides the rest of the system's processes and allows process IDs, including PID 1, to be reused.

Occasionally a container needs to share the host's process namespace, which lets processes in the container see all processes on the host, for example a container with debugging tools that is meant to debug host processes.

With --pid=host the container can act directly on host processes. If the daemon is configured with user namespace remapping, running a container with this flag fails to start.

docker run --interactive --tty --pid=host centos /bin/bash

2.16 Do not share the host IPC namespace; do not use --ipc=host

Some applications have worker processes exchange data with a single "administrative" process through shared memory buffers, for performance reasons.

--ipc=MODE sets the container's IPC mode. shareable gives the container its own private IPC namespace that other containers may join; host uses the host's IPC namespace.

Host mode must not be used. The following is an example of what not to do:

docker run --interactive --tty --ipc=host centos /bin/bash

To share IPC with another container instead, use --ipc=container:NAME:

docker run -d --ipc=shareable --name data-server data-server
docker run -d --ipc=container:data-server --name data-client data-client

2.17 Do not share the host UTS namespace; do not use --uts=host

The UTS namespace holds the hostname and domain name visible to the processes in it. By default every container, including those started with --network=host, has its own UTS namespace. --uts=host makes the container use the same UTS namespace as the host; --hostname is ignored in host UTS mode.

The only use case is when a hostname change on the host must be reflected inside the container.

2.18 Do not share the host user namespace; do not use --userns=host

By default the Docker daemon runs as root, which it needs in order to create the kernel structures that start a container, but which also carries risk.

By default the container's processes also run as root. With user namespace remapping enabled on the daemon (userns-remap), root inside the container maps to an unprivileged uid on the host; --userns=host opts a container out of that mapping and should not be used. Prefer running as a non-root user with --user.

# docker run --rm alpine id
# docker run --rm --user 1000:1000 alpine id
# docker run --rm --privileged --userns=host alpine id

2.19 Limit the container's memory and CPU usage

Parameters commonly used to limit CPU and memory:

-c / --cpu-shares only sets the container's relative share of CPU time when there is contention; it is not a hard cap.

--cpus takes a decimal number and caps the number of CPU cores the container may use (for example --cpus=1.5).

-m / --memory: the maximum memory the container may use (the minimum is small: 4m on the Docker release used here, 6m on current releases).

--memory-swap: the total of memory plus swap the container may use; -1 allows unlimited swap.

2.20 Override the default ulimit at docker run if necessary

The Docker daemon can set default ulimits; when needed, docker run can override them for one container:

# docker run --ulimit nofile=1024:1024 --interactive --tty centos /bin/bash

2.21 Use --pids-limit to cap the number of processes in the container

The pids cgroup limit, --pids-limit, defends against fork bombs and similar resource-exhaustion attacks by capping how many processes can exist inside the container at once.

# docker run -it --pids-limit 100 IMAGE

2.22 Check the container's run-time state with --health-cmd

Used to check the running state of the container (the check runs inside the container on the given interval; --health-timeout bounds each run):

# docker run -d --name db --health-cmd "curl --fail http://localhost:8091/pools || exit 1" --health-interval=5s --health-timeout=3s arungupta/couchbase

2.23 Bind inbound traffic to a specific host interface and port

Publish to a specific host address and port (HOST_IP:HOST_PORT:CONTAINER_PORT) rather than all interfaces:

docker run --detach --publish 10.2.3.4:49153:80 nginx

2.24 Do not use Docker's default bridge network docker0

In bridge mode Docker attaches each container's virtual interface to a common bridge called docker0. This default network model is exposed to ARP spoofing and MAC flooding between containers because traffic on the bridge is not filtered.

In practice the network is usually configured by the orchestration system instead.

2.25 Use ports above 1024 and map only the ports that must be exposed

Ports below 1024 are normally used by system services; mapping a container onto one of them can collide with a host service, with 80 and 443 as the usual exceptions for web front ends. Externally mapped container ports should be limited to those that must be reachable.

2.26 Make sure docker commands use the latest version of the image

Use a freshly pulled image (docker pull before docker run) rather than a stale cached copy, so that vulnerabilities fixed upstream are not reintroduced. For reproducibility, pin a digest and refresh it deliberately instead of trusting a mutable tag such as latest.

2.27 Use minimal containers that carry no redundant components or services

Strip SSH, Telnet and any other component or service the workload does not need.

2.28 Do not use the --privileged option with docker exec

--privileged on docker exec gives the executed command extended Linux capabilities inside an otherwise confined container, so it must not be used.

2.29 Do not use the --user=root option with docker exec

--user=root on docker exec runs the command inside the container as root. For example, if the container runs as tomcat (or any other non-root user), --user=root lets docker exec run commands as root anyway, defeating the point of the non-root user.
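The run-time checks of section 2 are easiest to apply after the fact against the JSON that docker inspect prints. The following Python script does that; it is an added example written for this article, not the article's own code and not part of Docker or of the CIS benchmark. The field names are those of docker inspect output (HostConfig and Config), the two sample records are constructed and trimmed to the fields the checks read, and the check identifiers are the section numbers of this page.

```python
"""Audit `docker inspect` records against the run-time checks of section 2."""
import json

DOCKER_SOCK = "docker.sock"
HOST_SYSTEM_PATHS = {"/", "/boot", "/dev", "/etc", "/lib", "/proc", "/sys", "/usr"}
HOST_NAMESPACES = (("NetworkMode", "2.14", "--net=host"), ("PidMode", "2.15", "--pid=host"),
                   ("IpcMode", "2.16", "--ipc=host"), ("UTSMode", "2.17", "--uts=host"),
                   ("UsernsMode", "2.18", "--userns=host"))


def mounts(hc):
    """Yield (host_source, options) for both the -v and the --mount forms."""
    for bind in hc.get("Binds") or []:                 # "src:dst[:opt,opt]"
        parts = bind.split(":")
        yield parts[0], (parts[2].split(",") if len(parts) > 2 else [])
    for m in hc.get("Mounts") or []:
        if m.get("Type") == "bind":
            prop = (m.get("BindOptions") or {}).get("Propagation", "")
            yield m.get("Source", ""), ([prop] if prop else [])


def audit(record):
    """Return [(check_id, message), ...] for one inspect record; [] is clean."""
    hc, cfg = record.get("HostConfig") or {}, record.get("Config") or {}
    findings = []
    flag = lambda cid, msg: findings.append((cid, msg))
    if hc.get("Privileged"):
        flag("2.4", "runs with --privileged")
    if hc.get("CapAdd"):
        flag("2.3", "capabilities added: " + ",".join(hc["CapAdd"]))
    if "no-new-privileges" not in (hc.get("SecurityOpt") or []):
        flag("2.5", "missing --security-opt no-new-privileges")
    for field, cid, opt in HOST_NAMESPACES:
        if hc.get(field) == "host":
            flag(cid, "shares the host namespace via " + opt)
    for src, opts in mounts(hc):
        if src.endswith(DOCKER_SOCK):
            flag("2.10", "docker.sock mounted from " + src)
        if src in HOST_SYSTEM_PATHS:
            flag("2.8", "host system path mounted: " + src)
        if "shared" in opts or "rshared" in opts:
            flag("2.11", "shared mount propagation on " + src)
    if not hc.get("ReadonlyRootfs"):
        flag("2.9", "root filesystem is writable (no --read-only)")
    for d in hc.get("Devices") or []:
        if set("wm") & set(d.get("CgroupPermissions", "")):
            flag("2.12", "host device not read-only: " + d.get("PathOnHost", "?"))
    rp = hc.get("RestartPolicy") or {}
    if rp.get("Name") != "on-failure" or rp.get("MaximumRetryCount") != 5:
        flag("2.13", "restart policy is not on-failure:5")
    if not hc.get("Memory"):
        flag("2.19", "no memory limit")
    if not (hc.get("NanoCpus") or hc.get("CpuShares") or hc.get("CpuQuota")):
        flag("2.19", "no CPU limit")
    if not hc.get("PidsLimit"):
        flag("2.21", "no --pids-limit")
    if not cfg.get("Healthcheck"):
        flag("2.22", "no health check")
    if not cfg.get("User"):
        flag("2.18", "no --user set; processes run as root inside the container")
    for port, binds in (hc.get("PortBindings") or {}).items():
        for b in binds or []:
            if b.get("HostIp", "") in ("", "0.0.0.0", "::"):
                flag("2.23", port + " is published on every host interface")
            try:
                host_port = int(b.get("HostPort") or 0)
            except ValueError:
                host_port = 0
            if 0 < host_port < 1024 and host_port not in (80, 443):
                flag("2.25", port + " is mapped to privileged host port %d" % host_port)
    return findings


def audit_json(text):
    """`docker inspect` prints a JSON array; audit every record in it."""
    return {r.get("Name", "?"): audit(r) for r in json.loads(text)}


# Constructed records, trimmed to the fields the checks read.
RISKY = {"Name": "/debug", "Config": {"User": "", "Healthcheck": None},
         "HostConfig": {"Privileged": True, "CapAdd": ["SYS_ADMIN"], "SecurityOpt": None,
                        "NetworkMode": "host", "PidMode": "host", "IpcMode": "", "UTSMode": "", "UsernsMode": "",
                        "Binds": ["/var/run/docker.sock:/var/run/docker.sock", "/:/hacking", "/data:/data:rw,rshared"],
                        "Mounts": [], "ReadonlyRootfs": False,
                        "Devices": [{"PathOnHost": "/dev/sda", "PathInContainer": "/dev/sda", "CgroupPermissions": "rwm"}],
                        "RestartPolicy": {"Name": "always", "MaximumRetryCount": 0},
                        "Memory": 0, "NanoCpus": 0, "CpuShares": 0, "CpuQuota": 0, "PidsLimit": None,
                        "PortBindings": {"22/tcp": [{"HostIp": "", "HostPort": "22"}]}}}
HARDENED = {"Name": "/app", "Config": {"User": "1000:1000",
                                       "Healthcheck": {"Test": ["CMD", "curl", "--fail", "http://localhost:8080/"]}},
            "HostConfig": {"Privileged": False, "CapAdd": None, "CapDrop": ["ALL"], "SecurityOpt": ["no-new-privileges"],
                           "NetworkMode": "bridge", "PidMode": "", "IpcMode": "private", "UTSMode": "", "UsernsMode": "",
                           "Binds": ["/opt/app/data:/run/app/data:rw"], "Mounts": [], "ReadonlyRootfs": True, "Devices": [],
                           "RestartPolicy": {"Name": "on-failure", "MaximumRetryCount": 5},
                           "Memory": 268435456, "NanoCpus": 500000000, "PidsLimit": 100,
                           "PortBindings": {"8080/tcp": [{"HostIp": "10.2.3.4", "HostPort": "49153"}]}}}
SAMPLE_INSPECT_JSON = json.dumps([RISKY, HARDENED])

if __name__ == "__main__":
    for name, result in audit_json(SAMPLE_INSPECT_JSON).items():
        print(name, result or "clean")
```

Run it on real output with docker inspect $(docker ps -q) piped into audit_json. Absence of a finding is not proof of safety (seccomp and AppArmor profiles, for instance, are only reported by name in SecurityOpt and are not checked here), but every finding is a concrete docker run flag to fix.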

3. Other parameters

[OPTIONS] of docker run:

--add-host list: add a custom host-to-IP mapping (format host:ip)
-a, --attach list: attach to STDIN, STDOUT or STDERR
--blkio-weight uint16: block IO weight (relative), between 10 and 1000; 0 disables (default 0)
--blkio-weight-device list: block IO weight (relative, per device) (default [])
--cap-add list: add Linux capabilities
--cap-drop list: drop Linux capabilities
--cgroup-parent string: optional parent cgroup for the container
--cidfile string: write the container ID to the file
--cpu-period int: limit the CPU CFS (Completely Fair Scheduler) period
--cpu-quota int: limit the CPU CFS quota
--cpu-rt-period int: limit the CPU real-time period (microseconds)
--cpu-rt-runtime int: limit the CPU real-time runtime (microseconds)
-c, --cpu-shares int: CPU shares (relative weight)
--cpus decimal: number of CPUs
--cpuset-cpus string: CPUs in which to allow execution (0-3, 0,1)
--cpuset-mems string: memory nodes (MEMs) in which to allow execution (0-3, 0,1)
-d, --detach: run the container in the background and print the container ID
--detach-keys string: override the key sequence for detaching a container
--device list: add a host device to the container
--device-cgroup-rule list: add one or more rules to the cgroup allowed-devices list
--device-read-bps list: limit the read rate (bytes per second) from a device (default [])
--device-read-iops list: limit the read rate (IO per second) from a device (default [])
--device-write-bps list: limit the write rate (bytes per second) to a device (default [])
--device-write-iops list: limit the write rate (IO per second) to a device (default [])
--disable-content-trust: skip image verification (default true)
--dns list: set custom DNS servers
--dns-option list: set DNS options
--dns-search list: set custom DNS search domains
--entrypoint string: overwrite the default ENTRYPOINT of the image
-e, --env list: set environment variables
--env-file list: read in a file of environment variables
--expose list: expose one or more ports
--group-add list: additional groups to join
--health-cmd string: command to run to check health
--health-interval duration: time between running the check (ms|s|m|h)
--health-retries int: consecutive failures needed to report unhealthy
--health-start-period duration: start period for the container to initialize before starting the health-retries countdown (ms|s|m|h)
--health-timeout duration: maximum time to allow one check to run (ms|s|m|h)
--help: print usage
-h, --hostname string: container hostname
--init: run an init inside the container that forwards signals and reaps processes
-i, --interactive: keep STDIN open even if not attached
--ip string: IPv4 address of the container (e.g., 192.168.155.139)
--ip6 string: IPv6 address of the container (e.g., 2001:db8::33)
--ipc string: IPC mode to use
--isolation string: container isolation technology
--kernel-memory bytes: kernel memory limit
-l, --label list: set metadata on the container
--label-file list: read in a line-delimited file of labels
--link list: add a link to another container
--link-local-ip list: container IPv4/IPv6 link-local addresses
--log-driver string: logging driver for the container
--log-opt list: log driver options
--mac-address string: container MAC address (e.g., 92:d0:c6:0a:29:33)
-m, --memory bytes: memory limit
--memory-reservation bytes: memory soft limit
--memory-swap bytes: swap limit equal to memory plus swap; '-1' enables unlimited swap
--memory-swappiness int: tune container memory swappiness (0 to 100) (default -1)
--mount mount: attach a filesystem mount to the container
--name string: assign a name to the container
--network string: connect the container to a network
--network-alias list: add network-scoped aliases for the container
--no-healthcheck: disable any container-specified HEALTHCHECK
--oom-kill-disable: disable the OOM killer for the container
--oom-score-adj int: tune the host's OOM preferences (-1000 to 1000)
--pid string: PID namespace to use
--pids-limit int: tune the container pids limit (-1 for unlimited)
--privileged: give extended privileges to the container
-p, --publish list: publish a container's port(s) to the host
-P, --publish-all: publish all exposed ports to random ports
--read-only: mount the container's root filesystem as read-only
--restart string: restart policy to apply when the container exits (default "no")
--rm: automatically remove the container when it exits
--runtime string: runtime to use for the container
--security-opt list: security options
--shm-size bytes: size of /dev/shm
--sig-proxy: proxy received signals to the process (default true)
--stop-signal string: signal to stop the container (default "SIGTERM")
--stop-timeout int: timeout (in seconds) to stop the container
--storage-opt list: storage driver options for the container
--sysctl map: sysctl options (default map[])
--tmpfs list: mount a tmpfs directory
-t, --tty: allocate a pseudo-TTY
--ulimit ulimit: ulimit options (default [])
-u, --user string: username or UID (format:
