LXCFS security reinforcement of Docker

In the last chapter we talked about Docker container security; in this chapter we look at lxcfs, which gives a container a correct view of its own resources.
lxcfs is an open-source FUSE (userspace file system) implementation written to support LXC containers.
Through that userspace file system, LXCFS provides the following procfs files inside a container:

  • /proc/cpuinfo
  • /proc/diskstats
  • /proc/meminfo
  • /proc/stat
  • /proc/swaps
  • /proc/uptime

For example, the host file /var/lib/lxcfs/proc/meminfo is mounted over the file /proc/meminfo inside the Docker container. When a process in the container reads that file, the FUSE implementation in LXCFS reads the correct memory limit from the container's corresponding cgroup, so the application sees the resource limits that were actually set.

First, using LXCFS to enhance resource visibility and isolation for Docker containers

In the last chapter we put resource limits on a container, but we noticed that when we looked at the system resources from inside the container, the data shown was not what we had set, which is clearly unreasonable.
1. Install LXCFS

[root@server1 ~]# ls
busybox.tar    distroless.tar  lxcfs-2.0.5-3.el7.centos.x86_64.rpm  ubuntu.tar
convoy         docker          nginx.tar
convoy.tar.gz  game2048.tar    rhel7.tar
[root@server1 ~]# yum install -y lxcfs-2.0.5-3.el7.centos.x86_64.rpm 
After lxcfs is installed, a lxcfs directory is created under /var/lib, but /var/lib/lxcfs is still empty at this point.

2. Start lxcfs

[root@server1 ~]# cd /var/lib/lxcfs/
[root@server1 lxcfs]# ls
[root@server1 lxcfs]# lxcfs /var/lib/lxcfs/ &	# start lxcfs; press Enter to get the prompt back, do not press Ctrl+C, or the lxcfs process is terminated
[1] 2458
[root@server1 lxcfs]# hierarchies:
  0: fd:   5: pids
  1: fd:   6: hugetlb
  2: fd:   7: perf_event
  3: fd:   8: blkio
  4: fd:   9: cpuacct,cpu
  5: fd:  10: memory
  6: fd:  11: cpuset
  7: fd:  12: net_prio,net_cls
  8: fd:  13: freezer
  9: fd:  14: devices
 10: fd:  15: name=systemd

[root@server1 lxcfs]# cd
[root@server1 ~]# cd /var/lib/lxcfs/	# after startup the cgroup and proc directories are generated automatically
[root@server1 lxcfs]# ls
cgroup  proc
[root@server1 lxcfs]# 

Use the ps ax command to see the lxcfs process.
3. Test: use the lxcfs files as data volumes in Docker

[root@server1 ~]# docker run -it --name vm4 -m 200m \
> -v /var/lib/lxcfs/proc/cpuinfo:/proc/cpuinfo \
> -v /var/lib/lxcfs/proc/diskstats:/proc/diskstats:rw \
> -v /var/lib/lxcfs/proc/meminfo:/proc/meminfo:rw \
> -v /var/lib/lxcfs/proc/stat:/proc/stat:rw \
> -v /var/lib/lxcfs/proc/swaps:/proc/swaps:rw \
> -v /var/lib/lxcfs/proc/uptime:/proc/uptime:rw \
> ubuntu
root@3acc5223e233:/# free -m
             total       used       free     shared    buffers     cached
Mem:           200          5        194         16          0          0
-/+ buffers/cache:          5        194
Swap:          200          0        200
root@3acc5223e233:/# 
We can see that the memory size shown inside the container is the value we set.

Note:
Do not mount the /var/lib/lxcfs/proc directory directly onto the /proc directory in the container. The container's own /proc already has contents: it holds the process information and system information of the container. If /var/lib/lxcfs/proc were mounted over the container's /proc, those original contents would be covered, and since /proc records the container's process information and much more, it must not be overwritten. This is why /var/lib/lxcfs/proc is not mounted directly onto /proc, and the individual files are mounted instead.
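The following is an added example, not code from the original post: it wraps the docker run line above so that each lxcfs procfs file is bind-mounted individually (never the whole /var/lib/lxcfs/proc over /proc, as the note explains), and checks that the MemTotal seen through /proc/meminfo really matches the -m limit. It assumes lxcfs is mounted at /var/lib/lxcfs, the path used on this page; the sample /proc/meminfo text is constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes lxcfs is mounted at
# /var/lib/lxcfs; the sample meminfo content below is constructed.
LXCFS_ROOT=/var/lib/lxcfs
LXCFS_FILES="cpuinfo diskstats meminfo stat swaps uptime"

# Emit one "-v host:container:rw" flag per lxcfs file. Mounting single files
# keeps the rest of the container's own /proc intact.
lxcfs_mount_args() {
  _args=""
  for _f in $LXCFS_FILES; do
    _args="$_args -v $LXCFS_ROOT/proc/$_f:/proc/$_f:rw"
  done
  printf '%s' "${_args# }"
}

# Read /proc/meminfo text on stdin and print MemTotal in MiB.
meminfo_total_mib() {
  awk '/^MemTotal:/ { printf "%d", $2 / 1024 }'
}

# Exit 0 when the MemTotal on stdin equals the expected MiB value ($1).
check_mem_limit() {
  _seen=$(meminfo_total_mib)
  [ -n "$_seen" ] && [ "$_seen" -eq "$1" ]
}

# Start a container with the lxcfs mounts; extra arguments go to docker.
# Usage: run_with_lxcfs vm4 200m ubuntu
run_with_lxcfs() {
  _name=$1; _mem=$2; _img=$3; shift 3
  # shellcheck disable=SC2046  # word splitting of the flag list is intended
  docker run -it --name "$_name" -m "$_mem" $(lxcfs_mount_args) "$_img" "$@"
}

# Constructed sample of /proc/meminfo as read through lxcfs in a 200m container.
SAMPLE_MEMINFO='MemTotal:         204800 kB
MemFree:          198656 kB
Buffers:               0 kB
Cached:                0 kB
SwapTotal:        204800 kB
SwapFree:         204800 kB'

# Run the check against the sample: prints "limit visible: yes".
if printf '%s\n' "$SAMPLE_MEMINFO" | check_mem_limit 200; then
  echo "limit visible: yes"
else
  echo "limit visible: no"
fi
```

Inside a real container the same check is `check_mem_limit 200 < /proc/meminfo`; without the lxcfs mounts it reports the host's MemTotal and the check fails, which is exactly the mismatch the chapter set out to fix.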

Second, running a container with elevated privileges: --privileged=true

Sometimes we need a container with more privileges, for example to operate on kernel modules, control the swap partition, mount a USB disk, or modify the MAC address.
After we create a container, the root account inside it has limited permissions; it is not the real root user.
Adding the --privileged=true parameter gives the container's root user the administrator privileges of real root.

The permissions granted by --privileged=true are very large, close to those of the host. To prevent abuse, the permissions need to be restricted so that the container gets only what it needs. For this, Docker provides a permission whitelist mechanism: use --cap-add to add only the necessary capabilities.
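As an added example (not from the original post), the script below puts the weak setting next to the corrected one: it builds a least-privilege flag set that drops all capabilities and adds back only those named, and it audits a docker run command line for --privileged. The capability NET_ADMIN is chosen because changing a MAC address, one of the tasks listed above, needs it; the two sample command lines are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post). The sample command lines are
# constructed; NET_ADMIN is an assumption about what the task needs.

# Print "--cap-drop=ALL --cap-add=CAP ..." for the capabilities given as
# arguments. Dropping ALL first guarantees that only the listed ones remain.
least_priv_cap_args() {
  _out="--cap-drop=ALL"
  for _cap in "$@"; do
    _out="$_out --cap-add=$_cap"
  done
  printf '%s' "$_out"
}

# Return 1 (finding) if a docker run line uses --privileged, else 0.
# Padding with spaces lets the pattern match the flag anywhere on the line.
audit_run_line() {
  case " $1 " in
    *" --privileged "*|*" --privileged=true "*) return 1 ;;
    *) return 0 ;;
  esac
}

# Weak setting (as on the page): container root is close to host root.
WEAK_RUN="docker run -it --privileged=true ubuntu"
# Corrected setting: drop everything, add back only what the task needs.
SAFE_RUN="docker run -it $(least_priv_cap_args NET_ADMIN) ubuntu"

for _line in "$WEAK_RUN" "$SAFE_RUN"; do
  if audit_run_line "$_line"; then
    echo "ok:      $_line"
  else
    echo "WARNING: $_line"
  fi
done
```

The audit function is deliberately simple string matching; it is meant for reviewing run scripts and CI pipelines, where a --privileged flag should be an exception that needs a justification rather than the default.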

Ideas for strengthening security

1. Ensure image security

  • Use a secure base image
  • Remove setuid and setgid permissions from the image
  • Enable Docker Content Trust
  • Follow minimal installation guidelines
  • Scan images for security vulnerabilities; image security scanner: Clair
  • Run containers as a non-root user
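Two of the items above, removing setuid/setgid permissions and running as non-root, are usually done in the image build. The script below is an added example, not code from the original post or from any project it mentions: it lists the files under a given root that carry the setuid or setgid bit, strips those bits, and verifies that none remain. It runs on a scratch directory it creates itself, so it is safe to try anywhere; in a Dockerfile the same find command would be applied to / in a RUN step.

```shell
#!/bin/sh
# Added example (not from the original post). Works on whatever root
# directory is passed in; the demo at the bottom uses a constructed temp dir.

# List regular files under $1 with the setuid (4000) or setgid (2000) bit.
list_setuid_files() {
  find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
}

# Strip setuid and setgid bits from every such file under $1.
# Prints the number of files that were changed.
strip_setuid_bits() {
  _n=$(list_setuid_files "$1" | wc -l | tr -d ' ')
  find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
    -exec chmod u-s,g-s {} + 2>/dev/null
  printf '%d' "$_n"
}

# Exit 0 if no setuid/setgid files remain under $1.
verify_no_setuid() {
  [ -z "$(list_setuid_files "$1")" ]
}

# Demo on a constructed scratch directory: one fake setuid helper binary.
demo_dir=$(mktemp -d)
touch "$demo_dir/helper"
chmod u+s "$demo_dir/helper"
echo "before: $(list_setuid_files "$demo_dir")"
echo "stripped: $(strip_setuid_bits "$demo_dir") file(s)"
verify_no_setuid "$demo_dir" && echo "after: clean"
rm -rf "$demo_dir"
```

In an image build this becomes `RUN find / -xdev -type f \( -perm -4000 -o -perm -2000 \) -exec chmod u-s,g-s {} +` followed by a `USER` instruction for an unprivileged account; the -xdev option keeps find from descending into mounted file systems such as /proc.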

2. Ensure container security

  • Harden the Docker host
  • Limit network traffic between containers
  • Configure TLS authentication for the Docker daemon
  • Enable user namespace support
  • Limit the memory usage of containers
  • Set container CPU priority appropriately

3. Major kernel subsystems that are not namespaced, for example:

  • SELinux
  • cgroup
  • The /sys file system
  • /proc/sys, /proc/sysrq-trigger, /proc/irq, /proc/bus

4. Devices that are not namespaced:

  • /dev/mem
  • /dev/sd* file system devices
  • Kernel modules

If a privileged process in a container can communicate with or attack one of these, it can take over the whole system.

Source: blog.csdn.net/weixin_42446031/article/details/91541436