

Security control methods for a Docker-based private cloud

2025-02-22 Update. From: SLTechnology News & Howtos (shulou), Servers


Shulou (Shulou.com) 05/31 Report

This article describes the security controls we apply in a Docker-based private container cloud, layer by layer: the IDC machine room and the hosts, the Docker daemon, the images, and the containers themselves.

(1) Security and protection of the IDC machine room

The IDC machine room firewall blocks the common classes of attack. When we deploy the container cloud product at a customer site, we hand over a network planning document that details the product's network topology and the port numbers it uses, and we recommend that the customer open only the ports listed there. In practice, for users who need access from the public network, only port 80 has to be opened.

Every physical machine that hosts the container cloud product also runs its own host firewall:

1. Only trusted machines may reach one another.

2. The ICMP protocol is disabled.

Operators reach the container service platform through a VPN to a springboard (jump) host, and from the springboard host they log in to the machines that run the platform for day-to-day operation and maintenance.
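The host-level policy above (trusted machines only, ICMP dropped, SSH only from the springboard host, port 80 the only externally open port), written out as an added example that is not part of the original article. It assumes TRUSTED_CIDR is the private subnet the nodes share, JUMP_IP is the springboard host, CONTAINER_CIDR is the bridge range Docker hands out (172.17.0.0/16 by default), and that dockerd is already running so that its DOCKER-USER chain exists. Rules for container traffic go into DOCKER-USER because Docker manages the FORWARD chain itself and would otherwise let containers reach the private network.

```shell
#!/bin/sh
# Added example, not from the original article: host firewall for one node of
# the container platform.  Assumptions: TRUSTED_CIDR is the private subnet the
# nodes share, JUMP_IP is the springboard machine, CONTAINER_CIDR is the range
# Docker assigns to containers (172.17.0.0/16 by default), dockerd is running so
# its DOCKER-USER chain exists, and 80/tcp is the only externally published port.
set -u

# gen_rules TRUSTED_CIDR JUMP_IP CONTAINER_CIDR
# Prints the iptables commands one per line so the ruleset can be reviewed and
# compared with the product's network planning document before it is applied.
gen_rules() {
  trusted=$1; jump=$2; containers=$3
  cat <<EOF
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p icmp -j DROP
iptables -A INPUT -s ${trusted} -j ACCEPT
iptables -A INPUT -s ${jump}/32 -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -P INPUT DROP
iptables -I DOCKER-USER -s ${containers} -d ${trusted} -j DROP
iptables -I DOCKER-USER -m conntrack --ctstate ESTABLISHED,RELATED -j RETURN
EOF
}

# exposed_ports < RULES
# Reads iptables rules (gen_rules output or "iptables-save" output) and lists
# the ports accepted on INPUT without any source restriction, i.e. the ports
# open to the whole Internet.  The result should match the planning document.
exposed_ports() {
  grep -- '-A INPUT ' | grep -- '-j ACCEPT' | grep -v -- ' -s ' |
    sed -n 's/.*--dport \([0-9]*\).*/\1/p'
}

# apply_rules TRUSTED_CIDR JUMP_IP CONTAINER_CIDR: review gen_rules first, then
# run this as root on the node.
apply_rules() {
  gen_rules "$@" | sh -e
}
```

The conntrack RETURN is inserted last so that it sits above the DROP: a private host may still connect to a published container port and receive replies, while a container cannot open connections toward the private network. Dropping all ICMP, as the article does, also drops "fragmentation needed" messages, so check path MTU on links with tunnels or VPNs.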

(2) Docker daemon security

For the Docker daemon the main exposure is the Docker Engine API, so the daemon is configured as follows:

1. Require TLS, with client certificate verification, for access to the daemon.

2. Bind the remote API to the host's private-network IP address, so that only the scheduling system can reach it over the private network; never bind it to all interfaces.

3. Run the Docker daemon under a dedicated service account rather than a shared root login; for example, create a docker user and a docker group. Note that the daemon itself still needs root privileges unless Docker's rootless mode is used, and that any account in the docker group can drive the daemon and thereby obtain root on the host, so membership in that group should be limited to the scheduler's service account.
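Steps 1 and 2 in working form, as an added example that is not part of the original article: a private CA with a server certificate bound to the node's private IP, a client certificate for the scheduler, a daemon.json that binds the API only to that IP with tlsverify, and a check that rejects a daemon.json which exposes the API to all interfaces or without TLS. The certificate directory /etc/docker/certs, port 2376 and the CN values are assumptions.

```shell
#!/bin/sh
# Added example, not from the original article: locking down the Docker engine
# API.  Assumptions: dockerd reads /etc/docker/daemon.json, OpenSSL is installed
# on the node, NODE_IP is the node's private address, and certificates live in
# CERT_DIR (e.g. /etc/docker/certs).
set -u

# make_tls_certs CERT_DIR NODE_IP
# Creates a private CA, a server certificate valid only for NODE_IP and only as
# a server, and one client certificate for the scheduler valid only as a client.
# Runs in a subshell so the cd does not leak into the caller.
make_tls_certs() (
  dir=$1; ip=$2
  mkdir -p "$dir" && cd "$dir" || exit 1
  openssl genrsa -out ca-key.pem 4096
  openssl req -new -x509 -days 365 -key ca-key.pem -sha256 -subj "/CN=docker-ca" -out ca.pem
  openssl genrsa -out server-key.pem 4096
  openssl req -new -key server-key.pem -subj "/CN=$ip" -out server.csr
  printf 'subjectAltName = IP:%s\nextendedKeyUsage = serverAuth\n' "$ip" > server-ext.cnf
  openssl x509 -req -days 365 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem \
    -CAcreateserial -extfile server-ext.cnf -out server-cert.pem
  openssl genrsa -out key.pem 4096
  openssl req -new -key key.pem -subj "/CN=scheduler" -out client.csr
  printf 'extendedKeyUsage = clientAuth\n' > client-ext.cnf
  openssl x509 -req -days 365 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem \
    -CAcreateserial -extfile client-ext.cnf -out cert.pem
  chmod 0400 ca-key.pem server-key.pem key.pem
  chmod 0444 ca.pem server-cert.pem cert.pem
  rm -f server.csr client.csr
)

# render_daemon_json NODE_IP CERT_DIR
# Local socket plus the API on the private IP only, TLS with client verification.
render_daemon_json() {
  ip=$1; dir=$2
  cat <<EOF
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://${ip}:2376"],
  "tlsverify": true,
  "tlscacert": "${dir}/ca.pem",
  "tlscert": "${dir}/server-cert.pem",
  "tlskey": "${dir}/server-key.pem"
}
EOF
}

# audit_daemon_json FILE
# Returns 1 and prints findings if the API is bound to all interfaces
# (0.0.0.0, [::] or an empty host) or a tcp listener exists without tlsverify.
audit_daemon_json() {
  f=$1; rc=0
  if grep -Eq 'tcp://(0\.0\.0\.0:|\[::\]:|:)' "$f"; then
    echo "FAIL: $f binds the API to all interfaces"; rc=1
  fi
  if grep -q 'tcp://' "$f" && ! grep -Eq '"tlsverify"[[:space:]]*:[[:space:]]*true' "$f"; then
    echo "FAIL: $f exposes a tcp listener without tlsverify"; rc=1
  fi
  return $rc
}
```

The scheduler then connects with `docker --tlsverify --tlscacert=ca.pem --tlscert=cert.pem --tlskey=key.pem -H tcp://NODE_IP:2376 version`. On distributions whose systemd unit starts `dockerd -H fd://`, a `hosts` entry in daemon.json conflicts with that flag and the daemon refuses to start; override `ExecStart` in a drop-in unit so that the hosts come from daemon.json alone.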

(3) Image security

Images used in the private container cloud come from two sources: images built by the customer, and our public cloud image center.

1. Images built by the customer

Customers build images in two ways. The first is through a template customised by our container cloud platform; the base image is then supplied by the platform, which gives the strongest security guarantee. The second is an image the user writes and builds from their own Dockerfile. Such images go through two checks before the container is allowed to run: a manual audit and an online security scan. We notify users from time to time when we update the signature database of the image security scanner, so that their images stay covered.

2. Our public cloud image center

All images in the public cloud image center are produced by our R&D team and our security control team, and so far they have shown almost no security problems. The center mainly provides tooling images such as cache, redis, mongodb and microservice framework images.
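For the user-written Dockerfiles described under item 1, a static pre-check that the platform can run before the manual audit and the scan, as an added example that is not part of the original article. It assumes REGISTRY is the platform's own image registry (registry.example.internal is a placeholder) and that every stage must start from a base image hosted there or from an earlier stage of the same Dockerfile.

```shell
#!/bin/sh
# Added example, not from the original article: a static pre-check for the
# Dockerfiles that users submit.  Assumption: REGISTRY is the platform's own
# registry (registry.example.internal is a placeholder) and base images must
# come from it.
set -u

# audit_dockerfile FILE REGISTRY
# Prints one FAIL line per finding and returns 1 if anything was found.
# Checks: base images come from the platform registry (aliases from earlier
# "FROM ... AS name" stages are allowed), no ADD from a remote URL, no download
# piped straight into a shell, and the final stage switches to a non-root USER.
# Backslash-continued lines are treated as part of the instruction above them.
audit_dockerfile() {
  awk -v reg="$2" '
    function fail(where, msg) { print "FAIL: " where ": " msg; bad++ }
    {
      ins = cont ? prev : toupper($1)
      cont = ($0 ~ /\\$/); prev = ins
      if (ins == "FROM") {
        img = $2
        if (img ~ /^--platform=/) img = $3
        if (index(img, reg "/") != 1 && !(img in stages))
          fail("line " NR, "base image not from " reg ": " img)
        for (i = 2; i <= NF; i++) if (toupper($i) == "AS") stages[$(i + 1)] = 1
        saw_user = 0      # every new stage starts as root again
      }
      if (ins == "USER") saw_user = ($2 != "root" && $2 != "0")
      if (ins == "ADD" && $0 ~ /https?:\/\//)
        fail("line " NR, "ADD from a remote URL; COPY a vetted file instead")
      if (ins == "RUN" && $0 ~ /(curl|wget)[^|]*\|[ \t]*(sudo[ \t]+)?(ba)?sh/)
        fail("line " NR, "download piped into a shell")
    }
    END {
      if (!saw_user) fail("end", "final stage runs as root (no non-root USER)")
      if (bad) exit 1
    }' "$1"
}
```

The check is deliberately conservative: a registry prefix match does not prove an image is the platform's, so the result feeds the manual audit rather than replacing it, and the image scan still runs on the built image.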

(4) Container security

We control container security in the following areas.

1. Network security

Container networks are isolated between users. By default, containers belonging to different users cannot reach each other, while all containers of the same user can.

Containers are isolated from the host network. By default a container cannot reach any host on the private network.

2. Data security

Host directory mounts. Through the unified operations management platform, a user can mount only a fixed, per-user directory into a container.

File sharing between containers. Through the unified operations management platform, a user can share their data with specified containers (or with other users).

Distributed file system. A user requests data storage through the unified operations management platform and accesses the platform's distributed file storage with an API key and secret key.

3. Process security

Docker's default isolation policy (namespaces, cgroups, and the default seccomp and capability profile) is used.
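The per-user network isolation and the fixed-directory mount rule from items 1 and 2 above, as the platform would have to enforce them when it launches a container, written as an added example that is not part of the original article. It assumes each user gets a user-defined bridge network named net-<user> (containers on different user-defined bridges cannot reach each other; containers on the same one can) and that the only host directory a user may mount is /data/<user>.

```shell
#!/bin/sh
# Added example, not from the original article: what the unified operations
# platform enforces when it starts a container for a user.  Assumptions: one
# user-defined bridge network "net-<user>" per user, and /data/<user> as the
# only host directory the user may mount.
set -u

# canonical_path PATH: collapse "." and ".." without consulting the filesystem,
# so that /data/alice/../bob is judged as /data/bob, not as a path under alice.
canonical_path() {
  out=""; old_ifs=$IFS; IFS=/
  for part in $1; do
    case $part in
      ""|.) ;;
      ..) out=${out%/*} ;;
      *) out="$out/$part" ;;
    esac
  done
  IFS=$old_ifs
  printf '%s\n' "${out:-/}"
}

# validate_mount USER SRC: accept only sources inside the user's fixed directory.
# This also refuses /var/run/docker.sock, which would hand the user the daemon.
validate_mount() {
  root="/data/$1"; src=$(canonical_path "$2")
  case $src in
    "$root"|"$root"/*) return 0 ;;
    *) echo "rejected mount $2: outside $root" >&2; return 1 ;;
  esac
}

# ensure_user_network USER: create the user's own bridge network on first use
ensure_user_network() {
  docker network inspect "net-$1" >/dev/null 2>&1 || docker network create "net-$1"
}

# build_run_cmd USER NAME IMAGE [SRC:DST[:opts] ...]
# Prints the docker run command line instead of executing it, so the platform
# can log exactly what it is about to run.  Returns 1 on a bad name or a
# rejected mount.  Paths are platform-assigned and contain no whitespace.
build_run_cmd() {
  user=$1; name=$2; image=$3; shift 3
  case $name in
    *[!A-Za-z0-9_.-]*|"") echo "rejected container name: $name" >&2; return 1 ;;
  esac
  cmd="docker run -d --name $user-$name --network net-$user"
  for m in "$@"; do
    src=${m%%:*}; rest=${m#*:}
    validate_mount "$user" "$src" || return 1
    cmd="$cmd -v $(canonical_path "$src"):$rest"
  done
  printf '%s %s\n' "$cmd" "$image"
}

# run_for_user USER NAME IMAGE [mounts...]: what the platform actually executes
run_for_user() {
  ensure_user_network "$1"
  cmd=$(build_run_cmd "$@") || return 1
  $cmd
}
```

canonical_path works on the string only; on a live node the platform should also resolve symlinks (for example with realpath) before the check, or keep /data/<user> free of user-created symlinks, since a link under the user's directory can point anywhere on the host.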

These are the security controls we apply to a Docker-based private cloud; they are best understood by putting them into practice.

