1、命名空间隔离的安全
当docker run启动一个容器时,Docker将在后台为容器创建一个独立的命名空间。命名空间提供了最基础也最直接的隔离。
[root@server2 30970]# docker run -d --name demo nginx
[root@server2 ~]# docker inspect demo | grep Pid
"Pid": 30970,
[root@server2 3]# cd /proc/30970/
[root@server2 30970]# cd ns/
[root@server2 ns]# ls
ipc mnt net pid user uts
控制组资源控制的安全
当docker run启动一个容器时,Docker将在后台为容器创建一个独立的控制组策略集合。
[root@server2 ns]# cd /sys/fs/cgroup/
[root@server2 cgroup]# ls
[root@server2 cgroup]# cd cpu
[root@server2 cpu]# ls
[root@server2 cpu]# cd docker/
[root@server2 docker]# ls
b98f6dc220c0f70b520975a632810e4947e4a08e1fe744fda6043dd2faf89725 cpu.cfs_quota_us
[root@server2 docker]# docker ps
b98f6dc220c0
2、容器资源控制
CPU限额
cpu_period 和 cpu_quota 这两个参数需要组合使用,用来限制进程在长度为 cpu_period 的一段时间内,只能被分配到总量为 cpu_quota 的 CPU 时间。下面的设置(cpu_period=100000,cpu_quota=20000)表示容器最多只能使用 20% 的 CPU 时间。
[root@server2 docker]# cat cpu.cfs_quota_us
-1
[root@server2 docker]# cat cpu.cfs_period_us
100000
[root@server2 docker]# docker run --help | grep cpu
[root@server2 docker]# docker run -it --rm --cpu-quota 20000 ubuntu
root@a0e416f049c8:/# dd if=/dev/zero of=/dev/null &
[1] 10
[root@server2 ~]# top
[root@server2 ~]# cd /sys/fs/cgroup/
[root@server2 cgroup]# cd cpu/docker/
[root@server2 docker]# cd a0e416f049c847d4dffafaede73b048507bcc68f305bf3ae86728d4a67ba5cd9/
[root@server2 a0e416f049c847d4dffafaede73b048507bcc68f305bf3ae86728d4a67ba5cd9]# ls
[root@server2 a0e416f049c847d4dffafaede73b048507bcc68f305bf3ae86728d4a67ba5cd9]# cat cpu.cfs_quota_us
20000
[root@server2 a0e416f049c847d4dffafaede73b048507bcc68f305bf3ae86728d4a67ba5cd9]# cat tasks
1827
1955
[root@server2 cpu1]# docker run -it --rm ubuntu
root@a1844e65ebe9:/# dd if=/dev/zero of=/dev/null &
[1] 9
root@a1844e65ebe9:/# [root@server2 cpu1]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
a1844e65ebe9 ubuntu "/bin/bash" 49 seconds ago Up 48 seconds funny_edison
[root@server2 cpu1]# docker run -it --rm ubuntu
root@ddfec7bec2a0:/# dd if=/dev/zero of=/dev/null &
[1] 9
[root@server2 a1844e65ebe9d8a1c89dff07b51319e47aa6aad60a404ae31e9bbec897120894]# cat cpu.shares
1024
[root@server2 ~]# docker run -it --rm --cpu-shares 512 ubuntu
root@40cb76c90c56:/# dd if=/dev/zero of=/dev/null
内存限制
容器可用内存包括两个部分:物理内存和swap交换分区。
docker run -it --memory 200M --memory-swap=200M ubuntu
--memory 设置内存使用限额
--memory-swap 设置内存与 swap 的总限额;例中两者都设为 200M,因此容器实际上不能使用 swap(对应下文 memory.memsw.limit_in_bytes 与 memory.limit_in_bytes 相等)
[root@server2 docker]# pwd
/sys/fs/cgroup/memory/docker
[root@server2 docker]# yum install -y libcgroup-tools.x86_64
[root@server2 memory]# mkdir x1
[root@server2 memory]# cd x1/
[root@server2 x1]# cat memory.limit_in_bytes
9223372036854771712
[root@server2 x1]# free -m
[root@server2 x1]# echo 209715200 > memory.limit_in_bytes
[root@server2 x1]# cat memory.limit_in_bytes
209715200
[root@server2 x1]# cd /dev/shm/
[root@server2 shm]# dd if=/dev/zero of=bigfile bs=1M count=100
[root@server2 shm]# free -m
[root@server2 ~]# vim /etc/cgrules.conf
删除配置
[root@server2 ~]# systemctl restart cgred.service
[root@server2 ~]# su - linux
Last login: Mon Feb 1 03:07:23 CST 2021 on pts/0
[linux@server2 ~]$ cd /dev/shm/
[linux@server2 shm]$ dd if=/dev/zero of=bigfile bs=1M count=200
[linux@server2 shm]$ dd if=/dev/zero of=bigfile bs=1M count=30
[root@server2 ~]# docker run -it --rm --memory 200M --memory-swap 200M ubuntu
[root@server2 ~]# cd /sys/fs/cgroup/memory/
[root@server2 memory]# cd docker/
[root@server2 eb09eb04a5f2fa029039d485e1be7e87058d8123d1c4a4c20436ee057d138cd6]# cat memory.memsw.limit_in_bytes
209715200
[root@server2 eb09eb04a5f2fa029039d485e1be7e87058d8123d1c4a4c20436ee057d138cd6]# cat memory.limit_in_bytes
209715200
[root@server2 ~]# docker run -d --name demo --memory 200M --memory-swap 200M nginx
abd6bc88a71b17c0278a874f7fd2741cf353697ca70813a3116673c7abefd9c2
[root@server2 ~]# docker ps
[root@server2 ~]# docker run -it --rm --memory 200M --memory-swap 200M ubuntu
root@e0db203a15a1:/# free -m
Block IO限制
[root@server2 ~]# cd /sys/fs/cgroup/blkio/
[root@server2 blkio]# ls
[root@server2 blkio]# docker run -it --device-write-bps /dev/vda:30MB ubuntu
root@c545ff3f7779:/# dd if=/dev/zero of=bigfile bs=1M count=100 oflag=direct
100+0 records in
100+0 records out
104857600 bytes (105 MB, 100 MiB) copied, 3.3175 s, 31.6 MB/s
3、 docker安全加固
利用LXCFS增强docker容器隔离性和资源可见性
[root@server2 ~]# yum install -y lxcfs-2.0.5-3.el7.centos.x86_64.rpm
[root@server2 ~]# lxcfs /var/lib/lxcfs &
[root@server2 ~]# cd /var/lib/lxcfs/
[root@server2 lxcfs]# ls
cgroup proc
设置特权级运行的容器:--privileged=true(特权容器基本不受隔离限制,可直接访问宿主机设备,仅在确有必要时使用)
按需设置容器能力(capability)白名单:--cap-add(只添加需要的单个能力,配合 --cap-drop 去掉不需要的能力)
4、docker machine实践
创建machine
[root@server1 ~]# mv docker-machine-Linux-x86_64-0.16.1 /usr/local/bin/docker-machine
[root@server1 ~]# chmod +x /usr/local/bin/docker-machine
[root@server2 ~]# rpm -q docker-ce
docker-ce-20.10.2-3.el7.x86_64
创建 machine 要求能够免密登录远程主机
[root@server1 ~]# ssh-keygen
[root@server1 ~]# ssh-copy-id server2
创建主机(离线安装需要在目标主机提前装好 docker 软件包)
[root@server1 ~]# docker-machine create --driver generic --generic-ip-address 192.168.0.2 server2
[root@server1 ~]# rpm -qa | grep docker
[root@server1 ~]# docker-machine env server2
管理 machine:连接远程 docker 主机时需要先执行以下命令,但每次手动执行并不方便
[root@server2 ~]# rpm -qa | grep docker
docker-ce-rootless-extras-20.10.2-3.el7.x86_64
docker-ce-20.10.2-3.el7.x86_64
docker-ce-cli-20.10.2-3.el7.x86_64
[root@server2 ~]# netstat -antlp
tcp6 0 0 :::2376 :::* LISTEN 24924/dockerd
[root@server1 server2]# docker-machine env server2
[root@server1 ~]# eval $(docker-machine env server2)
[root@server1 ~]# docker run -d --name demo nginx
安装 bash 补全脚本,使命令行提示符显示当前连接的 docker-machine 主机:
[root@server1 ~]# cd /etc/bash_completion.d/
[root@server1 ~]# vim .bashrc
PS1='[\u@\h \W$(__docker_machine_ps1)]\$ '
[root@server1 ~]# logout
Connection to 192.168.0.1 closed.
[kiosk@foundation50 Desktop]$ ssh [email protected]
[root@server1 ~]# docker-machine env server2
[root@server1 ~]# eval $(docker-machine env server2)
[root@server1 ~ [server2]]#
自动下载 安装 配置
[root@foundation50 html]# vim docker-ce.repo
[root@server1 ~]# wget https://get.docker.com
[root@server1 ~]# mv index.html get-docker.sh
[root@server1 ~]# vim get-docker.sh
412 474
# NOTE(review): local override of the upstream yum repo URL inside the fetched get-docker.sh.
# The repo file is pulled over plain HTTP from a lab host, so package integrity rests entirely on the
# gpgcheck/gpgkey settings inside that repo file — confirm they are enabled before using this outside
# an isolated lab.
yum_repo="http://192.168.0.1/docker-ce.repo"
# install the correct cli version first
#if [ -n "$cli_pkg_version" ]; then
# $sh_c "$pkg_manager install -y -q docker-ce-cli-$cli_pkg_version"
#fi
# The pinned-CLI install above is commented out, so the unversioned install below takes whatever
# docker-ce version the mirror serves. $sh_c and $pkg_manager are set earlier in the script (not shown here).
$sh_c "$pkg_manager install -y -q docker-ce"
[root@server1 ~]# ssh-copy-id server3
[root@server1 ~]# scp get-docker.sh [email protected]:/var/www/html/
[root@server1 ~]# docker-machine create --driver generic --engine-install-url "http://192.168.0.100/get-docker.sh" --generic-ip-address 192.168.0.3 server3
[root@server1 ~]# docker-machine ls
[root@server1 ~]# docker-machine env server3
[root@server1 ~]# eval $(docker-machine env server3)
[root@server2 sysctl.d]# pwd
/etc/sysctl.d
[root@server2 sysctl.d]# cat docker.conf
net.bridge.bridge-nf-call-iptables = 1
net.bridge.bridge-nf-call-ip6tables = 1
[root@server2 sysctl.d]# scp docker.conf server3:/etc/sysctl.d/
[root@server3 sysctl.d]# ls
99-sysctl.conf docker.conf
[root@server3 sysctl.d]# sysctl --system
5、搭建yum源
[root@server3 yum.repos.d]# yum install docker-ce docker-ce-cli
[root@server3 docker-ce]# cd /var/cache/yum/x86_64/7Server/extras/packages/
[root@server3 packages]# cp * /var/www/html/docker-ce/
[root@server3 docker-ce]# cd /var/cache/yum/x86_64/7Server/
[root@server3 7Server]# cd docker/
[root@server3 docker]# ls
[root@server3 packages]# cp * /var/www/html/docker-ce/
[root@server3 docker-ce]# yum install -y createrepo
[root@server3 docker-ce]# createrepo .
[root@server3 docker-ce]# ls
[root@server3 docker-ce]# systemctl start httpd
[root@server3 yum.repos.d]# vim docker-ce.repo
[docker]
name=docker-ce
baseurl=http://192.168.0.3/docker-ce
# NOTE(review): gpgcheck=0 turns off RPM signature verification and the mirror is served over plain HTTP,
# so yum installs whatever this host serves. The packages were copied from the official repo's yum cache,
# but that chain is not verified here; outside an isolated lab, add gpgkey=<URL-of-upstream-Docker-GPG-key>
# and set gpgcheck=1.
gpgcheck=0
[root@server3 yum.repos.d]# yum clean all
[root@server3 yum.repos.d]# yum repolist
[root@server3 yum.repos.d]# yum install docker-ce docker-ce-cli
6、docker compose
docker compose 是一种编排服务,可以让用户在集群中部署分布式应用。
[root@server1 ~]# mkdir compose
[root@server1 ~]# cd compose/
[root@server1 compose]# ls
[root@server1 compose]# cat /etc/docker/daemon.json
{
"registry-mirrors": ["https://nmcjqb9k.mirror.aliyuncs.com"]
}
[root@server1 compose]# docker pull nginx
[root@server1 compose]# docker pull haproxy
[root@server1 compose]# vim docker-compose.yml
[root@server1 compose]# mkdir web1
[root@server1 compose]# echo web1 > web1/index.html
[root@server1 compose]# mkdir web2
[root@server1 compose]# echo web2 > web2/index.html
[root@server1 ~]# docker inspect haproxy
/usr/local/etc/haproxy/haproxy.cfg
[root@server1 compose]# mkdir haproxy
[root@server1 compose]# cd haproxy/
[root@server1 haproxy]# vim haproxy.cfg
[root@server1 haproxy]# docker run -d --name demo -v "$(pwd)"/haproxy.cfg:/usr/local/etc/haproxy/haproxy.cfg haproxy
[root@server1 haproxy]# docker logs demo
[root@server1 haproxy]# docker rm -f demo
demo
[root@server1 haproxy]# cd ..
[root@server1 compose]# docker-compose up
[root@server1 compose]# docker-compose start
[root@server1 compose]# docker-compose ps
[root@server1 compose]# docker-compose stop web1
Stopping compose_web1_1 ... done
[root@server1 compose]# docker-compose logs web1