Kubernetes advanced series: creating a read-only file system and a read-only asp.net core container


Using docker to create a read-only file system

Deploying applications as containers has brought great convenience to operations, but it also brings new security issues to consider. For example, if an attacker breaks into a container and modifies system-level or application-level files inside it, the loss can be incalculable: modifying the hosts file causes abnormal DNS resolution, modifying the web site's files leads to advertising being embedded in its resources, modifying the back-end logic causes permission checks to fail, and so on. Because deployment is distributed, it is very hard to discover which container resources have been modified. The solution to this problem is to create the container with a read-only file system. Below, the docker run command and docker compose are used to create a container with a read-only file system.

Creating a read-only file system with the docker run command

For example, to create a redis container with a read-only file system, execute the following command:

docker run --read-only redis

Creating a read-only file system with docker compose / swarm

An example yaml compose file is shown below:

version: '3.3'
 
services:
  redis:
    image: redis:4.0.1-alpine
    networks:
      - myoverlay
    read_only: true

networks:
  myoverlay:

Problem: creating a read-only file system looks good, but in practice there are always various problems. For example, many applications write temp files or log files, and creating a read-only container for such an application is likely to prevent it from starting normally. For applications that need to write log files or temporary files to a fixed location, a storage volume on the host can be mounted into the container: the container remains read-only, but the mounted volume is still readable and writable.

Creating a read-only asp.net core container

Above we discussed that creating a container with a read-only file system adds security, and how to address the common need to write log files or temporary files. If we try to create a read-only asp.net core application, the image still does not start properly even when no logging component is used (that is, nothing is written to a log). In fact, the solution to this problem is very simple: just set the environment variable COMPlus_EnableDiagnostics to 0.

FROM microsoft/dotnet:2.2-aspnetcore-runtime AS base
WORKDIR /app
EXPOSE 52193

FROM microsoft/dotnet:2.2-sdk AS build
WORKDIR /src
COPY . .
WORKDIR "/src"
RUN dotnet build "ReadOnlyTest.csproj" -c Release -o /app

FROM build AS publish
RUN dotnet publish "ReadOnlyTest.csproj" -c Release -o /app

FROM base AS final
WORKDIR /app
ENV DOTNET_RUNNING_IN_CONTAINER=true
ENV DOTNET_CLI_TELEMETRY_OPTOUT=1

ENV COMPlus_EnableDiagnostics=0

COPY --from=publish /app .
ENTRYPOINT ["dotnet", "ReadOnlyTest.dll"]
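Putting the pieces together, the following compose file is an added example (not from the original post): it runs the image built from the Dockerfile above with a read-only root file system, gives the application a tmpfs for temporary files and a named volume for log files as described in the previous section, and sets COMPlus_EnableDiagnostics=0. The image name readonlytest:latest and the log path /app/logs are assumptions.

```yaml
version: '3.7'

services:
  readonlytest:
    # image built from the Dockerfile above (name assumed)
    image: readonlytest:latest
    # root file system is mounted read-only; any write outside the mounts below fails
    read_only: true
    environment:
      # the post reports that without this the asp.net core image does not start read-only
      - COMPlus_EnableDiagnostics=0
      - DOTNET_RUNNING_IN_CONTAINER=true
    volumes:
      # writable scratch space for temp files, kept in memory and discarded with the container
      - type: tmpfs
        target: /tmp
      # writable, persistent location for log files (path assumed)
      - type: volume
        source: app-logs
        target: /app/logs
    networks:
      - myoverlay

networks:
  myoverlay:

volumes:
  app-logs:
```

Everything else in the container, including the published application files, stays read-only, so a tampered hosts file or modified web resource cannot be written in place.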

A brief introduction to these environment variables:

  • DOTNET_RUNNING_IN_CONTAINER: setting its value to true indicates that the application is running in a container. This helps us determine the program's runtime environment and then make decisions based on it (for example, unit tests may use different strategies depending on whether the project is running on windows, on linux or in a linux container). Of course, you can also set other environment variables for your own use, such as a key named IsRunningInDocker, but DOTNET_RUNNING_IN_CONTAINER

  • DOTNET_CLI_TELEMETRY_OPTOUT: whether to output telemetry information. If it is set to 1, telemetry is turned off, so dotnet.exe will not output telemetry information to the debug window.

  • COMPlus_EnableDiagnostics: there is not much detailed information about this parameter, but from the resources I could find, turning this configuration off makes it possible to create a read-only aspnet application.

Microsoft's official base image also contains an environment variable named ASPNETCORE_VERSION, which we can read directly. Using such public environment variables has two benefits: first, it avoids the trouble of setting and updating them manually; second, it makes communication with the community easier (conventions you define yourself can only be used for communication within your own team).

How do we use these environment variables? One approach is to expose a helper property inside the program, for example:

private bool InDocker { get { return Environment.GetEnvironmentVariable("DOTNET_RUNNING_IN_CONTAINER") == "true";} }

Then we can use it according to actual needs.

Above, we showed how to create a read-only file system with the docker run command and docker-compose. In a kubernetes cluster, however, we need to use the k8s orchestration method to create a read-only file system. So how do you create a read-only file system in k8s? In fact, this involves another advanced topic, k8s security policies (Pod security policies), which we will introduce in the next section.


Origin: www.cnblogs.com/tylerzhou/p/11075201.html