Docker安全

目录

一. cgroup

2. cpu优先级

3. 内存资源限制

4. 磁盘io限制

二. lxcfs隔离

三. 容器特权

---

一. cgroup

1. cpu资源限制

docker run -it --rm --cpu-period 100000 --cpu-quota 20000 ubuntu
root@433a1612a171:/# dd if=/dev/zero of=/dev/null &

2. cpu优先级

docker run -it --rm  ubuntu
root@0280fc49f2d0:/# dd if=/dev/zero of=/dev/null &
docker run -it --rm --cpu-shares 100 ubuntu
root@b75b4d5066b8:/# dd if=/dev/zero of=/dev/null &
/sys/devices/system/cpu/cpu1
echo 0 > online

测试时只保留一个cpu核心可用，只有争抢cpu资源时优先级才会生效

3. 内存资源限制

docker run -d --name demo --memory 200M --memory-swap=200M nginx
/sys/fs/cgroup/memory
mkdir x1
cd x1/
echo 209715200 > memory.limit_in_bytes
yum install -y libcgroup-tools.x86_64
cd /dev/shm/
cgexec -g memory:x1 dd if=/dev/zero of=bigfile bs=1M count=300
free -m

cd /sys/fs/cgroup/memory/x1/
echo 209715200 > memory.memsw.limit_in_bytes
cd /dev/shm
cgexec -g memory:x1 dd if=/dev/zero of=bigfile bs=1M count=300

控制用户内存

vim /etc/cgrules.conf
yyl     memory  x1/
systemctl  start cgred.service
su - yyl
cd /dev/shm/
dd if=/dev/zero of=bigfile bs=1M count=200

4. 磁盘io限制

docker run -it --rm --device-write-bps /dev/sda:30MB ubuntu
root@3226b0fc6231:/# dd if=/dev/zero of=bigfile bs=1M count=100 oflag=direct

二. lxcfs隔离

yum install lxcfs-2.0.5-3.el7.centos.x86_64.rpm
lxcfs /var/lib/lxcfs &
docker run  -it -m 256m \
>       -v /var/lib/lxcfs/proc/cpuinfo:/proc/cpuinfo:rw \
>       -v /var/lib/lxcfs/proc/diskstats:/proc/diskstats:rw \
>       -v /var/lib/lxcfs/proc/meminfo:/proc/meminfo:rw \
>       -v /var/lib/lxcfs/proc/stat:/proc/stat:rw \
>       -v /var/lib/lxcfs/proc/swaps:/proc/swaps:rw \
>       -v /var/lib/lxcfs/proc/uptime:/proc/uptime:rw \
>       ubuntu
free -m

三. 容器特权

默认容器内的用户是受限的

docker run -it --rm busybox

开启容器特权

docker run -it --rm --privileged busybox

设置容器白名单

docker run -it --rm --cap-add=NET_ADMIN busybox