Docker Concise Tutorial

Docker - Security

Docker security is crucial to ensuring that a containerized application remains fully functional and reliable. One of the primary concerns in Docker security is effective container isolation, so that malicious activity cannot propagate. Docker uses Linux kernel namespaces and control groups (cgroups) to isolate processes and resources.

With namespaces, each container gets its own exclusive environment and has no direct access to the resources held by other containers. Cgroups, on the other hand, limit the resources a container can consume, such as CPU, memory, and disk I/O, to keep distribution fair and prevent the system from being exhausted. Using just these Linux kernel features, Docker maintains an excellent baseline security model that helps mitigate common threats.

Image management and proper handling of the Docker daemon are another critical area of Docker security. This includes ensuring that images come from trusted repositories and are regularly scanned for vulnerabilities, so that compromised containers are not deployed. Typical tools for verifying the integrity and security of images are Docker Content Trust and image scanning services.

There are four major areas to consider when reviewing Docker security −

  1. The intrinsic security of the kernel and support for namespaces and cgroups

  2. The attack surface that is exposed by the Docker daemon alone

  3. Loopholes in container configuration profiles either by default or when the user customizes them.

  4. The "hardening" security features of the kernel and how the security features interact with containers.

Let's discuss more aspects of Docker container security in this chapter.

Kernel Namespaces

Namespaces are what Docker uses to run containers in isolation. Namespaces partition kernel resources so that one set of processes sees one set of resources and another set of processes sees a different set.

Docker uses the following kinds of namespaces −

  1. PID Namespace − It isolates the process IDs, which means a process ID inside a container will be different from that on the host.

  2. Mount Namespace − This isolates mount points in the file system to ensure the isolation of file systems seen inside the container from those on the host.

  3. Network Namespace − Isolates the networking by interfaces, IP addresses, and routing tables.

  4. UTS Namespace − Isolates kernel and version identifiers.

  5. IPC Namespace − Isolates IPC resources such as message queues, semaphores, and shared memory, among others.

  6. User Namespace − Isolates user and group IDs, allowing the container to run as non-root inside the container but map to root on the host.

By using these namespaces, Docker isolates containers from each other and from the host.

Control Groups

Control groups (cgroups) are another essential Docker security feature, providing resource isolation and management. Cgroups control the amount of system resources a container can consume, preventing a single container from exhausting system resources and starving the host and other containers.

Some examples of the key resource controls offered by cgroups are −

  1. CPU − Shares the CPU with the container and sets the container’s CPU usage limit.

  2. Memory − Constrains the memory usage by a container, and also the swap memory - to prevent a container from utilizing more memory than what is allocated.

  3. Disk I/O − Limits how quickly a container can read from and write to a disk.

  4. Network − Manages bandwidth allocation for the network.

Docker distributes resources fairly among containers, avoiding resource contention and thus enhancing overall system stability and security.

Docker Daemon Attack Surface

The Docker daemon runs with root-level privileges, which is a serious security concern: an attacker who compromises it can gain control over the whole host system. To reduce the attack surface, the following best practices must be followed −

  1. Limit Access − Allow only specific users to access the Docker daemon and control who can run Docker commands. Restrict access to secured channels: Unix socket permissions, or TCP with TLS.

  2. Use Rootless Mode − Use Docker's rootless mode wherever possible; in this mode, the daemon and containers run without root privileges. It is regarded as one way to reduce the possibility of privilege escalation.

  3. Network Security − Ensure that the Docker daemon API is not exposed on the public Internet. If remote access to the Docker daemon API is required, secure it with firewall rules and a VPN.

  4. Regular Updates − Keep Docker and the base OS updated to safeguard against any identified vulnerability.
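The access and network practices above can be checked mechanically against the daemon's configuration file. The following is an added example, not code from the original tutorial: it audits the text of a `daemon.json` for a TCP listener without TLS verification, a listener bound to every interface, and missing user namespace remapping. The two sample documents, their addresses and their certificate paths are constructed placeholders.

```python
import json

# Constructed daemon.json samples (addresses and paths are placeholders).
WEAK = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
HARDENED = """{
  "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem",
  "userns-remap": "default"
}"""

TLS_FILES = ("tlscacert", "tlscert", "tlskey")

def audit_daemon_config(text):
    """Return a list of findings for the text of a daemon.json file."""
    cfg = json.loads(text)
    findings = []
    tcp_hosts = [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]
    for host in tcp_hosts:
        # Strip the scheme and the port to get the bind address.
        addr = host[len("tcp://"):].rsplit(":", 1)[0]
        if addr in ("", "0.0.0.0", "[::]"):
            findings.append(f"{host}: API listens on every interface")
    if tcp_hosts and not cfg.get("tlsverify"):
        findings.append("TCP API without tlsverify: clients are not authenticated")
    if cfg.get("tlsverify") and not all(cfg.get(k) for k in TLS_FILES):
        findings.append("tlsverify set but CA/cert/key paths are incomplete")
    if not cfg.get("userns-remap"):
        findings.append("userns-remap not set: container UIDs are not remapped")
    return findings

if __name__ == "__main__":
    for name, text in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_daemon_config(text))
```

Listeners can also be set with `-H` flags on the `dockerd` command line, so a clean `daemon.json` should be read together with the service unit that starts the daemon.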

Capabilities of the Linux Kernel

Linux kernel capabilities provide fine-grained control over the privileges given to processes. Docker uses capabilities to reduce the privileges a container can be granted; a container is typically given only the capabilities necessary for its operation. The following capabilities are in use −

  1. CAP_NET_BIND_SERVICE − Allow binding to ports below 1024.

  2. CAP_SYS_ADMIN − This capability allows many different system administration operations.

  3. CAP_SYS_PTRACE − This capability allows a process to trace other processes.

Docker drops many capabilities by default to reduce the potential for privilege escalation. Users can use the --cap-add and --cap-drop options to add back or drop specific capabilities, respectively, when launching a container, which allows the security profile to be fine-tuned to the particular needs of their applications.

Docker Content Trust Signature Verification

Docker Content Trust (DCT) provides image signing and verification. This guarantees that images have not been tampered with and come from the publisher they appear to come from. When DCT is enabled, Docker checks the digital signatures of images before pulling or running them, ensuring that only trusted images are used.

Here are some of the key features that make DCT such an essential part of a secure supply chain −

  1. Image Signing − The developers can sign images using their private keys.

  2. Signature Validation − Docker verifies these signatures against the associated public keys to ensure that the image is unchanged and tamper-free.

  3. Immutable Tags − Protect against accidental overwrites of signed images.

Enabling DCT strengthens the security of the overall system: only verified and trusted images are deployed, which protects against tampered or malicious images.
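A signature only helps if the signer is someone you trust. The following is an added example, not code from the original tutorial: a deployment gate that reads JSON in the shape printed by `docker trust inspect`, and accepts a tag only when it is signed by a signer on an allow-list and, optionally, matches the digest about to be deployed. The repository name, signer names, key IDs and digests are constructed placeholders.

```python
import json

# Constructed data in the shape printed by `docker trust inspect <repo>`;
# repository, signer names, key IDs and digests are placeholders.
TRUST_JSON = json.dumps([{
    "Name": "registry.example.com/team/app",
    "SignedTags": [
        {"SignedTag": "1.4.2", "Digest": "a" * 64, "Signers": ["alice", "ci-bot"]},
        {"SignedTag": "latest", "Digest": "b" * 64, "Signers": ["contractor"]},
    ],
    "Signers": [{"Name": "alice", "Keys": [{"ID": "1" * 64}]}],
    "AdministrativeKeys": [{"Name": "Root", "Keys": [{"ID": "2" * 64}]}],
}])

def check_tag(trust_json, tag, allowed_signers, digest=None):
    """Return (ok, reason) for deploying `tag` under a signer allow-list."""
    repos = json.loads(trust_json)
    signed = [t for r in repos for t in r.get("SignedTags", [])
              if t.get("SignedTag") == tag]
    if not signed:
        return False, f"tag {tag!r} has no trust data"
    entry = signed[0]
    signers = set(entry.get("Signers", []))
    if not signers & set(allowed_signers):
        return False, f"signed only by {sorted(signers)}, none on the allow-list"
    # Accept the digest with or without its "sha256:" prefix.
    if digest is not None and digest.split(":")[-1] != entry.get("Digest"):
        return False, "digest differs from the signed digest"
    return True, "signed by an allowed signer"

if __name__ == "__main__":
    for tag in ("1.4.2", "latest", "2.0.0"):
        print(tag, check_tag(TRUST_JSON, tag, {"alice", "ci-bot"}))
```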

Other Kernel Security Features

Apart from namespaces, cgroups, and capabilities, other Linux kernel security features that enhance security in Docker are as follows −

Seccomp (Secure Computing Mode)

Seccomp is a Linux kernel feature that filters the system calls a container can make, reducing its ability to perform potentially unsafe operations. Docker uses seccomp profiles to define allowed and denied system calls.

AppArmor

AppArmor is a Linux security module that confines program behavior. Docker uses AppArmor profiles to apply mandatory access control rules to containers, restricting their capabilities.

SELinux

SELinux is yet another security module, which can be used to implement security policies governing how applications are allowed to access resources. Docker can be configured to use SELinux for an additional layer of security.

User Namespace Remapping

User namespace remapping maps user IDs and group IDs inside a container to different IDs on the host, improving security by isolating container processes from the host's.
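The namespace, cgroup, capability, seccomp and AppArmor controls described in the sections above all show up in a container's configuration, so they can be audited together. The following is an added example, not code from the original tutorial: it walks `docker inspect` output and reports containers that weaken those controls. The two container records are constructed and contain only the fields the checks read.

```python
import json

# Constructed `docker inspect` excerpts (only the fields the checks read).
SAMPLE = json.loads("""[
 {"Name": "/web", "Config": {"User": "1000:1000"},
  "HostConfig": {"Privileged": false, "CapAdd": ["NET_BIND_SERVICE"],
    "CapDrop": ["ALL"], "Memory": 268435456, "NanoCpus": 500000000,
    "PidMode": "", "NetworkMode": "bridge", "SecurityOpt": null, "Binds": null}},
 {"Name": "/debug", "Config": {"User": ""},
  "HostConfig": {"Privileged": false, "CapAdd": ["SYS_ADMIN", "CAP_SYS_PTRACE"],
    "CapDrop": null, "Memory": 0, "NanoCpus": 0,
    "PidMode": "host", "NetworkMode": "host",
    "SecurityOpt": ["seccomp=unconfined"],
    "Binds": ["/var/run/docker.sock:/var/run/docker.sock"]}}
]""")

RISKY_CAPS = {"SYS_ADMIN", "SYS_PTRACE", "ALL"}

def audit_container(c):
    """Return findings for one `docker inspect` container object."""
    hc, out = c.get("HostConfig", {}), []
    if hc.get("Privileged"):
        out.append("privileged mode")
    caps = {x.upper().replace("CAP_", "", 1) for x in hc.get("CapAdd") or []}
    for cap in sorted(caps & RISKY_CAPS):
        out.append(f"capability added: {cap}")
    if not hc.get("Memory"):
        out.append("no memory limit (cgroup)")
    if not (hc.get("NanoCpus") or hc.get("CpuQuota")):
        out.append("no CPU limit (cgroup)")
    for key in ("PidMode", "NetworkMode", "IpcMode", "UTSMode"):
        if hc.get(key) == "host":
            out.append(f"shares host namespace: {key}")
    for opt in hc.get("SecurityOpt") or []:
        # Older releases print "seccomp:unconfined"; normalise the separator.
        if opt.replace(":", "=", 1) in ("seccomp=unconfined", "apparmor=unconfined"):
            out.append(f"confinement disabled: {opt}")
    if any("docker.sock" in b for b in hc.get("Binds") or []):
        out.append("daemon socket mounted into the container")
    if c.get("Config", {}).get("User", "").split(":")[0] in ("", "0", "root"):
        out.append("process runs as root inside the container")
    return out

if __name__ == "__main__":
    for c in SAMPLE:
        print(c["Name"], audit_container(c))
```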

Docker Security Best Practices

While Docker makes it much easier to create, distribute, and deploy applications, containerized environments raise some security concerns. One of the fundamental aspects of Docker security is the selection and management of Docker images. Implementing best practices for image selection, the build process, and vulnerability scanning can greatly improve the security of Docker deployments.

Choosing the Right Base Image from a Trusted Source and Keeping It Small

First, once you have established the need to use a Docker image, you need to choose a base image. A base image should always come from an official source, such as Docker Hub, or from another reputable repository. Official images are updated periodically and are less vulnerable. In addition, keeping the base image small reduces its attack surface and minimizes the inclusion of unnecessary packages and dependencies, which can make it less vulnerable.

Use Multi-Stage Builds

Multi-stage builds are a Docker feature that allows multiple FROM instructions within a single Dockerfile. This feature is most useful when building smaller, more secure images. For example, you might use a large base image to build and compile your application artifacts and then copy these artifacts into a small final image. This reduces the size of the final image and removes the need to include the build tools and dependencies in it, which tends to minimize security vulnerabilities.

Rebuilding Images

Rebuild your Docker images regularly so that they always benefit from the most recent security patches and updates. If flaws are discovered in the base images or their dependencies after your images have been built, you must rebuild those images to incorporate the fixes. Automated builds and deployments ensure that images are rebuilt and re-uploaded when a security update is available.

Verifying Your Image for Vulnerabilities

Before deploying Docker images into production, it is imperative to scan them for vulnerabilities. Several tools can help you scan Docker images for known vulnerabilities, including Clair, Docker Security Scanning, and other third-party vulnerability scanning services. These tools identify the security issues in your images and recommend how to mitigate them, for example by updating dependencies or using a different base image.

Conclusion

Securing Docker images is crucial to a secure containerized environment. Proper practices around selecting trusted base images, keeping them small, multi-stage builds, frequent image rebuilds, and vulnerability scanning help reduce the risk of security breaches and ensure the integrity of Docker deployments. These practices not only enhance the security posture but are also critical to the reliability and performance of the Docker environment. In addition, in-depth knowledge of how kernel namespaces, cgroups, DCT, and so on work helps you gain finer control.

FAQ

Q 1. What are the main security concerns when using Docker?

Docker, like any other technology, has its security concerns. These include vulnerabilities in the container image, the Docker engine, or the container; misconfigurations in the container that expose sensitive data or ports; running containers with excessive privileges; and attacks against the host system through container vulnerabilities.

Q 2. How can I ensure the security of my Docker images?

Use trusted sources for your base images. Build your images from a trusted source and update them regularly so that any vulnerabilities are patched. Do not include sensitive data such as passwords and API keys in an image. Use scanning tools to check your images for potential CVEs, and sign your images to ensure their integrity.

Q 3. What are some best practices for securely running Docker containers?

Run containers according to the principle of least privilege: permit only the actions that are required. Avoid running containers as root whenever possible. Configure network access carefully at the level of open ports, and use firewalls to restrict traffic. Monitor container activity and watch the logs for any suspicious behavior.

Q 4. Should I worry about Docker containers impacting the security of my host system?

While containers create isolation, they are not immune to potential threats. For example, in some cases, malicious code running in a container could exploit a vulnerability in the Docker engine or the host kernel to break out of the container and into the host system. Keep your Docker installation and your host operating system up to date with the latest security patches to keep this risk minimal.

Yes, there are quite a few tools and practices that can improve Docker security. Use image scanning tools, such as Clair or Trivy, to detect vulnerabilities. You may want to apply additional tools like AppArmor or SELinux to enforce a tighter security policy on containers. Regularly review and audit Docker configurations for potential misconfigurations. Stay up to date with Docker security updates and advisories to resolve emerging threats promptly.