
How to configure container security on Linux

With the rapid growth of container technology, more and more enterprises and developers are deploying their applications in containers. While we enjoy the convenience containers bring, however, we also need to pay attention to container security. This article describes how to configure container security on Linux, including setting security options for the container runtime, using container isolation mechanisms, and auditing container activity.

Setting security options for the container runtime

The container runtime is the component responsible for managing the container lifecycle, such as Docker Engine in Docker. To improve container security, we can restrict a container's privileges through the runtime's security options.

For example, we can give a container a read-only root filesystem, preventing the container from modifying sensitive files on the host:

# Mount the container's root filesystem read-only; any location the workload
# must write to (e.g. --tmpfs /tmp or a volume) has to be added explicitly.
docker run --read-only ...


In addition, we can use the --cap-add and --cap-drop options to restrict the capabilities a container holds, granting only the minimum set of operations the container needs:

# Add a single capability on top of the runtime's default set
docker run --cap-add=NET_ADMIN ...
# Drop every capability; in practice combine both, e.g. --cap-drop=all --cap-add=NET_ADMIN,
# so the container keeps only what it actually needs
docker run --cap-drop=all ...


Using container isolation mechanisms

Container isolation mechanisms are the main means of keeping containers separated from one another. The Linux kernel provides several such mechanisms, including namespaces, cgroups and seccomp.

Namespaces isolate the resources of a process and its children so that they run in their own namespace rather than sharing resources with other containers. For example, we can use the unshare command to start a container in a new set of namespaces:

# Run the command in fresh mount, PID, network, UTS, IPC and user namespaces;
# --fork runs it as a child process and --mount-proc mounts a new /proc for the new PID namespace
unshare --mount --pid --net --uts --ipc --user --fork --mount-proc docker run ...


cgroups (control groups) let us limit and prioritise the resources a container consumes, such as CPU, memory and disk I/O. For example, we can create a cgroup with the cgcreate command and cap the container's CPU usage at 50%:

cgcreate -g cpu:/mygroup
# 50000 us of the default 100000 us CFS period = 50% of one CPU (cgroup v1 interface)
echo 50000 > /sys/fs/cgroup/cpu/mygroup/cpu.cfs_quota_us


seccomp (Secure Computing Mode) is a security mechanism for filtering system calls; in containers it can be used to restrict a container's access to sensitive system calls. For example, we can enable seccomp and set system-call rules with the seccomp security option:

# Replace Docker's default seccomp profile with a custom JSON profile
docker run --security-opt seccomp=/path/to/seccomp.json ...


Auditing container activity

Auditing container activity is one of the main means of achieving container security. Through auditing we can record and monitor container behaviour and discover potential security problems in time.

The Linux kernel provides the audit subsystem, which can be used to audit and trace activity on the system. We can use the auditctl command to set audit rules and enable auditing:

# -w sets a watch on a path; -p rwxa records reads, writes, executes and attribute
# changes. Adding -k <key> to each rule tags its records so they can be searched.
auditctl -w /path/to/container -p rwxa
auditctl -w /path/to/host -p rwxa
auditctl -w /path/to/filesystem -p rwxa
auditctl -w /path/to/network -p rwxa


The commands above watch filesystem and network activity under the given paths on the container and its host and record the corresponding audit log entries.
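Reading the records such watches produce, as an added example (shell, not from the article): it assumes the -w rules were also given -k keys (container_watch, host_watch), which the commands above omit, and the audit records are constructed for the demonstration. It counts events per key and joins each denied SYSCALL record with the PATH record that names the file, since only PATH records carry the filename.

```shell
#!/bin/sh
# Added example (not from the article): reading the records that auditctl -w
# watches produce. AUDIT_SAMPLE is constructed for this demo and assumes the
# rules were given -k keys (container_watch, host_watch); without keys the
# records carry key=(null).
AUDIT_SAMPLE='type=SYSCALL msg=audit(1700000000.101:201): arch=c000003e syscall=257 success=yes exit=3 items=1 ppid=1 pid=4242 uid=0 gid=0 euid=0 comm="containerd-shim" exe="/usr/bin/containerd-shim-runc-v2" key="container_watch"
type=PATH msg=audit(1700000000.101:201): item=0 name="/path/to/container/config.json" inode=11 dev=08:01 mode=0100644 ouid=0 ogid=0 nametype=NORMAL
type=SYSCALL msg=audit(1700000000.102:202): arch=c000003e syscall=257 success=no exit=-13 items=1 ppid=4242 pid=4300 uid=1000 gid=1000 euid=1000 comm="sh" exe="/bin/busybox" key="host_watch"
type=PATH msg=audit(1700000000.102:202): item=0 name="/path/to/host/shadow" inode=12 dev=08:01 mode=0100600 ouid=0 ogid=0 nametype=NORMAL
type=SYSCALL msg=audit(1700000000.103:203): arch=c000003e syscall=87 success=yes exit=0 items=1 ppid=4242 pid=4301 uid=0 gid=0 euid=0 comm="rm" exe="/bin/busybox" key="container_watch"
type=PATH msg=audit(1700000000.103:203): item=0 name="/path/to/container/etc/passwd" inode=13 dev=08:01 mode=0100644 ouid=0 ogid=0 nametype=DELETE'

# Count SYSCALL records per watch key, printed as "count key", busiest first.
audit_count_by_key() {
    printf '%s\n' "$AUDIT_SAMPLE" | awk '
        $1 == "type=SYSCALL" {
            for (i = 1; i <= NF; i++)
                if (sub(/^key="?/, "", $i)) { sub(/"$/, "", $i); n[$i]++ }
        }
        END { for (k in n) print n[k], k }' | sort -rn
}

# Join each denied SYSCALL record (success=no) with the PATH record sharing its
# event serial (the N in msg=audit(TIME:N):), since only PATH records name the
# file. Output: "uid exe path", one line per denied access.
audit_denied_paths() {
    printf '%s\n' "$AUDIT_SAMPLE" | awk '
        {
            match($0, /:[0-9]+\):/); serial = substr($0, RSTART + 1, RLENGTH - 3)
            split("", rec)
            for (i = 1; i <= NF; i++) {
                split($i, kv, "="); v = kv[2]; gsub(/"/, "", v); rec[kv[1]] = v
            }
            if ($1 == "type=SYSCALL" && rec["success"] == "no")
                denied[serial] = rec["uid"] " " rec["exe"]
            if ($1 == "type=PATH") path[serial] = rec["name"]
        }
        END { for (s in denied) print denied[s], path[s] }'
}

# Files removed under a watched path: PATH records flagged nametype=DELETE.
audit_deleted_paths() {
    printf '%s\n' "$AUDIT_SAMPLE" | awk '$1 == "type=PATH" && /nametype=DELETE/ {
        for (i = 1; i <= NF; i++) if (sub(/^name="/, "", $i)) { sub(/"$/, "", $i); print $i } }'
}

audit_count_by_key
audit_denied_paths
audit_deleted_paths
```

On a real host the same functions apply to /var/log/audit/audit.log (or `ausearch -k container_watch`), where a denied access to a watched host path is exactly the signal the watches exist to surface.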

Conclusion

By setting security options for the container runtime, using container isolation mechanisms and auditing container activity, we can effectively improve the security of containers on Linux. Container security is, however, a broad topic that requires weighing many factors together, and beyond the methods described above many other security measures are available. We hope this article has given you some useful information to help you better secure your containers.
