  Docker ecosystem security is gradually maturing
  Add Date : 2018-11-21      
  Whenever container technology comes up, security is usually the first concern. Developers love containers, and operations staff appreciate them too, but if they are used improperly, do they introduce security risks? We all love the natural characteristics of containers, but is security their weak point? In this article I want to walk you through some of the security mechanisms built around containers in more depth. Because these mechanisms are specific to containers, I will not discuss hardening the host node or reducing the attack surface by disabling Linux daemons.

Read-only container filesystem (Docker 1.5)

First, we can run a container with a read-only filesystem. When --read-only is specified, the container's rootfs is mounted read-only, so no process inside the container can write to the container itself. This means that if an application vulnerability leads to a file upload, the write is blocked by the read-only rootfs. It also prevents the application from writing its logs into the rootfs, so we may need a remote logging mechanism or a dedicated volume for the writes that are still required.

Usage (from the docs):

$ docker run --read-only -v /icanwrite busybox touch /icanwrite/here

User namespaces (experimental)

Many people have been eagerly awaiting this feature. Currently, root inside a container also means root on the host. If we could write to /bin inside our own container, we could add any content we wanted, or even take complete control of the host system. With user namespaces, a user can be root inside the container while the uid:gid it maps to outside the container is unprivileged. As a first stage, root is now remapped per daemon instance. As a later stage we may get both a global mapping and a per-container mapping, but whether that capability is needed is still under discussion.

Usage (from the docs):

$ docker daemon --userns-remap=default
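To make the remapping concrete, here is an added example (not from the original article or from Docker) that parses constructed /etc/subuid-style entries and translates a uid seen inside a remapped container to the host uid it really is; the "dockremap" user name and the ranges are assumptions:

```python
# Constructed /etc/subuid-style entries. With --userns-remap=default, Docker
# creates a "dockremap" user and allocates subordinate id ranges like these.
SUBUID_LINES = [
    "# user:start:count",
    "dockremap:100000:65536",
    "dockremap:300000:1000",
    "alice:165536:65536",
]

# Kernel overflow id shown for ids that no mapping covers ("nobody").
OVERFLOW_UID = 65534


def parse_subid(lines):
    """Parse 'user:start:count' lines into {user: [(start, count), ...]},
    preserving order because ranges are concatenated in that order."""
    ranges = {}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, start, count = line.split(":")
        ranges.setdefault(user, []).append((int(start), int(count)))
    return ranges


def host_uid(container_uid, ranges, remap_user="dockremap"):
    """Translate a uid inside the container to the host uid it maps to.
    Container uid 0 lands at the start of the first range; ids beyond all
    allocated ranges are unmapped and appear as the overflow id."""
    offset = container_uid
    for start, count in ranges.get(remap_user, []):
        if offset < count:
            return start + offset
        offset -= count
    return OVERFLOW_UID


def is_host_root(container_uid, ranges, remap_user="dockremap"):
    """True only if the container uid is really uid 0 on the host."""
    return host_uid(container_uid, ranges, remap_user) == 0
```

Root inside the remapped container (uid 0) becomes host uid 100000, an account with no special privileges.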

Seccomp (Git master branch)

With namespaces we can control what is shared. Beyond that, we also need to control what a given container is allowed to run. For that we rely on seccomp, short for secure computing mode. It filters system calls, so we can define the calls an application needs and reject every other call. The following example shows a brief socket.json:

{
    "defaultAction": "SCMP_ACT_ALLOW",
    "syscalls": [
        {
            "name": "socket",
            "action": "SCMP_ACT_ERRNO"
        }
    ]
}

Running with it produces the following:

# docker run -ti --rm --security-opt seccomp:tcpsocket.json ubuntu bash
root@54fd6641a219:/# nc -l 555
nc: Operation not permitted
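The profile above allows everything and denies one call; the text also describes the stricter form, where only the calls the application needs are allowed. The following added example (not from the original article or from Docker) builds both forms of the Docker seccomp JSON, checks what a profile would decide for a given syscall name, and validates a profile before it is handed to --security-opt; the helper names are my own:

```python
import json

# Constructed profile in the Docker seccomp JSON format shown above:
# everything is allowed except socket(), which fails with EPERM.
DENY_SOCKET_PROFILE = {
    "defaultAction": "SCMP_ACT_ALLOW",
    "syscalls": [{"name": "socket", "action": "SCMP_ACT_ERRNO"}],
}

VALID_ACTIONS = {"SCMP_ACT_ALLOW", "SCMP_ACT_ERRNO", "SCMP_ACT_KILL",
                 "SCMP_ACT_TRAP", "SCMP_ACT_TRACE"}


def allowlist_profile(required_syscalls):
    """Build the stricter default-deny form: only the syscalls the
    application needs are allowed, every other call returns EPERM."""
    return {
        "defaultAction": "SCMP_ACT_ERRNO",
        "syscalls": [{"name": n, "action": "SCMP_ACT_ALLOW"}
                     for n in sorted(set(required_syscalls))],
    }


def decide(profile, syscall):
    """Action the profile applies to one syscall name: the first matching
    rule wins, otherwise the filter falls back to defaultAction."""
    for rule in profile.get("syscalls", []):
        if rule.get("name") == syscall:
            return rule["action"]
    return profile["defaultAction"]


def validate(profile):
    """Return the problems that would keep the profile from loading."""
    problems = []
    if profile.get("defaultAction") not in VALID_ACTIONS:
        problems.append("bad defaultAction")
    for i, rule in enumerate(profile.get("syscalls", [])):
        if not rule.get("name"):
            problems.append("rule %d has no name" % i)
        if rule.get("action") not in VALID_ACTIONS:
            problems.append("rule %d has bad action" % i)
    return problems


def to_json(profile):
    """Serialize in the form docker run --security-opt seccomp:file reads."""
    return json.dumps(profile, indent=4)
```

Write the output of to_json() to a file and pass it with --security-opt seccomp:file.json exactly as in the session above.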

Project Nautilus

An important feature currently missing from the Docker ecosystem is inspection of image contents. An earlier article pointed out that more than 30 percent of the official images on Docker Hub contained known security vulnerabilities, and the news caused an immediate uproar. Docker started dealing with it right away, and now every official image must be scanned before it is published on Docker Hub. At DockerCon Europe, Docker announced Project Nautilus, an official image scanning service that lets us more easily build content with high integrity.

So far there has not been much official explanation of Project Nautilus, but we know it runs in the background, and Docker says it has already protected more than 74 million pulls. They have recently launched a survey to collect users' actual needs. Here I can only offer some assumptions. First, Docker says the project will provide:

- Image security assurance
- Component inventory / license management
- Image optimization
- Basic functional testing

A few more features that may be coming:

- Running Nautilus on-premises
- Billing per image or per node deployment

AppArmor profiles

With AppArmor, you can restrict what a program is allowed to do through a profile. Profiles give very fine-grained control, but many people do not want to spend the time writing them. Given how important this kind of profile is for running Docker containers, Jessie Frazelle, one of the Docker core maintainers, created bane to make writing profiles easier. It takes a toml input file and generates and installs the AppArmor profile. The profile can then be used to run a Docker container with the same syntax as before:

docker run -d --security-opt="apparmor:name_of_profile" -p 80:80 nginx

Docker's security posture

All of this helps us secure our containers, and Docker itself is also working to make these mechanisms easier to adopt. If you want all the details on this topic, check the corresponding section on GitHub for the latest advice.