Introduction to Rootless Container background and Architecture

2025-01-18 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

This article introduces the background and architecture of rootless containers and then walks through setting up rootless Docker on a test machine.

Rootless Container background and Architecture

Docker and Kubernetes have become basic infrastructure for enterprise IT, and their own security receives growing attention. Docker provides application virtualization on Linux, using namespaces for isolation and cgroups for resource quotas. Docker Engine is a typical client-server design:

Docker Client (TCP/Unix socket) -> Docker Daemon (parent/child processes) -> Container

Because Linux requires a privileged user to create namespaces, mount layered file systems, and so on, the Docker daemon has always run as root. As a consequence, anyone who can connect to the daemon (for example, every member of the docker group) can obtain root on the host, and can do so in ways that bypass the system's audit controls. This has blocked container adoption in some settings: in high-performance computing, for instance, the traditional resource managers and schedulers need containers to be run by unprivileged users, which is why that community built a separate container runtime, Singularity.

Akihiro Suda of the Moby community contributed rootless container support to Docker Engine and BuildKit, allowing the engine to run as an unprivileged user and to make better use of the Linux security model.

Note:

At the time this article was written, rootless mode was still experimental, and cgroup resource controls, AppArmor profiles, checkpoint/restore and several other features were not supported. Rootless mode later left experimental status in Docker Engine 20.10; resource limits now work on hosts running cgroup v2 with systemd, while AppArmor and checkpoint/restore remain unsupported in rootless mode.

At that time only Ubuntu's kernel allowed overlayfs mounts in rootless mode; the upstream kernel refused them for security reasons, so other distributions had to use the VFS storage driver, which copies whole layers, costs performance and is unsuitable for I/O-intensive workloads. Upstream Linux 5.11 and later permit overlayfs inside unprivileged user namespaces, so current rootless Docker can use overlay2 on such kernels; fuse-overlayfs is the usual alternative on older ones.

Core technologies of rootless containers

The first is the user namespace, which maps the root uid/gid inside the container to an unprivileged uid/gid range on the host. Docker Engine already supported this through the --userns-remap flag, which improves container isolation; rootless mode builds on it by running the Docker daemon itself inside such a remapped user namespace.
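To make the mapping concrete, the following added example (not code from the article, Docker or RootlessKit) translates ids across a user namespace the way the kernel's /proc/<pid>/uid_map does. The three mapping tables are constructed: the unmapped daemon (container root is host root), --userns-remap (container 0..65535 lands in a subordinate range), and rootless mode, where the daemon's namespace maps container root to the invoking user's own uid and everything else to the user's /etc/subuid range. The host uid 1000 and the range 100000:65536 are assumptions matching the setup later in the article; 65534 is the kernel's default overflow id for ids with no mapping.

```python
"""Translate uids across a user namespace as the kernel's uid_map does.

Added example, not code from the article or from Docker/RootlessKit.
Mapping tables are constructed; see lead-in for what they assume."""

OVERFLOW_UID = 65534  # kernel default (/proc/sys/kernel/overflowuid) for unmapped ids

# /proc/<pid>/uid_map lines: "<id inside ns> <id in parent ns> <length>"
DEFAULT_MAP = "0 0 4294967295\n"                 # no user namespace: root is root
USERNS_REMAP_MAP = "0 100000 65536\n"            # dockerd --userns-remap with subuid 100000:65536
ROOTLESS_MAP = "0 1000 1\n1 100000 65536\n"      # rootless: root -> host uid 1000, rest -> subuids


def parse_uid_map(text):
    """Parse uid_map text into (inside_start, outside_start, length) triples."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if len(fields) != 3:
            raise ValueError("malformed uid_map line: %r" % line)
        inside, outside, length = (int(f) for f in fields)
        if length <= 0:
            raise ValueError("non-positive length in %r" % line)
        entries.append((inside, outside, length))
    return entries


def to_host(container_uid, uid_map):
    """Map an id seen inside the namespace to the id the host kernel enforces."""
    for inside, outside, length in parse_uid_map(uid_map):
        if inside <= container_uid < inside + length:
            return outside + (container_uid - inside)
    # No mapping: the kernel shows such owners as the overflow id and
    # refuses setuid() to them, so the container cannot act as that host user.
    return OVERFLOW_UID


def to_container(host_uid, uid_map):
    """Reverse direction; None means the host id is not visible in the namespace."""
    for inside, outside, length in parse_uid_map(uid_map):
        if outside <= host_uid < outside + length:
            return inside + (host_uid - outside)
    return None


def is_host_root(container_uid, uid_map):
    """True only if the container uid is really uid 0 on the host."""
    return to_host(container_uid, uid_map) == 0


if __name__ == "__main__":
    for name, m in (("default", DEFAULT_MAP),
                    ("userns-remap", USERNS_REMAP_MAP),
                    ("rootless", ROOTLESS_MAP)):
        print("%-13s container root -> host %d | container uid 1000 -> host %d | "
              "host root visible as %r" % (name, to_host(0, m), to_host(1000, m),
                                           to_container(0, m)))
```

The point the table makes: under --userns-remap and rootless mode, "root" in the container is an ordinary host uid, and host root (uid 0) has no representation inside the namespace at all, so even a process that escapes the container's mount namespace cannot act as host root.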

Second, although an unprivileged user can create a network namespace inside a user namespace and manage it (iptables rules, tcpdump and so on), an unprivileged user cannot create a veth pair between the host and the container, so the container would have no path to the outside network. To solve this, Akihiro used a user-mode TCP/IP stack, SLiRP, attached to the unprivileged network namespace through a TAP device to give the container external connectivity. Because every packet passes through a user-space network stack, throughput is lower than with a kernel veth pair. The architecture is illustrated in the original article's figure.

For details, see the slirp4netns project.

Environment preparation

The steps in this article were verified on a CentOS 7.6 virtual machine.

Create a user

$ useradd moby
$ passwd moby

Add the new user to the wheel group, which is the sudo group on CentOS

$ usermod -aG wheel moby

Switch to the unprivileged user

$ su - moby
$ id
uid=1000(moby) gid=1000(moby) groups=1000(moby),10(wheel)

Configure the subordinate uid/gid ranges

$ echo "moby:100000:65536" | sudo tee /etc/subuid
$ echo "moby:100000:65536" | sudo tee /etc/subgid

Note that tee without -a overwrites the file; if /etc/subuid or /etc/subgid already holds entries for other users, append with tee -a and pick a range that does not overlap theirs.

Install Rootless Docker

$ curl -sSL https://get.docker.com/rootless | sh

Piping a remote script straight into sh runs whatever the server returns; for anything beyond a throwaway test VM, download the script first, read it, and then execute the saved copy.

On a first installation the installer stops and asks you to install the packages it needs

$ curl -sSL https://get.docker.com/rootless | sh
# Missing system requirements. Please run following commands to
# install the requirements and run this installer again.
# Alternatively iptables checks can be disabled with SKIP_IPTABLES=1
cat
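The subordinate-id step above is where rootless installs most often go wrong, and the installer only reports the failure afterwards. The following added example (not part of the article or of Docker's installer) checks a subuid/subgid file for the user before installing: that an entry exists, that it grants at least the 65,536 ids Docker expects, that it does not overlap another user's range, and that it does not contain a real account uid from /etc/passwd (which would let container ids alias host accounts). The file contents are constructed samples; on a real host read /etc/subuid, /etc/subgid and /etc/passwd and run the check for both files.

```python
"""Sanity-check /etc/subuid or /etc/subgid entries before installing rootless Docker.

Added example, not code from the article or from Docker. Sample file
contents below are constructed; MIN_IDS is the 65,536-id range the
article allocates and Docker's rootless prerequisites require."""

MIN_IDS = 65536

# Constructed sample files.
GOOD_SUBUID = "moby:100000:65536\n"
BAD_SUBUID = "alice:100000:65536\nmoby:120000:65536\n"   # moby overlaps alice
PASSWD = ("root:x:0:0:root:/root:/bin/bash\n"
          "moby:x:1000:1000::/home/moby:/bin/bash\n")


def parse_subid(text):
    """Return {user: [(start, count), ...]} from subuid/subgid-format text."""
    ranges = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, start, count = line.split(":")
        ranges.setdefault(name, []).append((int(start), int(count)))
    return ranges


def real_uids(passwd_text):
    """Set of account uids (third field) from passwd-format text."""
    return {int(line.split(":")[2]) for line in passwd_text.splitlines() if line.strip()}


def overlaps(a, b):
    """True if the half-open ranges (start, count) a and b share any id."""
    a_start, a_count = a
    b_start, b_count = b
    return a_start < b_start + b_count and b_start < a_start + a_count


def check_subid(user, subid_text, passwd_text, kind="subuid"):
    """Return a list of problems; an empty list means the file is usable for user."""
    ranges = parse_subid(subid_text)
    mine = ranges.get(user, [])
    if not mine:
        return ["%s: no entry for %s" % (kind, user)]
    problems = []
    if sum(count for _, count in mine) < MIN_IDS:
        problems.append("%s: fewer than %d ids for %s" % (kind, MIN_IDS, user))
    for other, theirs in ranges.items():
        if other == user:
            continue
        for r in mine:
            for t in theirs:
                if overlaps(r, t):
                    problems.append("%s: range %s overlaps %s's range %s"
                                    % (kind, r, other, t))
    for uid in sorted(real_uids(passwd_text)):
        for start, count in mine:
            if start <= uid < start + count:
                problems.append("%s: range %s contains real account uid %d"
                                % (kind, (start, count), uid))
    return problems


if __name__ == "__main__":
    print("good:", check_subid("moby", GOOD_SUBUID, PASSWD))
    print("bad: ", check_subid("moby", BAD_SUBUID, PASSWD))
```

Run it with kind="subgid" against /etc/subgid and /etc/group as well; the installer needs both files to be correct, and the usermod/useradd tools on newer distributions may already have allocated a range for the user that a blind tee would clobber.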
