I know the Docker daemon runs as root, and I've been told this leads to some security concerns, for example that if a container is compromised, an attacker can make changes to the host's system files.
What precautions can I take to mitigate the damage in the event of an attack?
Is there anything I should watch out for in how I run the Docker daemon? I've considered bringing up a Vagrant VM and running Docker inside that VM.
Only trusted users should be allowed to control your Docker daemon.
This is a direct consequence of some powerful Docker features. Specifically, Docker allows you to share a directory between the Docker host and a guest container, and it allows you to do so without limiting the access rights of the container.
If you expose the REST API, it should be exposed over HTTPS.
Finally, if you run Docker on a server, it is recommended to run exclusively Docker on the server, and to move all other services into containers controlled by Docker.
Regarding VMs, see "Are Docker containers really secure?":
The biggest problem is that not everything in Linux is namespaced. Currently, Docker uses five namespaces to alter a process's view of the system: Process, Network, Mount, Hostname, Shared Memory.
While these give the user some level of security, it is by no means comprehensive, like KVM.
In a KVM environment, processes in a virtual machine do not talk to the host kernel directly. They do not have any access to kernel file systems like /sys and /sys/fs, /proc/*.
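The two concrete exposures the answer names are a daemon API reachable without TLS and host directories shared into a container with no limit on its rights (the daemon socket being the worst case, since whoever can talk to the daemon is root on the host). The following audit script is an added example, not code from the original post or from Docker: it checks a daemon.json document and `docker run` command lines for those settings. The daemon.json keys (`hosts`, `tlsverify`, `tlscacert`, `tlscert`, `tlskey`) and the `docker run` flags it recognises (`--privileged`, `-v`/`--volume`, `--read-only`, `--cap-drop`, `--user`) are Docker's real ones; the sample configuration and command lines are constructed for the example.

```python
"""Audit a Docker daemon.json and `docker run` command lines for the
exposures discussed in the answer above: a REST API on plain TCP, host
directories shared read-write into a container, and the daemon socket
handed to a container.

Added example, not code from the original post or from Docker. The
daemon.json keys used are Docker's real keys; all sample inputs below
are constructed."""
import json
import shlex

# Host paths where a read-write share hands over control of the host.
SENSITIVE_HOST_PATHS = ("/", "/etc", "/boot", "/usr", "/proc", "/sys", "/dev")
DOCKER_SOCKETS = ("/var/run/docker.sock", "/run/docker.sock")


def audit_daemon_config(text):
    """Return findings (list of strings) for a daemon.json document."""
    cfg = json.loads(text)
    findings = []
    tcp_hosts = [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]
    if tcp_hosts and not cfg.get("tlsverify"):
        findings.append(
            f"API listens on {', '.join(tcp_hosts)} without tlsverify: anyone who "
            "can reach the port controls the daemon, i.e. is root on the host")
    return findings


def check_bind_mount(spec):
    """Findings for one -v/--volume argument of the form SRC:DST[:OPTS]."""
    parts = spec.split(":")
    if len(parts) < 2 or not parts[0].startswith("/"):
        return []  # named or anonymous volume, not a host path
    src = parts[0].rstrip("/") or "/"
    opts = parts[2].split(",") if len(parts) > 2 else []
    if src in DOCKER_SOCKETS:
        # :ro does not help here: connecting to a Unix socket does not need
        # write access to the mount, so the container can still drive the daemon.
        return [f"{spec}: daemon socket shared, the container can start any "
                "container (including a privileged one) on the host"]
    sensitive = src == "/" or any(
        src == p or src.startswith(p + "/")
        for p in SENSITIVE_HOST_PATHS if p != "/")
    if "ro" in opts:
        return ([f"{spec}: host system files readable from the container"]
                if sensitive else [])
    if sensitive:
        return [f"{spec}: host system files writable from the container; "
                "root in the container is root on the host"]
    return [f"{spec}: host directory shared read-write, add :ro unless the "
            "container must write there"]


def audit_run_command(cmdline):
    """Findings for a `docker run ...` command line."""
    argv = shlex.split(cmdline)
    findings = []
    i = 0
    while i < len(argv):
        arg = argv[i]
        if arg == "--privileged":
            findings.append("--privileged: all capabilities and every host device")
        elif arg in ("-v", "--volume") and i + 1 < len(argv):
            i += 1
            findings.extend(check_bind_mount(argv[i]))
        elif arg.startswith("--volume="):
            findings.extend(check_bind_mount(arg.split("=", 1)[1]))
        i += 1
    return findings


# Constructed samples: the insecure setups the answer warns about and
# hardened counterparts.
INSECURE_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
TLS_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})
# Anyone allowed to talk to the daemon becomes root on the host with this:
ESCAPE_RUN = "docker run -it -v /:/host alpine chroot /host"
SOCKET_RUN = "docker run -v /var/run/docker.sock:/var/run/docker.sock:ro alpine"
HARDENED_RUN = ("docker run --read-only --cap-drop ALL --user 1000:1000 "
                "-v /srv/app/config:/config:ro alpine cat /config/app.conf")

if __name__ == "__main__":
    for label, findings in [
        ("insecure daemon.json", audit_daemon_config(INSECURE_DAEMON_JSON)),
        ("tls daemon.json", audit_daemon_config(TLS_DAEMON_JSON)),
        ("escape run", audit_run_command(ESCAPE_RUN)),
        ("socket run", audit_run_command(SOCKET_RUN)),
        ("hardened run", audit_run_command(HARDENED_RUN)),
    ]:
        print(f"{label}: {findings or 'no findings'}")
```

The check is deliberately syntactic: it does not prove a container is safe, it only flags the settings that make the "trusted users only" rule the whole of your security. Note the socket case in particular, where `:ro` gives no protection.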