2025-04-03 Update From: SLTechnology News&Howtos shulou
Shulou(Shulou.com)05/31 Report--
This article explains how to use Docker Daemon parameters, covering the settings that matter for security and performance and the permissions of the files and directories the daemon relies on.
Docker Daemon is Docker's background service. It can be roughly divided into three parts: Docker Server, Engine and Job. The Docker Server module accepts requests from the Docker Client, the Engine processes each request, and a Job of the appropriate type is then created and run according to the request type.
The following is a schematic diagram of Docker Daemon's architecture:
Docker Daemon parameters
The figure above shows the central position of Docker Daemon, which is why its configuration is particularly important. The parameters below are grouped around security and performance. Here is how to configure them:
Restrict network communication between containers: if communication between containers on the same host is not restricted, private information can be exposed from one container to another, so it is recommended to turn it off. Set parameters such as: docker daemon --icc=false
Set the log level to info: this captures all information except debug information. Set parameters such as: docker daemon --log-level="info"
Allow Docker Daemon to modify iptables: this automatically avoids container and external access problems caused by incorrect network configuration. Set parameters such as: docker daemon --iptables=true
Use secure mode to access the image repository: Docker Daemon supports secure mode (the default) and non-secure mode (--insecure-registry) for accessing the image repository. It is recommended to configure the image repository with a CA certificate and to have Docker Daemon access it in secure mode over TLS.
It is recommended to use Overlayfs as the Docker storage driver: Docker supports many storage drivers. The default Docker storage driver on CentOS is devicemapper, and the default on Ubuntu is aufs. To choose a Docker storage driver, refer to the comparative analysis in the figure below:
It is recommended to configure TLS authentication for Docker Daemon: specify the listening IP, port and unix socket of Docker Daemon, and configure TLS authentication for access through the daemon's IP and port. Set parameters such as: '--tlsverify', '--tlscacert', '--tlscert', '--tlskey'
It is recommended to enable user namespace support for Docker Daemon: Docker Daemon supports the user namespace feature of the Linux kernel, which provides additional security for the Docker host. If a container runs as a user with root permission, that user also has root permission on the host, so someone outside can control the host through the container. Set parameters such as: docker daemon --userns-remap=default
It is recommended to configure the default CGroup for Docker Daemon: a program may occupy all the resources on the host, preventing other programs from running properly or leaving the system hung and unmanageable. cgroups can be used to control the resource consumption of processes. Set parameters such as: docker daemon --cgroup-parent=/foobar
It is recommended to configure a centralized remote log collection system for Docker: Docker supports many log drivers, and a centralized remote log system should be configured to store Docker logs. Set parameters such as: docker run --log-driver=syslog --log-opt syslog-address=tcp://ip
It is recommended to use Docker Registry v2: the v2 version is much stronger than v1 in both performance and security, for example image signing on the security side. Set parameters such as: docker daemon --disable-legacy-registry
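The recommendations above can be checked mechanically. The following is an added example, not code from the original article or from the Docker project: it assumes the flags are set through the daemon.json keys of the same names, and the sample configuration, registry name and addresses are constructed for illustration.

```python
import json

# Constructed sample daemon.json (not from the article); 192.0.2.10 is a documentation address.
SAMPLE_DAEMON_JSON = """
{
  "icc": true,
  "log-level": "debug",
  "hosts": ["unix:///var/run/docker.sock", "tcp://192.0.2.10:2376"],
  "insecure-registries": ["registry.example.internal:5000"],
  "storage-driver": "devicemapper",
  "log-driver": "json-file"
}
"""

def audit_daemon_config(cfg):
    """Return one finding per recommendation from the list above that cfg misses."""
    findings = []
    # Docker's defaults apply when a key is absent: icc=true, iptables=true, log-level=info.
    if cfg.get("icc", True):
        findings.append("icc: inter-container communication is not restricted")
    if cfg.get("log-level", "info") != "info":
        findings.append("log-level: expected info")
    if not cfg.get("iptables", True):
        findings.append("iptables: daemon is not allowed to manage iptables rules")
    if cfg.get("insecure-registries"):
        findings.append("insecure-registries: non-secure registry access configured")
    if not cfg.get("storage-driver", "").startswith("overlay"):
        findings.append("storage-driver: overlay driver not explicitly selected")
    tcp = [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]
    tls_keys = ("tlscacert", "tlscert", "tlskey")
    if tcp and not (cfg.get("tlsverify") and all(cfg.get(k) for k in tls_keys)):
        findings.append("tlsverify: TCP listener without full TLS verification")
    if not cfg.get("userns-remap"):
        findings.append("userns-remap: user namespace remapping is off")
    if not cfg.get("cgroup-parent"):
        findings.append("cgroup-parent: no default cgroup parent set")
    remote = cfg.get("log-opts", {}).get("syslog-address", "")
    if cfg.get("log-driver") != "syslog" or not remote.startswith(("tcp://", "udp://", "tcp+tls://")):
        findings.append("log-driver: no remote syslog target configured")
    return findings

if __name__ == "__main__":
    for line in audit_daemon_config(json.loads(SAMPLE_DAEMON_JSON)):
        print("FAIL", line)
```

The TLS check only fires when a tcp:// listener is present, because a daemon that listens on the unix socket alone has no network endpoint to protect.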
Docker Daemon permissions
The ownership and permissions of the files and directories related to Docker Daemon affect the security of the entire Docker runtime. From an operations and maintenance point of view, it is particularly important to plan ownership and permissions sensibly. Here is how to configure Docker Daemon permissions.
1. Set the properties and permissions of some Docker Daemon-related configuration files
2. Set the properties and permissions of some related directories in Docker Daemon
The /etc/docker directory stores container authentication and key information. The ownership of the directory is set to root:root, and the permission is 755.
The /etc/docker/certs.d/ directory holds the files related to the registry certificate. The ownership of the directory is set to root:root, and the permission is 444.
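A way to verify the two directory settings above, as an added example that is not part of the original article: the paths, ownership and modes are the ones stated above, while treating a mode stricter than the stated one as compliant is an assumption of this example.

```python
import os
import stat

# Ownership (uid, gid) and mode as stated in the article; 0:0 is root:root.
EXPECTED = {
    "/etc/docker": (0, 0, 0o755),
    "/etc/docker/certs.d": (0, 0, 0o444),
}

def check_path(path, uid, gid, max_mode):
    """Return findings for one path; an empty list means compliant."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return [f"{path}: missing"]
    findings = []
    if (st.st_uid, st.st_gid) != (uid, gid):
        findings.append(f"{path}: owner {st.st_uid}:{st.st_gid}, expected {uid}:{gid}")
    mode = stat.S_IMODE(st.st_mode)
    # Assumption: only bits granted beyond the stated mode count as a violation,
    # so a stricter mode (for example 700 against 755) passes.
    extra = mode & ~max_mode
    if extra:
        findings.append(f"{path}: mode {mode:o} grants extra bits {extra:o} over {max_mode:o}")
    return findings

def audit(expected=EXPECTED):
    """Check every path in the expected table and collect all findings."""
    out = []
    for path, (uid, gid, mode) in expected.items():
        out.extend(check_path(path, uid, gid, mode))
    return out

if __name__ == "__main__":
    for finding in audit():
        print("FAIL", finding)
```

Mode 444 on a directory carries no search (x) bit, so only processes with root privileges can reach the certificate files beneath it.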
Thank you for reading. That concludes "how to use Docker Daemon parameters". The specific settings still need to be verified in practice.