Shulou(Shulou.com)06/03 Report--

What are the disadvantages of docker container technology? With the increasingly perfect ecological chain of docker container technology, enterprises gradually achieve containerized business deployment, containerization has become the future development trend. However, Docker containerization is not without shortcomings, there are still some areas that can be optimized.

1. Kernel loophole

Docker kernel attacks can be fatal for containerized environments, because containers and hosts share the same system kernel, so it is not enough to trust container built-in protection mechanisms alone.

The isolation of containers means that vulnerabilities in one application do not directly affect applications in other containers, but vulnerabilities may break a single operating system shared with other containers, which in turn affects other containers on the machine. If the vulnerability allows code execution, it will be executed on the host operating system, not within the container; if this vulnerability allows arbitrary memory access, the attacker can change or read any data from any other container.

two。 Data separation

On the docker container, there are some resources that are not namespaces:

SELinuxCgroupsfile systems under / sys,/proc/sys, / proc/sysrq-trigger, / proc/irq, / proc/bus/dev/mem, / dev/sd* file systemKernel Modules

If an attacker can take advantage of any of these elements, he will have access to the host system.

3. Resource cost

Docker because all containers on the host share the same kernel and the same resources, if there are no restrictions on access to certain resources (CPU, memory, disk, etc.), then the abnormal container will occupy the resources of the entire host, thus affecting the operation of other containers and applications.

4. Socket problem

Containers have docker Unix sockets (/ var/run/docker.sock) installed by default, which can be turned off, started, or created new images.

When your container starts and shares sockets, you give the container permission to control the host. It will be able to start or terminate other containers, drag or create images on the host, or even write to the host's file system. With proper configuration and protection, you can use the docker container to achieve a high level of security, but it is still less secure than the properly configured VM.

Although the Docker container is not perfect, it makes the deployment of the business to the cloud faster and the utilization of resources higher. And cloud service providers are also constantly improving the application of Docker container technology in the cloud service platform.

As a senior professional cloud computing service provider and cloud security service provider in the industry, it is committed to providing cloud servers for Internet enterprise users and enterprise users in traditional industries. Its products have the characteristics and advantages of "security and stability, easy to use, high service availability, high performance-to-price ratio" and are designed to be customized for enterprises to meet the needs of rich and diversified application scenarios.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.