2025-02-24 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
How do you configure daemon security in Docker? This article analyses the question and walks through the relevant settings in detail, in the hope of giving readers who face the same problem a simple and workable approach.
I. Test environment
1.1 Install CentOS 7
CentOS Linux release 7.7.1908 (Core)
Upgrade the kernel and reboot:
# yum update kernel
[root@localhost docker]# uname -a
Linux localhost 3.10.0-1062.12.1.el7.x86_64 #1 SMP Tue Feb 4 23:02:59 UTC 2020 x86_64 GNU/Linux
[root@localhost docker]# cat /etc/redhat-release
CentOS Linux release 7.7.1908 (Core)
1.2 Install docker-ce 19.03
# yum install -y yum-utils device-mapper-persistent-data lvm2
# yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
# yum install -y docker-ce
[root@localhost docker]# docker --version
Docker version 19.03.8, build afacb8b
II. Daemon security configuration
There is no configuration file by default; /etc/docker/daemon.json has to be created by hand. All of the settings below go into this file. The following is the local test example used in this article:
{
  "icc": false,
  "log-level": "info",
  "log-driver": "json-file",
  "log-opts": {
    "max-size": "10m",
    "max-file": "5",
    "labels": "somelabel",
    "env": "os,customer"
  },
  "iptables": true,
  "userns-remap": "default",
  "userland-proxy": false,
  "experimental": false,
  "selinux-enabled": true,
  "live-restore": true,
  "no-new-privileges": true,
  "cgroup-parent": "/foobar",
  "seccomp-profile": "/etc/docker/seccomp/default-no-chmod.json",
  "tls": true,
  "tlsverify": true,
  "tlscacert": "/etc/docker/CA/ca.pem",
  "tlscert": "/etc/docker/CA/server-cert.pem",
  "tlskey": "/etc/docker/CA/server-key.pem"
}
2.1 Configure access to the Docker daemon over HTTPS with certificate authentication
Server certificate
Create a HOST variable holding the domain name (an IP address can also be used) and generate the certificates for that name; this is normally the CN registered in the certificate.
Create the certificate directory:
$ mkdir -p /etc/docker/dockerd/CA && cd /etc/docker/dockerd/CA
Generate the CA key; you are asked for the key passphrase twice:
$ openssl genrsa -aes256 -out ca-key.pem 4096
Generate the CA certificate; you are asked for the basic information to put in the certificate:
$ openssl req -new -x509 -days 365 -key ca-key.pem -sha256 -out ca.pem
Create the server key and signing request:
$ openssl genrsa -out server-key.pem 4096
$ openssl req -subj "/CN=localhost" -sha256 -new -key server-key.pem -out server.csr
Set the names and IP address the certificate is valid for:
$ echo subjectAltName = DNS:localhost,IP:127.0.0.1 >> extfile.cnf
Set the extended key usage of the daemon key to server authentication only:
$ echo extendedKeyUsage = serverAuth >> extfile.cnf
Generate the signed server certificate:
$ openssl x509 -req -days 3650 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out server-cert.pem -extfile extfile.cnf
Client certificate
Create the client key and signing request (in the same directory):
$ openssl genrsa -out key.pem 4096
$ openssl req -subj '/CN=localhost' -new -key key.pem -out client.csr
To make the key suitable for client authentication, add the extension (this appends to the extfile.cnf already used for the server certificate; the Docker documentation uses a separate extension file for the client certificate to keep the two sets of extensions apart):
$ echo extendedKeyUsage = clientAuth >> extfile.cnf
Generate the signed client certificate:
$ openssl x509 -req -days 3650 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out cert.pem -extfile extfile.cnf
Usage
Set appropriate permissions on the certificates and keys:
$ chmod -v 0400 ca-key.pem key.pem server-key.pem
$ chmod -v 0444 ca.pem server-cert.pem cert.pem
[root@localhost CA]# ls
ca-key.pem  ca.pem  ca.srl  cert.pem  client.csr  extfile.cnf  key.pem  server-cert.pem  server.csr  server-key.pem
Server configuration in /etc/docker/daemon.json (these options apply to the daemon's TCP listener, so the daemon must also be set to listen on tcp://$HOST:2376, for example through "hosts"):
"tls": true,
"tlsverify": true,
"tlscacert": "/etc/docker/CA/ca.pem",
"tlscert": "/etc/docker/CA/server-cert.pem",
"tlskey": "/etc/docker/CA/server-key.pem"
Client configuration
Copy the client certificates to the client machine (here the same host) into the Docker client's configuration directory, and point the client at the server:
$ cp -v {ca,cert,key}.pem ~/.docker
$ export DOCKER_HOST=tcp://$HOST:2376 DOCKER_TLS_VERIFY=1
Test the connection with curl:
$ curl https://$HOST:2376/images/json \
    --cert ~/.docker/cert.pem \
    --key ~/.docker/key.pem \
    --cacert ~/.docker/ca.pem
[{"Containers":-1,"Created":1540777343,"Id":"sha256:55e7b305dc477345434ce3bd3941940481f982eea31c8f28c0670d59c63d544b","Labels":nu
2.2 Use namespace isolation
A namespace is a kernel isolation mechanism; Docker uses it to start container processes in their own namespaces. User namespace remapping, however, has to be enabled explicitly. The daemon creates a dockremap user and maps container ids onto the host id ranges assigned to that user in /etc/subuid and /etc/subgid, so that root inside the container runs with the ordinary, unprivileged permissions of dockremap on the host.
First modify /etc/sysctl.conf:
# echo "user.max_user_namespaces=15076" >> /etc/sysctl.conf
Add the configuration item "userns-remap": "default" to /etc/docker/daemon.json.
Modify this setting with care: on a host where Docker is already deployed, enabling it switches the daemon to an isolated (remapped) environment and the previously created containers will no longer be available!
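As an added example (not from the original article), the following shows how dockerd turns the dockremap ranges in /etc/subuid into id mappings, including what happens to ids that fall outside the range; SUBUID is a constructed copy of the default dockremap:100000:65536 allocation.

```python
"""Map ids across a Docker user namespace from the dockremap ranges in /etc/subuid and /etc/subgid (added example)."""

OVERFLOW_ID = 65534  # the kernel shows unmapped host ids inside the namespace as this id ("nobody")

def parse_subid(text, user):
    """Collect the (host_start, count) ranges that /etc/subuid or /etc/subgid assigns to `user`."""
    ranges = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, start, count = line.split(":")
        if name == user:
            ranges.append((int(start), int(count)))
    return ranges

def to_host_id(container_id, ranges):
    """Host id behind a container id. dockerd stacks the ranges: container ids 0..count-1 use the first
    range, the following ids the second, and so on; an id beyond all ranges cannot exist in the namespace."""
    ns_base = 0
    for host_start, count in ranges:
        if ns_base <= container_id < ns_base + count:
            return host_start + (container_id - ns_base)
        ns_base += count
    return None

def to_container_id(host_id, ranges):
    """How a host id (for example the owner of a bind-mounted file) appears inside the container."""
    ns_base = 0
    for host_start, count in ranges:
        if host_start <= host_id < host_start + count:
            return ns_base + (host_id - host_start)
        ns_base += count
    return OVERFLOW_ID  # host root (0) and any other unmapped owner shows up as nobody

# Constructed sample matching the default dockremap allocation shown in this article.
SUBUID = "# comment lines are ignored\ndockremap:100000:65536\n"
```

Container root therefore writes files as host uid 100000, and a bind-mounted file owned by host root is read-only "nobody" from the container's point of view.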
[root@localhost docker]# cat /etc/subuid
dockremap:100000:65536
2.3 Set the Docker data partition
Create a separate partition for the container data. The default location is /var/lib/docker, which holds local images, containers, networks and other related data.
[root@localhost docker]# ls /var/lib/docker
100000.100000 builder buildkit containers image network overlay2 plugins runtimes swarm tmp trust volumes
You can change this location with "data-root": "<path>".
2.4 Limit traffic between containers on the default bridge
When the Docker service starts, it adds a forwarding policy to the iptables FORWARD chain by default. Whether that policy is ACCEPT or DROP depends on --icc=true (the default) or --icc=false. If --iptables=false is given, no iptables rules are added at all.
By default, all network communication between containers on the same host is allowed on the default bridge; with icc disabled, communication between all containers is restricted. Link the specific containers that need to talk to each other, or create a custom network and add only those containers that need to communicate to it.
To restrict traffic between containers on the default bridge, set "icc": false.
2.5 Configure logging
Configure logging in daemon.json: set the log level to info, use the json-file driver (local logging in JSON format) and set rotation options:
"log-level": "info",
"log-driver": "json-file",
"log-opts": {
  "max-size": "10m",
  "max-file": "5",
  "labels": "somelabel",
  "env": "os,customer"
}
Configure remote logging
The Docker logging driver receives container logs and forwards them to a remote destination or a file. The default driver is json-file, which stores container logs on the local disk in JSON format. Docker has a plug-in architecture for logging, so there are drivers for open-source and commercial tools:
Journald - stores container logs in the system journal.
Syslog driver - supports UDP, TCP and TLS.
Fluentd - connects to fluentd over TCP or a Unix socket.
Splunk - forwards over HTTP/HTTPS to a Splunk server.
GELF - forwards logs over UDP to Graylog2.
Sample fluentd configuration:
{"log-driver": "fluentd", "log-opts": {"fluentd-address": "fluentdhost:24224"}}
Using syslog:
{"log-driver": "syslog", "log-opts": {"syslog-address": "udp://1.2.3.4:1111"}}
2.6 Set ulimits
{"default-ulimits": {"nofile": {"Name": "nofile", "Hard": 64000, "Soft": 64000}}}
2.7 Set the cgroup parent
The --cgroup-parent option sets the default parent cgroup for containers. If it is not set, the default is /docker for the cgroupfs driver and system.slice for the systemd driver.
If the cgroup name starts with a forward slash (/), the cgroup is created under the root cgroup; otherwise it is created under the daemon's own cgroup.
Assuming the daemon runs in the cgroup daemoncgroup, --cgroup-parent=/foobar creates the cgroup at /sys/fs/cgroup/memory/foobar, while --cgroup-parent=foobar creates it at /sys/fs/cgroup/memory/daemoncgroup/foobar.
The systemd cgroup driver has different rules for --cgroup-parent. systemd represents the hierarchy as slices, and a slice name encodes its location in the tree, so with the systemd driver --cgroup-parent should be a slice name. The name may contain a series of dash-separated names describing the path from the root slice down to this slice. For example, --cgroup-parent=user-a-b.slice means the container's memory cgroup is created at /sys/fs/cgroup/memory/user.slice/user-a.slice/user-a-b.slice/docker-<id>.scope.
The parent can also be set per container: the --cgroup-parent option on docker create and docker run takes precedence over the daemon's --cgroup-parent option.
2.8 Configure seccomp
The test profile used here forbids the chmod family of system calls inside containers:
https://github.com/docker/labs/blob/master/security/seccomp/seccomp-profiles/default-no-chmod.json
[root@localhost docker]# docker run --rm -it alpine sh
/ # ls
bin    etc    lib    mnt    proc   run    srv    tmp    var
dev    home   media  opt    root   sbin   sys    usr
/ # touch foo.sh
/ # chmod +x foo.sh
chmod: foo.sh: Operation not permitted
/ # exit
A seccomp profile can deny, allow or log (audit) individual system calls. For the full list of x86_64 system calls, see: https://github.com/torvalds/linux/blob/master/arch/x86/entry/syscalls/syscall_64.tbl
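How a profile of the default-no-chmod kind works, as an added example that is not the labs profile itself or Docker's code: PROFILE is a constructed miniature of Docker's allow-list profile format, action_for is a simplified evaluator (a rule counts only when the capabilities in its includes clause are held), and without_syscalls performs the edit that turns a stock allow-list profile into a no-chmod one.

```python
"""Evaluate and derive Docker seccomp profiles of the allow-list form used by default-no-chmod.json (added example)."""
import copy
import json

# Constructed miniature of a Docker profile: every syscall fails with EPERM unless an allow rule lists it.
PROFILE = {
    "defaultAction": "SCMP_ACT_ERRNO",
    "architectures": ["SCMP_ARCH_X86_64"],
    "syscalls": [
        {"names": ["read", "write", "openat", "close", "chmod", "fchmod", "fchmodat"],
         "action": "SCMP_ACT_ALLOW"},
        {"names": ["ptrace"], "action": "SCMP_ACT_ALLOW", "includes": {"caps": ["CAP_SYS_PTRACE"]}},
    ],
}

def action_for(profile, syscall, caps=()):
    """Action the profile resolves for `syscall` in a container holding `caps` (simplified: first rule whose
    names list the syscall and whose includes.caps, if any, intersect the granted caps; else defaultAction)."""
    for rule in profile["syscalls"]:
        if syscall not in rule["names"]:
            continue
        needed = rule.get("includes", {}).get("caps", [])
        if needed and not set(needed) & set(caps):
            continue
        return rule["action"]
    return profile["defaultAction"]

def without_syscalls(profile, names):
    """Copy of `profile` with `names` dropped from every rule, so those calls fall through to defaultAction.
    Applied to Docker's stock profile with {chmod, fchmod, fchmodat} this yields a default-no-chmod profile."""
    out = copy.deepcopy(profile)
    for rule in out["syscalls"]:
        rule["names"] = [n for n in rule["names"] if n not in names]
    out["syscalls"] = [r for r in out["syscalls"] if r["names"]]  # drop rules left empty
    return out

NO_CHMOD = without_syscalls(PROFILE, {"chmod", "fchmod", "fchmodat"})

def no_chmod_json():
    """Profile text to save as e.g. /etc/docker/seccomp/default-no-chmod.json and reference via seccomp-profile."""
    return json.dumps(NO_CHMOD, indent=2)
```

With SCMP_ACT_ERRNO and no errnoRet, the denied call returns EPERM, which is exactly the "Operation not permitted" seen from chmod above.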
2.9 Configure containers to keep running without the daemon
"live-restore": true (the --live-restore daemon flag) ensures that running containers are not affected when the Docker daemon shuts down.
During testing, after the Docker daemon was stopped, the nginx container continued to serve requests normally.
2.10 Disable Docker's experimental features
Set "experimental": false.
2.11 Prevent containers from gaining privileges through suid or sgid
The no-new-privileges security option prevents processes inside the container from gaining new privileges during execution.
For example, if the image contains a program with the setuid/setgid bit set, such as sudo, and the container process has (file) permission to execute it, any attempt to acquire privileges through a facility such as setuid/setgid will be denied.
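To check an existing daemon.json against the settings discussed in sections 2.1 to 2.11, here is an added audit script; it is not part of the original article or of Docker. The WEAK and HARDENED configurations are constructed samples, and the expected values in EXPECTED are the ones this article recommends.

```python
"""Audit /etc/docker/daemon.json against the hardening settings of sections 2.1-2.11 (added example)."""
import json

# Expected values for the settings covered above; None means "must be set to something".
EXPECTED = {
    "icc": False,               # 2.4: no traffic between containers on the default bridge
    "userns-remap": None,       # 2.2: user namespace remapping enabled
    "live-restore": True,       # 2.9: containers survive a daemon restart
    "experimental": False,      # 2.10: experimental features off
    "no-new-privileges": True,  # 2.11: no privilege gain via suid/sgid binaries
    "seccomp-profile": None,    # 2.8: custom seccomp profile loaded
    "log-driver": None,         # 2.5: logging driver chosen explicitly
}

def audit(cfg):
    """Return human-readable findings for a parsed daemon.json; an empty list means all checks passed."""
    findings = []
    for key, want in EXPECTED.items():
        have = cfg.get(key)
        if want is None and not have:
            findings.append(f"{key} is not set")
        elif want is not None and have != want:
            findings.append(f"{key} is {have!r}, expected {want!r}")
    # 2.1: a TCP listener without mutual TLS hands the daemon API to anyone who can reach the port.
    if any(h.startswith("tcp://") for h in cfg.get("hosts", [])):
        if not (cfg.get("tls") and cfg.get("tlsverify")):
            findings.append("tcp listener without tls and tlsverify")
        findings += [f"{k} missing for tcp listener" for k in ("tlscacert", "tlscert", "tlskey") if not cfg.get(k)]
    # 2.5: json-file without max-size never rotates and eventually fills the disk.
    if cfg.get("log-driver") == "json-file" and "max-size" not in cfg.get("log-opts", {}):
        findings.append("json-file logging without max-size rotation")
    return findings

def audit_text(text):
    """Parse first: dockerd refuses to start on invalid JSON, e.g. the unquoted key in '{live-restore: true}'."""
    try:
        cfg = json.loads(text)
    except json.JSONDecodeError as e:
        return [f"invalid JSON: {e.msg} at line {e.lineno}"]
    return audit(cfg)

# Constructed samples: a config that leaves every default in place on an open TCP port, and a hardened one.
WEAK = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"], "log-driver": "json-file"}'
HARDENED = json.dumps({
    "icc": False, "userns-remap": "default", "live-restore": True, "experimental": False,
    "no-new-privileges": True, "log-driver": "json-file", "log-opts": {"max-size": "10m", "max-file": "5"},
    "hosts": ["tcp://0.0.0.0:2376"], "tls": True, "tlsverify": True, "tlscacert": "/etc/docker/CA/ca.pem",
    "tlscert": "/etc/docker/CA/server-cert.pem", "tlskey": "/etc/docker/CA/server-key.pem",
    "seccomp-profile": "/etc/docker/seccomp/default-no-chmod.json"})
```

On a host, call audit_text(open("/etc/docker/daemon.json").read()); an empty result means every check passed.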
3. Daemon configuration example (Linux)
{
  "authorization-plugins": [],                        // authorization plug-ins
  "data-root": "",                                    // root directory for persistent Docker data; default /var/lib/docker
  "dns": [],                                          // DNS servers
  "dns-opts": [],                                     // DNS options, such as the port
  "dns-search": [],                                   // DNS search domains
  "exec-opts": [],                                    // execution options
  "exec-root": "",                                    // root directory for execution state files
  "experimental": false,                              // enable experimental features
  "features": {},                                     // enable or disable specific features, e.g. {"buildkit": true} makes BuildKit the default image builder
  "storage-driver": "",                               // storage driver type
  "storage-opts": [],                                 // storage options
  "labels": [],                                       // key=value labels marking daemon metadata
  "live-restore": true,                               // keep containers alive while dockerd is down (avoids container exit when the daemon fails)
  "log-driver": "json-file",                          // container log driver
  "log-opts": {"max-size": "10m", "max-file": "5", "labels": "somelabel", "env": "os,customer"},  // container log options
  "mtu": 0,                                           // container network MTU (maximum transmission unit)
  "pidfile": "",                                      // location of the daemon PID file
  "cluster-store": "",                                // URL of the cluster store
  "cluster-store-opts": {},                           // cluster store options
  "cluster-advertise": "",                            // externally advertised address
  "max-concurrent-downloads": 3,                      // maximum concurrency of each pull
  "max-concurrent-uploads": 5,                        // maximum concurrency of each push
  "default-shm-size": "64m",                          // default shared memory size
  "shutdown-timeout": 15,                             // shutdown timeout
  "debug": true,                                      // enable debug mode
  "hosts": [],                                        // listening addresses of the dockerd daemon
  "log-level": "",                                    // log level
  "tls": true,                                        // enable TLS
  "tlsverify": true,                                  // enable TLS and verify the remote peer
  "tlscacert": "",                                    // CA certificate path
  "tlscert": "",                                      // TLS certificate path
  "tlskey": "",                                       // TLS key path
  "swarm-default-advertise-addr": "",                 // swarm advertised address
  "api-cors-header": "",                              // CORS (cross-origin resource sharing) header
  "selinux-enabled": false,                           // enable SELinux (mandatory access control over users, processes, applications and files)
  "userns-remap": "",                                 // user/group for user namespace remapping
  "group": "",                                        // docker group
  "cgroup-parent": "",                                // parent cgroup of all containers
  "default-ulimits": {"nofile": {"Name": "nofile", "Hard": 64000, "Soft": 64000}},  // ulimits for all containers
  "init": false,                                      // run an init inside containers to forward signals and reap processes
  "init-path": "/usr/libexec/docker-init",            // path of docker-init
  "ipv6": false,                                      // enable IPv6 networking
  "iptables": false,                                  // add iptables rules
  "ip-forward": false,                                // enable net.ipv4.ip_forward
  "ip-masq": false,                                   // enable IP masquerading (rewriting the source or destination IP as packets pass a router or firewall)
  "userland-proxy": false,                            // userland proxy
  "userland-proxy-path": "/usr/libexec/docker-proxy", // userland proxy path
  "ip": "0.0.0.0",                                    // default IP
  "bridge": "",                                       // bridge to attach containers to
  "bip": "",                                          // bridge IP
  "fixed-cidr": "",                                   // (IPv4) subnet: restricts the range of IPs allocated, i.e. controls the network segment containers belong to for container-to-container access (same or different hosts)
  "fixed-cidr-v6": "",                                // (IPv6) subnet
  "default-gateway": "",                              // default gateway
  "default-gateway-v6": "",                           // default IPv6 gateway
  "icc": false,                                       // inter-container communication
  "raw-logs": false,                                  // raw logs (no colour, full timestamps)
  "allow-nondistributable-artifacts": [],             // registries to which non-distributable artifacts may be pushed
  "registry-mirrors": [],                             // registry mirror addresses
  "seccomp-profile": "",                              // seccomp profile file
  "insecure-registries": [],                          // non-HTTPS registry addresses
  "no-new-privileges": false,                         // disable new privileges
  "default-runtime": "runc",                          // default OCI (Open Container Initiative) runtime
  "oom-score-adjust": -500,                           // priority for being killed on out-of-memory (-1000 to 1000)
  "node-generic-resources": ["NVIDIA-GPU=UUID1", "NVIDIA-GPU=UUID2"],  // advertised generic resources of the node
  "runtimes": {                                       // runtimes
    "cc-runtime": {"path": "/usr/bin/cc-runtime"},
    "custom": {"path": "/usr/local/bin/my-runc-replacement", "runtimeArgs": ["--debug"]}
  },
  "default-address-pools": [                          // default address pools for network allocation
    {"base": "172.80.0.0/16", "size": 24},
    {"base": "172.90.0.0/16", "size": 24}
  ]
}
That covers the question of how to configure daemon security in Docker. Hopefully the above is of some help; if you still have questions, follow the industry information channel to learn more.