How to configure container security on Linux
With the rapid growth of container technology, more and more enterprises and developers are starting to deploy their applications in containers. While enjoying the convenience that containers bring, however, we also need to pay attention to container security. This article describes how to configure container security on Linux, including setting security options for the container runtime, using container isolation technologies, and auditing container activity.
Configuring security options for the container runtime
The container runtime is the component responsible for managing the container lifecycle, such as Docker Engine in Docker. To improve container security, we can restrict a container's privileges by setting security options on the container runtime.
For example, we can give the container a read-only root filesystem, preventing the container from modifying sensitive files on the host:
docker run --read-only ...
In addition, we can use the --cap-add and --cap-drop options to restrict the privileges inside the container, granting it only the minimum capabilities it needs:
docker run --cap-add=NET_ADMIN ...
docker run --cap-drop=all ...
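As an added example (not code from the original article), here is a small POSIX shell helper that assembles a docker run command line the way the two options above are meant to be combined: drop every capability first, then add back only capabilities on an explicit allow-list. The image name, the allow-list contents and the extra flags (--tmpfs, --pids-limit, --security-opt no-new-privileges) are choices made for this example. Note that --read-only only makes the container's own root filesystem immutable; host directories mounted into the container with -v still need the :ro suffix to be protected.

```shell
#!/bin/sh
# Added example (not from the original article): assemble a hardened
# "docker run" command line that starts from --cap-drop=ALL and adds back
# only capabilities from an explicit allow-list. Nothing here is executed;
# the function prints the command so it can be reviewed before use.

# Capabilities we are willing to add back. SYS_ADMIN, SYS_PTRACE, SYS_MODULE
# and similar are deliberately absent: they are close to host-equivalent.
ALLOWED_CAPS="NET_BIND_SERVICE CHOWN SETUID SETGID DAC_OVERRIDE NET_RAW"

# cap_allowed NAME -> exit 0 if NAME is in ALLOWED_CAPS, 1 otherwise
cap_allowed() {
    for c in $ALLOWED_CAPS; do
        [ "$c" = "$1" ] && return 0
    done
    return 1
}

# build_run_cmd IMAGE [CAP ...]
# Prints a docker run command with:
#   --read-only                      : container root filesystem is immutable
#   --tmpfs /tmp                     : a writable scratch area, since many programs need one
#   --cap-drop=ALL                   : start from zero capabilities
#   --cap-add=CAP                    : only for caps passed in and present in ALLOWED_CAPS
#   --security-opt no-new-privileges : setuid binaries cannot regain privileges
#   --pids-limit 256                 : bounds fork bombs via the pids cgroup
# Returns 1 and prints an error if any requested capability is not allowed.
build_run_cmd() {
    image="$1"; shift
    cmd="docker run --rm --read-only --tmpfs /tmp:rw,noexec,nosuid --cap-drop=ALL --security-opt no-new-privileges --pids-limit 256"
    for cap in "$@"; do
        if cap_allowed "$cap"; then
            cmd="$cmd --cap-add=$cap"
        else
            echo "refusing to add capability $cap (not in allow-list)" >&2
            return 1
        fi
    done
    echo "$cmd $image"
}

# Demo: a web server that only needs to bind a privileged port.
build_run_cmd nginx:alpine NET_BIND_SERVICE
```

The function prints the command instead of running it, so the result can be reviewed (or copied into a compose file) before anything starts; requesting a capability outside the allow-list fails loudly rather than silently widening the container's privileges.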
Using container isolation technologies
Container isolation technologies are the main means of ensuring that containers are isolated from one another. The Linux kernel provides several isolation mechanisms, including namespaces, cgroups and seccomp.
Namespaces isolate the resources of a process and its child processes so that they run in their own namespace without sharing resources with other containers. For example, we can use the unshare command to start a container in a new set of namespaces:
unshare --mount --pid --net --uts --ipc --user --fork --mount-proc docker run ...
cgroups (Control Groups) let us limit and prioritise the resources a container uses, such as CPU, memory and disk I/O. For example, we can use the cgcreate command to create a cgroup and cap the container's CPU usage at 50%:
cgcreate -g cpu:/mygroup
echo 50000 > /sys/fs/cgroup/cpu/mygroup/cpu.cfs_quota_us
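The cgroup v1 files above have been replaced on current distributions by the unified cgroup v2 hierarchy, where the same limit is written as a single "quota period" line into cpu.max. The following shell function, an added example rather than code from the article, computes the quota for a percentage of one core and writes it in whichever format the cgroup directory exposes; the scratch directory used in the demo stands in for /sys/fs/cgroup/mygroup and needs no root privileges.

```shell
#!/bin/sh
# Added example (not from the original article): limit a cgroup's CPU share to
# a percentage of one core, handling both the cgroup v1 interface the article
# uses (cpu.cfs_quota_us / cpu.cfs_period_us) and the cgroup v2 interface
# (cpu.max) found on current distributions. The cgroup directory is a
# parameter so the function can be exercised against a scratch directory.

PERIOD_US=100000   # 100 ms scheduling period, the kernel default for CFS bandwidth

# cpu_quota_us PERCENT -> microseconds of CPU time per period for PERCENT of one core
cpu_quota_us() {
    echo $(( $1 * PERIOD_US / 100 ))
}

# set_cpu_limit CGROUP_DIR PERCENT
# Writes the limit in whichever format the cgroup directory exposes.
# Returns 1 on an invalid percentage, 2 if neither interface file exists.
set_cpu_limit() {
    dir="$1"; pct="$2"
    case "$pct" in
        ''|*[!0-9]*) echo "percentage must be a positive integer" >&2; return 1 ;;
    esac
    [ "$pct" -gt 0 ] || { echo "percentage must be > 0" >&2; return 1; }
    quota=$(cpu_quota_us "$pct")
    if [ -e "$dir/cpu.max" ]; then
        # cgroup v2: one file holding "<quota> <period>"
        echo "$quota $PERIOD_US" > "$dir/cpu.max"
    elif [ -e "$dir/cpu.cfs_quota_us" ]; then
        # cgroup v1: quota and period live in separate files
        echo "$PERIOD_US" > "$dir/cpu.cfs_period_us"
        echo "$quota" > "$dir/cpu.cfs_quota_us"
    else
        echo "no cpu controller interface in $dir" >&2
        return 2
    fi
}

# read_cpu_limit CGROUP_DIR -> prints "<quota> <period>" regardless of version
read_cpu_limit() {
    if [ -e "$1/cpu.max" ]; then
        cat "$1/cpu.max"
    else
        echo "$(cat "$1/cpu.cfs_quota_us") $(cat "$1/cpu.cfs_period_us")"
    fi
}

# Demo against a scratch directory that mimics a cgroup v2 directory
# (on a real system the directory would be /sys/fs/cgroup/mygroup).
demo=$(mktemp -d)
: > "$demo/cpu.max"
set_cpu_limit "$demo" 50
read_cpu_limit "$demo"    # 50000 100000
rm -rf "$demo"
```

With Docker the same limit is set on the container's own cgroup by docker run --cpus=0.5, which writes a quota of 50000 against the 100000 period; the function above is the equivalent for a cgroup you manage by hand.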
seccomp (Secure Computing Mode) is a security mechanism for filtering system calls; in a container it can be used to restrict the container's access to sensitive system calls. For example, we can use the seccomp option to enable seccomp and set system call rules:
docker run --security-opt seccomp=/path/to/seccomp.json ...
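As an added example (not from the article), the following shell function writes a seccomp profile in the JSON format Docker accepts for --security-opt seccomp=FILE: a default action plus a rule listing syscall names, the action to take and the errno to return. The syscalls chosen (mount, umount2, unshare, ptrace, kexec_load) and the output path are assumptions made for the demo.

```shell
#!/bin/sh
# Added example (not from the original article): generate a seccomp profile in
# the JSON format Docker accepts via --security-opt seccomp=FILE. The profile
# allows everything except the syscalls passed in, which return EPERM, so a
# compromised process cannot, for example, mount filesystems or create new
# namespaces from inside the container.

# write_seccomp_profile OUT_FILE SYSCALL...
# Emits a profile with defaultAction SCMP_ACT_ALLOW and a single rule that
# returns errno 1 (EPERM) for each named syscall. Returns 1 if no syscalls given.
write_seccomp_profile() {
    out="$1"; shift
    [ $# -gt 0 ] || { echo "at least one syscall is required" >&2; return 1; }
    names=""
    for s in "$@"; do
        names="${names:+$names, }\"$s\""
    done
    cat > "$out" <<EOF
{
  "defaultAction": "SCMP_ACT_ALLOW",
  "architectures": ["SCMP_ARCH_X86_64", "SCMP_ARCH_X86", "SCMP_ARCH_X32"],
  "syscalls": [
    {
      "names": [$names],
      "action": "SCMP_ACT_ERRNO",
      "errnoRet": 1
    }
  ]
}
EOF
}

# profile_blocks FILE SYSCALL -> exit 0 if FILE names SYSCALL in its deny rule
profile_blocks() {
    grep -q "\"$2\"" "$1"
}

# Demo: block a handful of syscalls that a typical service never needs.
# The output path is an assumption for this example.
profile="${TMPDIR:-/tmp}/deny-admin.json"
write_seccomp_profile "$profile" mount umount2 unshare ptrace kexec_load
cat "$profile"
# Usage on a real host (not executed here):
#   docker run --security-opt seccomp="$profile" --cap-drop=ALL image ...
```

A custom profile replaces Docker's default profile entirely, and the default denies every syscall it does not list rather than allowing it, so a profile like the one above is weaker than running with no option at all. For production, start from a copy of Docker's default profile and remove entries from its allow list; the generator only illustrates how a deny rule with an errno is expressed.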
Auditing container activity
Auditing container activity is one of the main means of achieving container security. Through auditing we can record and monitor container behaviour and detect potential security problems in time.
The Linux kernel provides the audit subsystem, which can be used to audit and trace activity on the system. We can use the auditctl command to set audit rules and enable auditing:
auditctl -w /path/to/container -p rwxa
auditctl -w /path/to/host -p rwxa
auditctl -w /path/to/filesystem -p rwxa
auditctl -w /path/to/network -p rwxa
The commands above monitor filesystem and network activity at the specified paths on the container and its host, and record the corresponding audit log entries.
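auditctl -w watches a filesystem path, so the network entry above only has an effect if it names a file; activity such as mounting or creating namespaces from inside a container is captured with syscall rules (-a always,exit -S ...) instead. The following shell script, an added example and not part of the article, prints a rule set in which every rule carries a -k key, and then counts events per key in an audit log; the paths, key names and sample log lines are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original article): audit rules for a container
# host that carry a -k key so events can be found with "ausearch -k", plus a
# small summariser that counts audit events per key in an audit.log. The log
# lines below are constructed samples in the auditd format; the paths and
# key names are assumptions for this example.

# print_audit_rules -> the rules, in the syntax of /etc/audit/rules.d/*.rules
print_audit_rules() {
    cat <<'EOF'
## Container runtime binaries and state (paths are examples)
-w /usr/bin/docker -p x -k docker-cli
-w /var/lib/docker -p rwxa -k docker-state
-w /etc/docker -p wa -k docker-config
## Privilege-sensitive syscalls, whether issued from a container or the host
-a always,exit -F arch=b64 -S mount,umount2 -k container-mount
-a always,exit -F arch=b64 -S unshare,setns -k container-ns
EOF
}

# count_by_key LOGFILE -> "key count" lines, sorted by key, for events that carry a key
count_by_key() {
    awk '
        match($0, /key="[^"]*"/) {
            k = substr($0, RSTART + 5, RLENGTH - 6)   # strip key=" and the closing quote
            n[k]++
        }
        END { for (k in n) print k, n[k] }
    ' "$1" | sort
}

# Constructed sample log (the real file is /var/log/audit/audit.log).
# syscall=165 is mount and 272 is unshare on x86_64.
SAMPLE_LOG="${TMPDIR:-/tmp}/audit-sample.log"
cat > "$SAMPLE_LOG" <<'EOF'
type=SYSCALL msg=audit(1700000000.101:201): arch=c000003e syscall=165 success=no exit=-1 pid=4242 uid=0 comm="sh" exe="/bin/busybox" key="container-mount"
type=SYSCALL msg=audit(1700000000.102:202): arch=c000003e syscall=272 success=no exit=-1 pid=4242 uid=0 comm="sh" exe="/bin/busybox" key="container-ns"
type=SYSCALL msg=audit(1700000000.103:203): arch=c000003e syscall=165 success=no exit=-1 pid=4243 uid=0 comm="sh" exe="/bin/busybox" key="container-mount"
type=CONFIG_CHANGE msg=audit(1700000000.104:204): auid=1000 ses=3 op=add_rule key="docker-config" list=4 res=1
type=PATH msg=audit(1700000000.105:205): item=0 name="/etc/docker/daemon.json" inode=1234 dev=fd:01 mode=0100644
EOF

count_by_key "$SAMPLE_LOG"
# container-mount 2
# container-ns 1
# docker-config 1
```

On a real host the same question is answered by ausearch -k container-mount (events for one key) or aureport -k (counts per key); the awk summariser is useful when the log has been shipped elsewhere and the audit tools are not available.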
Conclusion
By configuring security options for the container runtime, using container isolation technologies and auditing container activity, we can effectively improve the security of containers on Linux. Container security is, however, a broad topic that requires weighing many factors together. Beyond the methods introduced above, there are many other security measures to choose from. We hope this article provides some useful information to help you better secure your containers.