Docker Security Management -- TLS (security authentication)

One. Differences between Docker containers and virtual machines

1. Isolation and sharing

A virtual machine adds a Hypervisor layer that virtualizes the network card, memory, CPU and other hardware, and virtual machines are then created on top of it; each virtual machine has its own kernel.
A Docker container isolates the file system, processes, devices, network and other resources through namespaces, and then controls permissions and CPU resources through cgroups, so that containers cannot affect each other
and a container cannot affect the host. Containers share the kernel, file system, hardware and other resources with the host.

Docker containers share one kernel's resources, whereas each virtual machine uses resources that are entirely its own.

2. Performance and loss

Compared with a virtual machine, a container consumes fewer resources, so more containers than virtual machines can be created on the same host. However, a virtual machine is somewhat more secure than a container:
to break out of a virtual machine to the host or to another virtual machine you must break through the Hypervisor layer, which is extremely difficult. A Docker container shares the kernel, file system and other resources with the host,
so it is more likely to have an impact on other containers and on the host.

Compared with virtual machines, containers consume far fewer resources, because containers share the kernel. This also means that if one container uses a lot of resources the others get less, and if one container has a problem the other containers will have problems too; this is why a virtual machine is more secure than a container.

Two. Docker security problems

1. Docker's own vulnerabilities

Docker itself is an application and inevitably has code defects. The official CVE history records more than 20 vulnerabilities in Docker.
The commonly used methods are mainly

code execution, privilege escalation, information disclosure, permission bypass, and so on. Docker versions currently change very quickly,
so Docker users had best upgrade Docker to the latest version.

2. Docker image source problems

Docker provides Docker Hub, which lets users upload images they have built for other users to download, so that environments can be built quickly. But it also brings some security problems, for example the following three:
(1) Uploading malicious images. If a backdoor or other malware is planted in an image while it is being built, then the environment is insecure from the very beginning, and there is no security to speak of afterwards.

(An image may contain malware and viruses)

(2) Using images with flawed software. Of the images that can be downloaded from Docker Hub, 75% have vulnerable software installed. So after downloading an image,
you need to check the version information of the software inside it, find out whether the corresponding versions have vulnerabilities, and update and patch them.

(The environment inside an old image has problems)

(3) Man-in-the-middle tampering with images. An image can be tampered with in transit; the current new version of Docker provides a corresponding verification mechanism to prevent this problem.
If the image you upload is hijacked and tampered with by a man in the middle, you need a TLS security certificate, and the docker container performs secure authentication against the docker server.

Three. Docker architecture defects and security mechanisms

Docker's own architecture and mechanisms can cause problems, for example in a scenario where some containers on a host have already been taken over, or where a container has been obtained by creating one on a public cloud, and attacks are then launched against the host or other containers.

1. LAN attacks between containers

Containers on the same host can form a local area network, so LAN techniques such as ARP spoofing, sniffing and broadcast storms can all be used against them.
Therefore, deploying multiple containers on one host requires sensible network configuration and iptables rules.

2. DDoS attacks that exhaust resources

The Cgroups security mechanism exists to prevent this: do not allocate too many resources to a single container, to avoid this kind of problem.

3. Vulnerabilities in system calls
An important difference between Docker and a virtual machine is that Docker shares the operating system kernel with the host.
Once the host kernel contains an overflow or privilege-escalation vulnerability, then even though Docker runs as an ordinary user inside the container, an attacker may still use the vulnerability to break out into the host kernel and do more.

4. Shared root user privileges
If a container is run with root privileges, the root user inside the container has root privileges on the host.

Four. Docker security baseline standards

The following summarizes Docker security baseline standards in six aspects: kernel, host, network, image, container and other.
1. Kernel level
(1) Update the kernel.
(2) User Namespace (root privileges inside the container map to a non-privileged state outside the container).
(3) Cgroups (resource quotas and metrics).
(4) SELinux / AppArmor / GRSEC (control file access permissions).
(5) Capabilities (division of privileges).
(6) Seccomp (restrict the set of system calls).
(7) Prohibit sharing namespaces between the container and the host's process namespace.

2. Host level
(1) Create a separate partition for containers.
(2) Run only the necessary services.
(3) Prohibit mapping sensitive host directories into containers.
(4) Audit the files and directories related to the Docker daemon.
(5) Set an appropriate default number of file descriptors.
(File descriptor: the kernel accesses files through file descriptors, which are non-negative integers.
When a new file is created or an existing file is opened, the kernel returns a file descriptor; reading from and writing to a file both require a file descriptor to specify the file.)
(6) Access permissions on Docker-related files owned by root should be 644 or stricter.
(7) Periodically check the container list on each host and clean up unnecessary containers.

3. Network level
(1) Prohibit or allow network traffic between containers through iptables rules.
(2) Allow Docker to modify iptables.
(3) Prohibit Docker from binding to other IPs / ports or Unix sockets.
(4) Prohibit mapping privileged ports on containers.
(5) Open only the ports the container needs.
(6) Prohibit the use of host network mode on containers.
(7) If the host has multiple network cards, bind traffic into the container to a specific host network card.

4. Image level
(1) Set up a local image registry server.
(2) Use the latest version of the software in images.
(3) Use trusted image files, downloaded over secure channels.
(4) Rebuild images rather than patching containers and images.
(5) Manage image tags sensibly and promptly remove images no longer in use.
(6) Use image scanning.
(7) Sign images.

5. Container level
(1) Minimize the container; use a minimal operating system image.
(2) Run a single main process per container.
(3) Prohibit the use of containers marked privileged.
(4) Prohibit running an ssh service in the container.
(5) Mount the container's root file system read-only.
(6) Define the data volumes belonging to the container.
(7) Limit the number of container restart attempts with on-failure; repeatedly restarting a container easily loses data.
(8) Limit the process tree available in the container to prevent fork bombs (a fork bomb rapidly spawns child processes and exhausts the system's process count).

6. Other settings
(1) Periodically audit the security of the host system and containers.
(2) Run containers with the minimum resources and minimum privileges.
(3) Avoid deploying a large number of containers on the same host; keep the number manageable.
(4) Monitor the usage and other performance indicators of Docker containers.
(5) Build up real-time detection of insecure conditions and incident response capabilities.
(6) Use centralized and remote log collection services.

Docker security rules

Container minimization

Run only the necessary services in the container; services such as SSH should not be casually enabled for connecting to the container. The usual way to enter a container is:
docker exec -it <container_name> bash

Docker API access control

Docker's remote API interface is subject to an unauthorized-access vulnerability.
[root@localhost ~]# vim /usr/lib/systemd/system/docker.service
Keep the local unix connection through the docker.sock file; -H binds your TCP port and address
line 14
ExecStart=/usr/bin/dockerd -H unix:///var/run/docker.sock -H tcp://192.168.136.186:2323
[root@localhost ~]# systemctl daemon-reload
[root@localhost ~]# systemctl restart docker
# permanent configuration, rich rule: accept the source address on the specified tcp port 2323
[root@localhost ~]# firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.136.186" port protocol="tcp" port="2323" accept'
# reload the firewall
[root@localhost ~]# firewall-cmd --reload
success

Limit traffic flow

Firewall rules control traffic coming in from outside, but when a container accesses the outside, the firewall assigns the request a sequence number (connection tracking) and the reply is trusted directly when it comes back; this is a hidden risk.
Permanent configuration, public zone: control ipv4 addresses, write in the containers' address range, reject
[root@localhost ~]# firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.136.0/24" reject'
success
[root@localhost ~]# firewall-cmd --reload
success

Start the docker service as an ordinary user

Use user mapping (user namespaces) to solve the problem that user 0 inside a given container is equal to root on the host system; LXC allows user and group IDs to be remapped.
# Use user mapping: create a virtual user for the root user that corresponds to root privileges on the host system

File system limits

Mount the container's root directory strictly read-only, separate the file directory permissions of different containers, and ideally give each container its own partition on the host.

su test01
docker run -v dev:/home/mc_server/test01 -it centos:latest /bin/bash
su test02
docker run -v dev:/home/mc_server/test02 -it centos:latest /bin/bash

Image security

In general, make sure images are only pulled from trusted registries, and do not use the --insecure-registry=[] parameter.

This certificate verification can only determine whether your identity is trustworthy; it cannot guarantee the security of the image.

Securing communication between the Docker client and the Docker daemon

To prevent link hijacking, session persistence and similar problems from exposing Docker communication to man-in-the-middle attacks, the client and server ends should communicate over an encrypted channel.

# daemon side: require TLS client verification and listen on all interfaces on port 2376
[root@localhost harbor]# dockerd --tlsverify --tlscacert=ca.pem --tlscert=server-cert.pem --tlskey=server-key.pem -H=0.0.0.0:2376

Resource control

Controlling resources can lower the security risk without affecting the business.

docker run -tid --name ec2 --cpuset-cpus 3 --cpu-shares 2048 --memory 2048m --rm --blkio-weight 100 --pids-limit 512 <image>

Upgrade the host kernel promptly for kernel vulnerabilities

Docker containers support live migration, but pay attention to the IP address after migration; install security hardening and apply kernel patches.

Avoid Docker container leaks

Check the Dockerfile used to build the image, for example whether ssh is enabled and whether the image has problems.

Log analysis

Collect and archive Docker-related security logs for auditing and monitoring; use rsyslog or stdout+ELK for log collection, storage and analysis.
Use the following command on the host to access the log file from outside the container:

docker run -v /dev/log:/dev/log <container_name> /bin/sh # mount it as a data volume

Docker built-in command
docker logs -f <container_name>

Docker Bench for Security

A script that checks dozens of common best practices for deploying Docker containers in production.
Environment setup
After downloading the binary file, add it to the PATH environment variable.

[root@localhost ]# git clone https://github.com/docker/docker-bench-security.git
[root@localhost ]# cd docker-bench-security
[root@localhost ]# sudo sh docker-bench-security.sh

ulimit

ulimit can limit resource types including core dump file size, process data segment size, size of files that can be created, resident set size, number of open files, process stack size, CPU time, maximum number of threads per user, and maximum virtual memory per process.
Set the CPU time

dockerd --default-ulimit cpu=1200
docker run --rm -ti --ulimit cpu=1200 ubuntu bash

## check after entering the container

ulimit -t

docker-tls encrypted communication

To prevent link hijacking, session persistence and similar problems from exposing docker communication to man-in-the-middle attacks, the c/s ends should communicate over an encrypted channel.

[root@localhost ~]# hostnamectl set-hostname master
[root@localhost ~]# su
[root@master ~]# vim /etc/hosts
127.0.0.1  master
[root@master ~]# mkdir /tls
[root@master ~]# cd /tls/
//create the CA private key
[root@master tls]# openssl genrsa -aes256 -out ca-key.pem 4096
//create the CA certificate
[root@master tls]# openssl req -new -x509 -days 1000 -key ca-key.pem -sha256 -subj "/CN=*" -out ca.pem
//create the server private key
[root@master tls]# openssl genrsa -out server-key.pem 4096
//create the server signing request from the private key
[root@master tls]# openssl req -subj "/CN=*" -sha256 -new -key server-key.pem -out server.csr
//sign it with the CA certificate and CA private key; enter the CA key passphrase 123123
[root@master tls]# openssl x509 -req -days 1000 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out server-cert.pem
//note: this server certificate carries only a CN; recent Docker releases (Go 1.15 and later TLS stack) match the daemon's host name against a subjectAltName, e.g. an extfile with subjectAltName=DNS:master passed via -extfile when signing server.csr
//generate the client private key
[root@master tls]# openssl genrsa -out key.pem 4096
//create the client signing request
[root@master tls]# openssl req -subj "/CN=client" -new -key key.pem -out client.csr
//create the extension file
[root@master tls]# echo extendedKeyUsage=clientAuth > extfile.cnf
//sign the client certificate (needs the client CSR, the CA certificate and the CA key); enter 123123
[root@master tls]# openssl x509 -req -days 1800 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out cert.pem -extfile extfile.cnf
//delete the leftover files
[root@master tls]# rm -rf ca.srl client.csr extfile.cnf server.csr
//configure docker
[root@master tls]# vim /lib/systemd/system/docker.service
ExecStart=/usr/bin/dockerd --tlsverify --tlscacert=/tls/ca.pem --tlscert=/tls/server-cert.pem --tlskey=/tls/server-key.pem -H tcp://0.0.0.0:2376 -H unix:///var/run/docker.sock
//reload the unit files
[root@master tls]# systemctl daemon-reload
//restart the service
[root@master tls]# systemctl restart docker

//copy the three files /tls/ca.pem /tls/cert.pem /tls/key.pem to the other host (the client's address was lost in extraction; <client> is a placeholder)
[root@master tls]# scp ca.pem root@<client>:/etc/docker
[root@master tls]# scp cert.pem root@<client>:/etc/docker
[root@master tls]# scp key.pem root@<client>:/etc/docker

[root@localhost ~]# hostnamectl set-hostname client
[root@localhost ~]# su
[root@client ~]# vim /etc/hosts
192.168.45.129 master

#test on the client
[root@client docker]# docker --tlsverify --tlscacert=ca.pem --tlscert=cert.pem --tlskey=key.pem -H tcp://master:2376 version
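Docker is written in Go and checks certificates with Go's crypto/x509, so the rules behind the transcript above can be exercised offline without a daemon. The block below is an added example, not code from the original post or from the Docker project: it rebuilds the CA, server and client certificates the openssl steps produce and runs the checks each side performs under --tlsverify. It assumes the host name master, uses RSA-2048 instead of the page's RSA-4096, and puts the host name in a subjectAltName, which current Go (and therefore Docker) requires in place of the bare CN used above.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
// mint is one "openssl genrsa / req / x509 -req" step: a fresh RSA key and a certificate signed by the CA (self-signed when ca is nil).
func mint(serial int64, cn string, days int, ca *x509.Certificate, caKey *rsa.PrivateKey, eku ...x509.ExtKeyUsage) (*x509.Certificate, *rsa.PrivateKey) {
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, DNSNames: []string{cn}, // SAN, not the bare CN, is what Go and Docker match
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(0, 0, days), KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: eku}
	key := must(rsa.GenerateKey(rand.Reader, 2048)) // 2048 bits for speed; the page uses 4096
	if ca == nil { // the CA step: self-signed and allowed to sign the other two
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign
		ca, caKey = t, key
	}
	der := must(x509.CreateCertificate(rand.Reader, t, ca, &key.PublicKey, caKey))
	return must(x509.ParseCertificate(der)), key
}

// BuildPKI reproduces the transcript: ca.pem, server-cert.pem for the daemon's host name, cert.pem with extendedKeyUsage=clientAuth (extfile.cnf).
func BuildPKI(host string) (ca, server, client *x509.Certificate) {
	ca, caKey := mint(1, "docker-ca", 1000, nil, nil)
	server, _ = mint(2, host, 1000, ca, caKey, x509.ExtKeyUsageServerAuth)
	client, _ = mint(3, "client", 1800, ca, caKey, x509.ExtKeyUsageClientAuth)
	return ca, server, client
}

// VerifyPeer is the --tlsverify check each side makes: the peer's cert must chain to ca.pem and carry the right key usage; the client additionally matches the daemon's host name.
func VerifyPeer(ca, peer *x509.Certificate, usage x509.ExtKeyUsage, host string) error {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	_, err := peer.Verify(x509.VerifyOptions{Roots: pool, DNSName: host, KeyUsages: []x509.ExtKeyUsage{usage}})
	return err
}

func main() {
	ca, server, client := BuildPKI("master")
	println("daemon accepted by client:", VerifyPeer(ca, server, x509.ExtKeyUsageServerAuth, "master") == nil, "client accepted by daemon:", VerifyPeer(ca, client, x509.ExtKeyUsageClientAuth, "") == nil)
}
```

A certificate from a different CA, a server certificate presented as a client certificate, or a host name that does not match the SAN all fail VerifyPeer, which is exactly why the ca.pem copied to the client and the clientAuth extension matter in the procedure above.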


Source: blog.51cto.com/14475593/2468076