How to achieve security and isolation in Docker container

2025-01-17 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/01 Report--

This article introduces how to achieve security and isolation in Docker containers. Many people run into this problem in real operations, so the editor walks you through how to deal with these situations. I hope you read it carefully and get something out of it!

Virtualization and isolation

Operating-system-level virtualization, containers, zones, and "chroot on steroids" are all names for the same concept: user-space isolation. Products like Docker use operating-system-level virtualization to provide additional security through user-space isolation.

As of version 0.9, Docker includes the libcontainer library as its own way of directly using the virtualization facilities provided by the Linux kernel, in addition to the abstracted virtualization interfaces it uses through LXC [1], systemd-nspawn [2], and libvirt [3].

All of these virtualization libraries build on Linux's native container primitives (see figure above):

* namespaces

* cgroups

* capabilities, and so on.

Docker combines these features in a single package, which it calls a container format.

Libcontainer

The default container format is called libcontainer.

Docker also supports traditional Linux containers through LXC (https://linuxcontainers.org/). In the future, Docker may support other container formats, such as BSD Jails or Solaris Zones.

An execution driver is an implementation of a specific container format that is used to run Docker containers. In the latest version, libcontainer has the following features:

* It is the default execution driver for running Docker containers.

* It ships alongside the LXC driver.

* It is a pure Go library with no other dependencies that accesses the kernel's container APIs directly.

* Docker can now manipulate namespaces, manage cgroups, set the capability set, configure environment variables for the running process, and set up network interfaces and firewall rules, all in a fixed, predictable way that does not depend on LXC or any other userland package.

* Give it a root filesystem and libcontainer's container configuration, and it does the rest.

* It can create new containers or join existing ones.

* Because stability is the most pressing need for libcontainer, the development team has made it the default.

* Starting with Docker 0.9, LXC is optional and can be turned off.

* Note: LXC will continue to be supported in the future.

* To go back to the LXC driver, simply run `docker -d -e lxc` and then restart Docker.

User namespace

Docker does not virtualize hardware; instead, it relies on the kernel's namespace abstraction to give each container a separate workspace. When you run a container, Docker creates a new set of namespaces for it.

Some of the Linux namespaces used by Docker:

* pid namespace

  * used to isolate processes (PID: Process ID).

  * processes running in a container look just like processes on a normal Linux system, although they share the underlying kernel with other processes.

* net namespace

  * used for managing network interfaces.

  * DNAT lets you configure the network of each container on the host individually and provides a convenient interface for passing traffic between them.

  * you can also replace this with a bridge onto a physical interface.

* ipc namespace

  * used to manage access to IPC (IPC: InterProcess Communication) resources.

* mnt namespace

  * used to manage mount points (MNT: Mount).

* uts namespace

  * used to isolate kernel and version identifiers (UTS: Unix Timesharing System).
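A defender's check built on the namespace list above, added here as an example (not code from the original article): each namespace instance is identified by the inode in the `/proc/<pid>/ns/<name>` link target, so comparing a container's init process against host PID 1 shows which namespaces the container still shares with the host. The sample link targets and inode numbers are constructed; `read_ns_links` is an assumed helper for live processes and is not exercised by the sample.

```python
import os

# Namespaces a default Docker container gets; "user" stays shared with the host
# unless the daemon is configured for user-namespace remapping (assumption).
NS_NAMES = ("ipc", "mnt", "net", "pid", "uts", "user")


def read_ns_links(pid):
    """Collect /proc/<pid>/ns/<name> link targets for a live process (Linux only)."""
    links = {}
    for name in NS_NAMES:
        path = f"/proc/{pid}/ns/{name}"
        if os.path.lexists(path):
            links[name] = os.readlink(path)
    return links


def ns_inode(link):
    """'pid:[4026531836]' -> 4026531836; the inode identifies the namespace instance."""
    return int(link[link.index("[") + 1:link.rindex("]")])


def shared_namespaces(host_links, container_links):
    """Names of namespaces in which the container process sits in the host's instance."""
    return sorted(name for name, link in container_links.items()
                  if name in host_links and ns_inode(host_links[name]) == ns_inode(link))


# Constructed sample: link targets for host PID 1 and for the init process of a
# container started with --net=host (inode numbers are made up for illustration).
HOST_PID1 = {
    "ipc": "ipc:[4026531839]", "mnt": "mnt:[4026531840]", "net": "net:[4026531992]",
    "pid": "pid:[4026531836]", "uts": "uts:[4026531838]", "user": "user:[4026531837]",
}
CONTAINER_INIT = {
    "ipc": "ipc:[4026532201]", "mnt": "mnt:[4026532199]", "net": "net:[4026531992]",
    "pid": "pid:[4026532202]", "uts": "uts:[4026532200]", "user": "user:[4026531837]",
}

if __name__ == "__main__":
    shared = shared_namespaces(HOST_PID1, CONTAINER_INIT)
    print("namespaces shared with the host:", shared)  # ['net', 'user']
    for name in shared:
        if name != "user":  # a shared user ns is Docker's default; anything else weakens isolation
            print(f"WARNING: container is in the host's {name} namespace")
```

On a live host, replace the constructed dictionaries with `read_ns_links(1)` and `read_ns_links(<container init pid>)`.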

Cgroups

Docker on Linux uses a technology called cgroups (control groups). Because each container is an ordinary process, all the normal Linux resource-management tools apply to it. In addition, there is only one level of resource allocation and scheduling, because a containerized Linux system has only one kernel, and that kernel is fully visible to the containers.

In summary, cgroups allow Docker to:

* group processes and manage their total resource consumption.

* share the available hardware resources among containers.

* limit the memory and CPU usage of a container.

* resize a container by changing its cgroup.

* obtain resource usage information for a container by inspecting its control group under /sys/fs/cgroup.

* end all processes in a container in a reliable way.

Capabilities

Linux provides "POSIX capabilities", which split the all-powerful root privilege into a set of distinct permissions. A list of all available capabilities can be found in the Linux man pages (capabilities(7)). Docker drops all capabilities except the required ones, working from a whitelist rather than a blacklist.

A general server (bare metal or virtual machine) needs to run a series of processes with root privileges. These include:

* SSH

* cron

* syslogd

* hardware management tools (such as loading kernel modules)

* network configuration tools (such as handling DHCP, WPA, or VPNs), etc.

Containers are different because almost all of these tasks are handled by the infrastructure around the container. By default, Docker starts each container with a severely restricted set of capabilities. In most cases a container does not need real root privileges. For example, a process such as a network service that only needs to bind a port below 1024 does not need root: it can be granted CAP_NET_BIND_SERVICE instead. The container can therefore run with reduced privileges, meaning that root inside the container has fewer privileges than real root on the host.
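The whitelist described above can be audited from outside the container: the `CapEff` and `CapBnd` lines of `/proc/<pid>/status` are hex bitmasks over the kernel's capability numbering. The following is an added example (not code from the original article) that decodes those masks and reports anything beyond the expected set; the `/proc` excerpts are constructed, and the default whitelist is my assumption about Docker's defaults, to be checked against the version in use.

```python
import re

# Capability names in kernel bit order: bit 0 = CAP_CHOWN ... bit 40 = CAP_CHECKPOINT_RESTORE.
CAP_NAMES = (
    "CHOWN", "DAC_OVERRIDE", "DAC_READ_SEARCH", "FOWNER", "FSETID", "KILL", "SETGID",
    "SETUID", "SETPCAP", "LINUX_IMMUTABLE", "NET_BIND_SERVICE", "NET_BROADCAST",
    "NET_ADMIN", "NET_RAW", "IPC_LOCK", "IPC_OWNER", "SYS_MODULE", "SYS_RAWIO",
    "SYS_CHROOT", "SYS_PTRACE", "SYS_PACCT", "SYS_ADMIN", "SYS_BOOT", "SYS_NICE",
    "SYS_RESOURCE", "SYS_TIME", "SYS_TTY_CONFIG", "MKNOD", "LEASE", "AUDIT_WRITE",
    "AUDIT_CONTROL", "SETFCAP", "MAC_OVERRIDE", "MAC_ADMIN", "SYSLOG", "WAKE_ALARM",
    "BLOCK_SUSPEND", "AUDIT_READ", "PERFMON", "BPF", "CHECKPOINT_RESTORE",
)

# Docker's default whitelist (assumption about Docker's defaults; verify for your version).
DOCKER_DEFAULT_CAPS = frozenset((
    "CHOWN", "DAC_OVERRIDE", "FSETID", "FOWNER", "MKNOD", "NET_RAW", "SETGID", "SETUID",
    "SETFCAP", "SETPCAP", "NET_BIND_SERVICE", "SYS_CHROOT", "KILL", "AUDIT_WRITE",
))


def parse_cap_masks(status_text):
    """Extract the Cap* hex masks (CapInh, CapPrm, CapEff, CapBnd, CapAmb) from /proc/<pid>/status."""
    return {m.group(1): int(m.group(2), 16)
            for m in re.finditer(r"^(Cap\w+):\s*([0-9a-fA-F]+)$", status_text, re.M)}


def decode_caps(mask):
    """Bitmask -> set of capability names; bits above the known table are reported as CAP_<bit>."""
    return {CAP_NAMES[bit] if bit < len(CAP_NAMES) else f"CAP_{bit}"
            for bit in range(mask.bit_length()) if mask >> bit & 1}


def caps_beyond_allowlist(mask, allowed=DOCKER_DEFAULT_CAPS):
    """Capabilities present in the mask that the whitelist does not grant."""
    return sorted(decode_caps(mask) - set(allowed))


# Constructed /proc/<pid>/status excerpts: a default container, and one started with
# --cap-add SYS_ADMIN (bit 21 set on top of the default mask).
STATUS_DEFAULT = ("Name:\tnginx\nCapInh:\t0000000000000000\nCapPrm:\t00000000a80425fb\n"
                  "CapEff:\t00000000a80425fb\nCapBnd:\t00000000a80425fb\nCapAmb:\t0000000000000000\n")
STATUS_CAP_ADD = STATUS_DEFAULT.replace("a80425fb", "a82425fb")

if __name__ == "__main__":
    for label, text in (("default", STATUS_DEFAULT), ("--cap-add SYS_ADMIN", STATUS_CAP_ADD)):
        eff = parse_cap_masks(text)["CapEff"]
        print(f"{label}: {len(decode_caps(eff))} effective caps, "
              f"beyond whitelist: {caps_beyond_allowlist(eff)}")
```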

Capabilities are just one of the many security features provided by the modern Linux kernel. To harden a Docker host, you can use an existing, well-known hardening system:

* TOMOYO

* AppArmor

* SELinux

* GRSEC, etc.

That's all for "how to achieve security and isolation in a Docker container". Thank you for reading. If you want to know more about the industry, you can follow the website; the editor will publish more high-quality, practical articles for you!
