docker安全

"""
为什么资源的隔离和限制在云时代更加重要?在默认情况下,一个操作系统里所有运行的进程共享CPU和内存资源,如果程序设计不当,最极端的情况,某进程出现死循环可能会耗尽CPU资源,或者由于内存泄漏消耗掉大部分系统资源,这在企业级产品场景下是不可接受的,所以进程的资源隔离技术是非常必要的

Linux操作系统本身从操作系统层面就支持虚拟化技术,叫做Linux container,也就是大家到处能看到的LXC的全称

LXC的三大特色:cgroup,namespace和unionFS


Cgroup
Cgroup是control group,又称为控制组,它主要是做资源控制。原理是将一组进程放在放在一个控制组里,通过给这个控制组分配指定的可用资源,达到控制这一组进程可用资源的目的。

Namespace
Namespace又称为命名空间,它主要做访问隔离。其原理是针对一类资源进行抽象,并将其封装在一起提供给一个容器使用,对于这类资源,因为每个容器都有自己的抽象,而他们彼此之间是不可见的,所以就可以做到访问隔离


"""

理解docker安全
docker容器的安全性,很大程度上依赖于linux系统自身,评估Docker的安全性时,主要考虑以下几个方面
	Linux内核的命令空间(namespace)机制提供的容器隔离安全
	Linux控制组机制对容器资源的控制能力安全
	Linux内核的能力机制所带来的操作权限安全
	Docker程序(特别是服务端)本身的抗攻击性
	其他安全增强机制对容器安全性的影响

命名空间隔离安全
	当docker run启动一个容器时,Docker将在后台为容器创建一个独立的命名空间,命名空间提供了最基础也最直接的隔离
	与虚拟机方式相比,通过Linux namespace来实现的隔离不是那么彻底
	容器只是运行在宿主机上的一种特殊的进程,那么多个容器之间使用的还是同一个宿主机的操作系统内核
	在Linux内核中,有很多资源和对象是不能被Namespace化的 比如 时间
# 不能停掉容器 与资源会被释放掉
[root@docker docker]# docker run -it --name vm1 ubuntu
root@06a3c366c16b:/# 
root@06a3c366c16b:/# [root@docker docker]# docker ps
CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS               NAMES
06a3c366c16b        ubuntu              "/bin/bash"         14 seconds ago      Up 13 seconds                           vm1
[root@docker docker]# docker inspect vm1 | grep Pid
            "Pid": 1504,
            "PidMode": "",
            "PidsLimit": 0,
[root@docker docker]# ps aux |grep 1504
root      1504  0.0  0.1  18164  1960 pts/0    Ss+  10:43   0:00 /bin/bash
root      1589  0.0  0.1 112704  1024 pts/0    R+   10:44   0:00 grep --color=auto 1504
[root@docker docker]# cd /proc/1504
[root@docker 1504]# ls
attr             cwd       map_files   oom_adj        schedstat  task
autogroup        environ   maps        oom_score      sessionid  timers
auxv             exe       mem         oom_score_adj  setgroups  uid_map
cgroup           fd        mountinfo   pagemap        smaps      wchan
clear_refs       fdinfo    mounts      patch_state    stack
cmdline          gid_map   mountstats  personality    stat
comm             io        net         projid_map     statm
coredump_filter  limits    ns          root           status
cpuset           loginuid  numa_maps   sched          syscall
[root@docker 1504]# cd ns/
# namespace
"""
namespace 主要用作环境的隔离,主要有以下namespace:
UTS: 主机名与域名
IPC: 信号量、消息队列和共享内存
PID: 进程编号
Network:网络设备、网络栈、端口等等
Mount: 挂载点
User: 用户和用户组
"""
[root@docker ns]# ls
ipc  mnt  net  pid  user  uts

控制组资源控制安全
	当docker run启动一个容器时,Docker将在后台为容器创建一个独立的控制组策略集合
	Linux Cgroup提供了很多有用的特性,确保各容器可以公平地分享主机的内存,cpu,磁盘io等资源
	确保当发生在容器内的资源压力不会影响到本地主机系统和其他容器,它在防止拒绝服务DDos方面必不可少
[root@docker ns]# mount -t cgroup
cgroup on /sys/fs/cgroup/systemd type cgroup (rw,nosuid,nodev,noexec,relatime,xattr,release_agent=/usr/lib/systemd/systemd-cgroups-agent,name=systemd)
cgroup on /sys/fs/cgroup/perf_event type cgroup (rw,nosuid,nodev,noexec,relatime,perf_event)
cgroup on /sys/fs/cgroup/devices type cgroup (rw,nosuid,nodev,noexec,relatime,devices)
cgroup on /sys/fs/cgroup/cpu,cpuacct type cgroup (rw,nosuid,nodev,noexec,relatime,cpuacct,cpu)
cgroup on /sys/fs/cgroup/hugetlb type cgroup (rw,nosuid,nodev,noexec,relatime,hugetlb)
cgroup on /sys/fs/cgroup/memory type cgroup (rw,nosuid,nodev,noexec,relatime,memory)
cgroup on /sys/fs/cgroup/freezer type cgroup (rw,nosuid,nodev,noexec,relatime,freezer)
cgroup on /sys/fs/cgroup/blkio type cgroup (rw,nosuid,nodev,noexec,relatime,blkio)
cgroup on /sys/fs/cgroup/pids type cgroup (rw,nosuid,nodev,noexec,relatime,pids)
cgroup on /sys/fs/cgroup/net_cls,net_prio type cgroup (rw,nosuid,nodev,noexec,relatime,net_prio,net_cls)
cgroup on /sys/fs/cgroup/cpuset type cgroup (rw,nosuid,nodev,noexec,relatime,cpuset)
[root@docker ns]# cd /sys/fs/cgroup/
[root@docker cgroup]# ls
blkio    cpu,cpuacct  freezer  net_cls           perf_event
cpu      cpuset       hugetlb  net_cls,net_prio  pids
cpuacct  devices      memory   net_prio          systemd
[root@docker cgroup]# cd cpu
[root@docker cpu]# ls
cgroup.clone_children  cpuacct.usage         cpu.rt_runtime_us  release_agent
cgroup.event_control   cpuacct.usage_percpu  cpu.shares         system.slice
cgroup.procs           cpu.cfs_period_us     cpu.stat           tasks
cgroup.sane_behavior   cpu.cfs_quota_us      docker             user.slice
cpuacct.stat           cpu.rt_period_us      notify_on_release
[root@docker cpu]# cd docker/
[root@docker docker]# ls
06a3c366c16be682286ca31da43026615db1b053d394fb0f8b08dc9c9126ae47
cgroup.clone_children
cgroup.event_control
cgroup.procs
cpuacct.stat
cpuacct.usage
cpuacct.usage_percpu
cpu.cfs_period_us
cpu.cfs_quota_us
cpu.rt_period_us
cpu.rt_runtime_us
cpu.shares
cpu.stat
notify_on_release
tasks

内核能力机制
	能力机制(Capability)是linux内核一个强大的特性,可以提供细粒度的访问权限控制
	大部分情况下,容器并不需要“真正的”root权限,容器只需要少数的能力即可
	默认情况下,docker采用“白名单”机制,禁用“必需功能”之外的其他权限
[root@docker docker]# docker container attach vm1
root@06a3c366c16b:/# 
root@06a3c366c16b:/# 
root@06a3c366c16b:/# id   #你所看到的root并不具备真正的root身份权限
uid=0(root) gid=0(root) groups=0(root)
root@06a3c366c16b:/# ip addr
1: lo:  mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
4: eth0@if5:  mtu 1500 qdisc noqueue state UP group default 
    link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.2/16 brd 172.17.255.255 scope global eth0
       valid_lft forever preferred_lft forever
root@06a3c366c16b:/# ip link set down eth0 #真正的root是具备这样的权限的 所以在容器内 你不是真正的root
RTNETLINK answers: Operation not permitted



Docker服务端防护
	使用Docker容器的核心是Docker服务端,确保只有可信的用户才能访问Docker服务
	将容器的root用户映射到本地主机上的非root用户,减轻容器和主机之间因权限提升而引起的安全问题
	允许Docker服务端在非root权限下运行,利用安全可靠的子进程来代理执行需要特权权限的操作,这些子进程只允许在特定的范围内进行操作

其他安全特性
	在内核中启用GRSEC和PAX 这将增加更多的编译和运行时的安全检查,并且通过地址随机化机制来避免恶意探测等(启用该特性不需要Docker进行任何配置)
	使用一些有增强安全特性的容器模板
	用户可以自定义更加严格的访问控制机制来定制安全策略
	在文件系统挂载到容器内部时,可以通过配置只读模式来避免容器内的应用通过文件系统外部环境,特别是一些系统运行状态相关的目录


容器资源控制
linux cgroup??
# 其他资源控制 cat /etc/security/limits.conf
Linux cgroup给用户暴露出来的操作接口是文件系统
	它以文件和目录的方式组织在操作系统的/sys/fs/cgroup路径下
	执行此命令查看:mount -t cgroup
	在/sys/fs/cgroup下面有诸多如cpuset cpu memory这样的子目录,也叫子系统
	在每个子系统下面,为每个容器创建一个控制组(即创建一个新的目录)
	控制组下面的资源文件里填什么值,就靠用户执行docker run时所加的参数

##资源控制的方式
#docker与linux内核无缝连接
###cpu限制
[root@docker cgroup]# ls
blkio(控制磁盘IO的)    cpu,cpuacct  freezer  net_cls           perf_event
cpu      cpuset       hugetlb  net_cls,net_prio  pids
cpuacct  devices      memory   net_prio          systemd
[root@docker cgroup]# pwd
/sys/fs/cgroup
[root@docker cpu]# ls
cgroup.clone_children  cpuacct.usage         cpu.rt_runtime_us  release_agent
cgroup.event_control   cpuacct.usage_percpu  cpu.shares         system.slice
cgroup.procs           cpu.cfs_period_us     cpu.stat           tasks
cgroup.sane_behavior   cpu.cfs_quota_us      docker             user.slice
cpuacct.stat           cpu.rt_period_us      notify_on_release
[root@docker cpu]# mkdir x1  #是上级目录的子目录(带有复制的资源)
[root@docker cpu]# cd x1/
[root@docker x1]# ls
cgroup.clone_children  cpuacct.usage_percpu  cpu.shares
cgroup.event_control   cpu.cfs_period_us     cpu.stat
cgroup.procs           cpu.cfs_quota_us      notify_on_release
cpuacct.stat           cpu.rt_period_us      tasks
cpuacct.usage          cpu.rt_runtime_us

# 如不做修改 与父级目录内容是一样的
# 除了在容器中使用还可以控制我们操作系统本身的一些东西
[root@docker x1]# cat cpu.cfs_period_us #使用cpu的时间100毫秒
100000(微秒)
[root@docker x1]# cat cpu.cfs_quota_us #不做限制 给100就用100
-1
# 以上两个文件需要配合使用
[root@docker x1]# echo 20000 > cpu.cfs_quota_us #100毫秒只用20% 注意:只能用非交互的echo方式改写
[root@docker x1]# cat cpu.cfs_quota_us 
20000

# 测试 top命令观察发现 与我们的限制之间并没有什么联系
[root@docker x1]# dd if=/dev/zero of=/dev/null & #此命令不占内存 只耗费cpu
[1] 12572
 
12572 root      20   0  107992    608    516 R 99.9  0.1   0:13.84 dd       

#通过TOP命令查看 并没有发生什么变化

# 怎么建立联系
[root@docker x1]# ls
cgroup.clone_children  cpuacct.usage_percpu  cpu.shares
cgroup.event_control   cpu.cfs_period_us     cpu.stat
cgroup.procs           cpu.cfs_quota_us      notify_on_release
cpuacct.stat           cpu.rt_period_us      tasks
cpuacct.usage          cpu.rt_runtime_us
[root@docker x1]# echo 12572 > tasks 
12572 root      20   0  107992    608    516 R 20.0  0.1   1:40.57 dd  

# 看到结果开始生效

# 对docker容器进程进行控制
"""废话
[root@docker docker]# ls
3f5a12193cb1e6b3782a30a647edce9118a4e38e86edf305a0cbb7c78df0e494 #开启的容器
cgroup.clone_children
cgroup.event_control
cgroup.procs
cpuacct.stat
cpuacct.usage
cpuacct.usage_percpu
cpu.cfs_period_us
cpu.cfs_quota_us
cpu.rt_period_us
cpu.rt_runtime_us
cpu.shares
cpu.stat
notify_on_release
tasks
[root@docker docker]# pwd
/sys/fs/cgroup/cpu/docker

[root@docker docker]# cd 3f5a12193cb1e6b3782a30a647edce9118a4e38e86edf305a0cbb7c78df0e494 #对资源的复制
[root@docker 3f5a12193cb1e6b3782a30a647edce9118a4e38e86edf305a0cbb7c78df0e494]# ls
cgroup.clone_children  cpuacct.usage_percpu  cpu.shares
cgroup.event_control   cpu.cfs_period_us     cpu.stat
cgroup.procs           cpu.cfs_quota_us      notify_on_release
cpuacct.stat           cpu.rt_period_us      tasks
cpuacct.usage          cpu.rt_runtime_us
[root@docker 3f5a12193cb1e6b3782a30a647edce9118a4e38e86edf305a0cbb7c78df0e494]# 
[root@docker 3f5a12193cb1e6b3782a30a647edce9118a4e38e86edf305a0cbb7c78df0e494]# 
"""
[root@docker ~]# docker run --help|grep cpu
      --cpu-period int                 Limit CPU CFS (Completely Fair
      --cpu-quota int                  Limit CPU CFS (Completely Fair
      --cpu-rt-period int              Limit CPU real-time period in
      --cpu-rt-runtime int             Limit CPU real-time runtime in
  -c, --cpu-shares int                 CPU shares (relative weight)
      --cpus decimal                   Number of CPUs
      --cpuset-cpus string             CPUs in which to allow execution
      --cpuset-mems string             MEMs in which to allow execution

[root@docker ~]# docker run -it --name vm2 --cpu-period 100000 --cpu-quota 20000 ubuntu
root@d3b1336b2adb:/# 

[root@docker docker]# cd d3b1336b2adb72c766227795eaa03dde575143abcbfda939c9b79a19b8839622/
[root@docker d3b1336b2adb72c766227795eaa03dde575143abcbfda939c9b79a19b8839622]# ls
cgroup.clone_children  cpuacct.usage_percpu  cpu.shares
cgroup.event_control   cpu.cfs_period_us     cpu.stat
cgroup.procs           cpu.cfs_quota_us      notify_on_release
cpuacct.stat           cpu.rt_period_us      tasks
cpuacct.usage          cpu.rt_runtime_us
[root@docker d3b1336b2adb72c766227795eaa03dde575143abcbfda939c9b79a19b8839622]# cat cpu.rt_period_us 
1000000
[root@docker d3b1336b2adb72c766227795eaa03dde575143abcbfda939c9b79a19b8839622]# cat cpu.cfs_quota_us 
20000
[root@docker d3b1336b2adb72c766227795eaa03dde575143abcbfda939c9b79a19b8839622]# 
# 测试是否生效
[root@docker ~]# docker run -it --name vm2 --cpu-period 100000 --cpu-quota 20000 ubuntu
# 使其还是占用的是物理cpu的资源
root@d3b1336b2adb:/# dd if=/dev/zero of=/dev/null &

12877 root      20   0    4364    360    280 R 20.0  0.0   0:03.65 dd

# 在物理机top查看 因为容器其实还是占用真实物理机的cpu

##内存限制
容器可用内存包括两个部分:物理内存(优先使用)和swap交换分区[root@docker ~]# cd /sys/fs/cgroup/
[root@docker cgroup]# 
[root@docker cgroup]# ls
blkio    cpu,cpuacct  freezer  net_cls           perf_event
cpu      cpuset       hugetlb  net_cls,net_prio  pids
cpuacct  devices      memory   net_prio          systemd
[root@docker cgroup]# cd memory/
[root@docker memory]# pwd
/sys/fs/cgroup/memory
[root@docker memory]# ls
cgroup.clone_children               memory.memsw.failcnt
cgroup.event_control                memory.memsw.limit_in_bytes
cgroup.procs                        memory.memsw.max_usage_in_bytes
cgroup.sane_behavior                memory.memsw.usage_in_bytes
docker                              memory.move_charge_at_immigrate
memory.failcnt                      memory.numa_stat
memory.force_empty                  memory.oom_control
memory.kmem.failcnt                 memory.pressure_level
memory.kmem.limit_in_bytes          memory.soft_limit_in_bytes
memory.kmem.max_usage_in_bytes      memory.stat
memory.kmem.slabinfo                memory.swappiness
memory.kmem.tcp.failcnt             memory.usage_in_bytes
memory.kmem.tcp.limit_in_bytes      memory.use_hierarchy
memory.kmem.tcp.max_usage_in_bytes  notify_on_release
memory.kmem.tcp.usage_in_bytes      release_agent
memory.kmem.usage_in_bytes          system.slice
memory.limit_in_bytes               tasks
memory.max_usage_in_bytes           user.slice

[root@docker memory]# mkdir x2
[root@docker memory]# cd x2/
[root@docker x2]# ls  #内容从父级目录直接复制过来
cgroup.clone_children               memory.memsw.failcnt
cgroup.event_control                memory.memsw.limit_in_bytes
cgroup.procs                        memory.memsw.max_usage_in_bytes
memory.failcnt                      memory.memsw.usage_in_bytes
memory.force_empty                  memory.move_charge_at_immigrate
memory.kmem.failcnt                 memory.numa_stat
memory.kmem.limit_in_bytes          memory.oom_control
memory.kmem.max_usage_in_bytes      memory.pressure_level
memory.kmem.slabinfo                memory.soft_limit_in_bytes
memory.kmem.tcp.failcnt             memory.stat
memory.kmem.tcp.limit_in_bytes      memory.swappiness
memory.kmem.tcp.max_usage_in_bytes  memory.usage_in_bytes
memory.kmem.tcp.usage_in_bytes      memory.use_hierarchy
memory.kmem.usage_in_bytes          notify_on_release
memory.limit_in_bytes               tasks
memory.max_usage_in_bytes

[root@docker x2]# cat memory.limit_in_bytes #默认没有控制 有多少用多少
9223372036854771712 #字节

# 控制:只能使用256M
"""
字节的转换
[root@foundation0 ~]# bc
bc 1.06.95
Copyright 1991-1994, 1997, 1998, 2000, 2004, 2006 Free Software Foundation, Inc.
This is free software with ABSOLUTELY NO WARRANTY.
For details type `warranty'. 
256 * 1024 * 1024
268435456

"""

[root@docker x2]# cat memory.limit_in_bytes
9223372036854771712
[root@docker x2]# echo 268435456 > memory.limit_in_bytes
[root@docker x2]# cat memory.limit_in_bytes 
268435456

[root@docker x2]# df
Filesystem            1K-blocks    Used Available Use% Mounted on
/dev/mapper/rhel-root  17811456 5025844  12785612  29% /
devtmpfs                 495544       0    495544   0% /dev
tmpfs                    507780       0    507780   0% /dev/shm
tmpfs                    507780   13228    494552   3% /run
tmpfs                    507780       0    507780   0% /sys/fs/cgroup
/dev/sda1               1038336  132704    905632  13% /boot
tmpfs                    101560       0    101560   0% /run/user/0
[root@docker x2]# free -m
              total        used        free      shared  buff/cache   available
Mem:            991         138         176          12         676         652
Swap:          2047           0        2047
[root@docker x2]# cd /dev/shm #注意 一定要在这个目录下 才会占用你的内存
[root@docker shm]# dd if=/dev/zero of=bigfile bs=1M count=100
100+0 records in
100+0 records out
104857600 bytes (105 MB) copied, 0.0328056 s, 3.2 GB/s
[root@docker shm]# free -m
              total        used        free      shared  buff/cache   available
Mem:            991         138          77         112         776         553
Swap:          2047           0        2047
[root@docker shm]# dd if=/dev/zero of=bigfile bs=1M count=200
200+0 records in
200+0 records out
209715200 bytes (210 MB) copied, 0.101575 s, 2.1 GB/s
[root@docker shm]# free -m
              total        used        free      shared  buff/cache   available
Mem:            991         135          72         210         783         458
Swap:          2047           2        2045
[root@docker shm]# dd if=/dev/zero of=bigfile bs=1M count=300
300+0 records in
300+0 records out
314572800 bytes (315 MB) copied, 0.135642 s, 2.3 GB/s

# 我们看到并没有生效???
[root@docker shm]# free -m
              total        used        free      shared  buff/cache   available
Mem:            991         134          83         309         773         363
Swap:          2047           3        2044
[root@docker shm]# id root
uid=0(root) gid=0(root) groups=0(root)
[root@docker shm]# cd /sys/fs/cgroup/memory/
[root@docker memory]# cd x2/
[root@docker x2]# cd -
/sys/fs/cgroup/memory

# 怎么发生联系
# 因为这个命令不是持续运行的 就不能往task里面去写
[root@docker memory]# cd /dev/shm
[root@docker shm]# cgexec -g memory:x2 dd if=/dev/zero of=bigfile bs=1M count=100
100+0 records in
100+0 records out
104857600 bytes (105 MB) copied, 0.0366051 s, 2.9 GB/s
[root@docker shm]# cgexec -g memory:x2 dd if=/dev/zero of=bigfile bs=1M count=200
200+0 records in
200+0 records out
209715200 bytes (210 MB) copied, 0.0755738 s, 2.8 GB/s

# 我什么还是可以呢??超过了我们的256M的限制
[root@docker shm]# cgexec -g memory:x2 dd if=/dev/zero of=bigfile bs=1M count=300
300+0 records in
300+0 records out
314572800 bytes (315 MB) copied, 0.352022 s, 894 MB/s
[root@docker shm]# free -m
              total        used        free      shared  buff/cache   available
Mem:            991         191         126         209         674         405
Swap:          2047         103        1944
[root@docker shm]# cgexec -g memory:x2 dd if=/dev/zero of=bigfile bs=1M count=400
400+0 records in
400+0 records out
419430400 bytes (419 MB) copied, 0.33249 s, 1.3 GB/s
[root@docker shm]# free -m
              total        used        free      shared  buff/cache   available
Mem:            991         134         126         266         730         405
Swap:          2047         146        1901
[root@docker shm]# cgexec -g memory:x2 dd if=/dev/zero of=bigfile bs=1M count=450
450+0 records in
450+0 records out
471859200 bytes (472 MB) copied, 0.411024 s, 1.1 GB/s
[root@docker shm]# free -m
              total        used        free      shared  buff/cache   available
Mem:            991         134         125         267         731         405
# 在物理内存不够的情况下 使用了swap分区

[root@docker x2]# cat memory.limit_in_bytes 
268435456
[root@docker x2]# echo 268435456 >memory.memsw.limit_in_bytes 
-bash: echo: write error: Device or resource busy
[root@docker x2]# cd -
/sys/fs/cgroup/memory
[root@docker memory]# ls
cgroup.clone_children               memory.memsw.limit_in_bytes
cgroup.event_control                memory.memsw.max_usage_in_bytes
cgroup.procs                        memory.memsw.usage_in_bytes
cgroup.sane_behavior                memory.move_charge_at_immigrate
docker                              memory.numa_stat
memory.failcnt                      memory.oom_control
memory.force_empty                  memory.pressure_level
memory.kmem.failcnt                 memory.soft_limit_in_bytes
memory.kmem.limit_in_bytes          memory.stat
memory.kmem.max_usage_in_bytes      memory.swappiness
memory.kmem.slabinfo                memory.usage_in_bytes
memory.kmem.tcp.failcnt             memory.use_hierarchy
memory.kmem.tcp.limit_in_bytes      notify_on_release
memory.kmem.tcp.max_usage_in_bytes  release_agent
memory.kmem.tcp.usage_in_bytes      system.slice
memory.kmem.usage_in_bytes          tasks
memory.limit_in_bytes               user.slice
memory.max_usage_in_bytes           x2
memory.memsw.failcnt
[root@docker memory]# cd /dev/shm/
[root@docker shm]# ls
bigfile
[root@docker shm]# rm -rf bigfile #报错的解决
[root@docker shm]# cd -
/sys/fs/cgroup/memory
[root@docker memory]# ls
cgroup.clone_children               memory.memsw.limit_in_bytes
cgroup.event_control                memory.memsw.max_usage_in_bytes
cgroup.procs                        memory.memsw.usage_in_bytes
cgroup.sane_behavior                memory.move_charge_at_immigrate
docker                              memory.numa_stat
memory.failcnt                      memory.oom_control
memory.force_empty                  memory.pressure_level
memory.kmem.failcnt                 memory.soft_limit_in_bytes
memory.kmem.limit_in_bytes          memory.stat
memory.kmem.max_usage_in_bytes      memory.swappiness
memory.kmem.slabinfo                memory.usage_in_bytes
memory.kmem.tcp.failcnt             memory.use_hierarchy
memory.kmem.tcp.limit_in_bytes      notify_on_release
memory.kmem.tcp.max_usage_in_bytes  release_agent
memory.kmem.tcp.usage_in_bytes      system.slice
memory.kmem.usage_in_bytes          tasks
memory.limit_in_bytes               user.slice
memory.max_usage_in_bytes           x2
memory.memsw.failcnt
[root@docker memory]# cd x2/
[root@docker x2]# echo 268435456 >memory.memsw.limit_in_bytes

# 这两个文件的意义:物理内存和swap加起来一共可用256M

以上设置表明:物理内存和swap分区共同只能使用256M
####此时实验成功
[root@docker shm]# cgexec -g memory:x2 dd if=/dev/zero of=bigfile bs=1M count=300
Killed
[root@docker shm]# free -m
              total        used        free      shared  buff/cache   available
Mem:            991         133         126         267         731         405
Swap:          2047           0        2047


docker run -it --memory 256M --memory-swap=256M ubuntu
#如果在启动容器时只指定 -m 而不指定 --memory-swap,那么--memory-swap 默认为-m的两倍
'''
block io #对磁盘的读写限制
# 每s读/写的数据量
blkio.throttle.read_bps_device
blkio.throttle.write_bps_device

# 每s读/写的操作次数
blkio.throttle.write_iops_device
blkio.throttle.write_bps_device


[root@docker blkio]# docker run --help |grep device
      --blkio-weight-device list       Block IO weight (relative device
      --device list                    Add a host device to the container
      --device-cgroup-rule list        Add a rule to the cgroup allowed
                                       devices list
      --device-read-bps list           Limit read rate (bytes per second)
                                       from a device (default [])
      --device-read-iops list          Limit read rate (IO per second)
                                       from a device (default [])
      --device-write-bps list          Limit write rate (bytes per
                                       second) to a device (default [])
      --device-write-iops list         Limit write rate (IO per second)
                                       to a device (default [])

[root@docker blkio]# ll /dev/vda 
brw-rw---- 1 root disk 252, 0 Oct 24 15:41 /dev/vda


[root@docker blkio]# ll /dev/vda 
brw-rw---- 1 root disk 252, 0(设备号) Oct 24 15:41 /dev/vda
[root@docker blkio]# echo "252:0 1048576" > blkio.throttle.write_bps_device
[root@docker blkio]# cat blkio.throttle.write_bps_device
252:0 1048576 ##1Mbps 1024* 1024

# 测试:好像没有生效
# 注意:当前block io限制只对direct io 有效(不适用文件系统缓存)
[root@docker ~]# cgexec -g blkio:x3 dd if=/dev/zero of=testfile bs=1M count=10
10+0 records in
10+0 records out
10485760 bytes (10 MB) copied, 0.00381529 s, 2.7 GB/s

[root@docker blkio]# ll /dev/vda
brw-rw---- 1 root disk 252, 0 Oct 24 15:48 /dev/vda
[root@docker blkio]# echo "252:0 1048576" > blkio.throttle.write_bps_device
[root@docker blkio]# cgexec -g blkio:x3 dd if=/dev/zero of=/mnt/westosfile bs=1M count=10 oflag=direct
10+0 records in
10+0 records out
10485760 bytes (10 MB) copied, 10.0025 s, 1.0 MB/s #控制非常精准


[root@docker blkio]# docker run -it --name vm2 --device-write-bps /dev/sda:1MB ubuntu
root@b9e61aad4a99:/# dd if=/dev/zero of=westos bs=1M count=10 oflag=direct #oflag=direct将跳过内存缓存
"""
direct 模式就是把写入请求直接封装成io 指令发到磁盘
非direct 模式,就把数据写入系统缓存,然后就认为io 成功,并由操作系统决定缓存中的数据什么时候被写入磁盘
"""
10+0 records in
10+0 records out
10485760 bytes (10 MB) copied, 10.0021 s, 1.0 MB/s

[root@docker ~]# cd /sys/fs/cgroup/
[root@docker cgroup]# ls
blkio    cpu,cpuacct  freezer  net_cls           perf_event
cpu      cpuset       hugetlb  net_cls,net_prio  pids
cpuacct  devices      memory   net_prio          systemd
[root@docker cgroup]# cd blkio/
[root@docker blkio]# ls
blkio.io_merged                   blkio.throttle.read_bps_device
blkio.io_merged_recursive         blkio.throttle.read_iops_device
blkio.io_queued                   blkio.throttle.write_bps_device
blkio.io_queued_recursive         blkio.throttle.write_iops_device
blkio.io_service_bytes            blkio.time
blkio.io_service_bytes_recursive  blkio.time_recursive
blkio.io_serviced                 blkio.weight
blkio.io_serviced_recursive       blkio.weight_device
blkio.io_service_time             cgroup.clone_children
blkio.io_service_time_recursive   cgroup.event_control
blkio.io_wait_time                cgroup.procs
blkio.io_wait_time_recursive      cgroup.sane_behavior
blkio.leaf_weight                 docker
blkio.leaf_weight_device          notify_on_release
blkio.reset_stats                 release_agent
blkio.sectors                     system.slice
blkio.sectors_recursive           tasks
blkio.throttle.io_service_bytes   user.slice
blkio.throttle.io_serviced        x3
[root@docker blkio]# cd docker/
[root@docker docker]# ls
b9e61aad4a99aedcb42c9e827c82909a2ff6efac705055b6d5fbedc990eb9e07
blkio.io_merged
blkio.io_merged_recursive
blkio.io_queued
blkio.io_queued_recursive
blkio.io_service_bytes
blkio.io_service_bytes_recursive
blkio.io_serviced
blkio.io_serviced_recursive
blkio.io_service_time
blkio.io_service_time_recursive
blkio.io_wait_time
blkio.io_wait_time_recursive
blkio.leaf_weight
blkio.leaf_weight_device
blkio.reset_stats
blkio.sectors
blkio.sectors_recursive
blkio.throttle.io_service_bytes
blkio.throttle.io_serviced
blkio.throttle.read_bps_device
blkio.throttle.read_iops_device
blkio.throttle.write_bps_device
blkio.throttle.write_iops_device
blkio.time
blkio.time_recursive
blkio.weight
blkio.weight_device
cgroup.clone_children
cgroup.event_control
cgroup.procs
notify_on_release
tasks
[root@docker docker]# cd b9e61aad4a99aedcb42c9e827c82909a2ff6efac705055b6d5fbedc990eb9e07
[root@docker b9e61aad4a99aedcb42c9e827c82909a2ff6efac705055b6d5fbedc990eb9e07]# ls
blkio.io_merged                   blkio.sectors_recursive
blkio.io_merged_recursive         blkio.throttle.io_service_bytes
blkio.io_queued                   blkio.throttle.io_serviced
blkio.io_queued_recursive         blkio.throttle.read_bps_device
blkio.io_service_bytes            blkio.throttle.read_iops_device
blkio.io_service_bytes_recursive  blkio.throttle.write_bps_device
blkio.io_serviced                 blkio.throttle.write_iops_device
blkio.io_serviced_recursive       blkio.time
blkio.io_service_time             blkio.time_recursive
blkio.io_service_time_recursive   blkio.weight
blkio.io_wait_time                blkio.weight_device
blkio.io_wait_time_recursive      cgroup.clone_children
blkio.leaf_weight                 cgroup.event_control
blkio.leaf_weight_device          cgroup.procs
blkio.reset_stats                 notify_on_release
blkio.sectors                     tasks
[root@docker b9e61aad4a99aedcb42c9e827c82909a2ff6efac705055b6d5fbedc990eb9e07]# cat blkio.throttle.write_bps_device
8:0 1048576
[root@docker b9e61aad4a99aedcb42c9e827c82909a2ff6efac705055b6d5fbedc990eb9e07]#

"""
[root@docker ~]# ll /dev/sda
brw-rw---- 1 root disk 8, 0 Oct 24 15:48 /dev/sda

"""
限制用户
[root@docker shm]# cat /etc/cgrules.conf 
# /etc/cgrules.conf
#The format of this file is described in cgrules.conf(5)
#manual page.
#
# Example:
#			
#@student	cpu,memory	usergroup/student/
#peter		cpu		test1/
#%		memory		test2/
# End of file
# 这个用户所占用的内存
dd              memory           x2/
[root@docker ~]# systemctl start cgred
[root@docker ~]# systemctl status cgred
● cgred.service - CGroups Rules Engine Daemon
   Loaded: loaded (/usr/lib/systemd/system/cgred.service; disabled; vendor preset: disabled)
   Active: active (running) since Thu 2019-10-24 16:17:27 CST; 5s ago
  Process: 13737 ExecStart=/usr/sbin/cgrulesengd $OPTIONS (code=exited, status=0/SUCCESS)
 Main PID: 13738 (cgrulesengd)
    Tasks: 1
   Memory: 3.1M
   CGroup: /system.slice/cgred.service
           └─13738 /usr/sbin/cgrulesengd -s -g cgred

Oct 24 16:17:27 docker systemd[1]: Starting CGroups Rules Engine Daemon...
Oct 24 16:17:27 docker systemd[1]: Started CGroups Rules Engine Daemon.
[root@docker ~]# su - dd
[dd@docker ~]$ id dd
uid=1000(dd) gid=1000(dd) groups=1000(dd)
[dd@docker ~]$ cd /dev/shm/
[dd@docker shm]$ ls
[dd@docker shm]$ dd if=/dev/zero of=dd bs=1M count=100
100+0 records in
100+0 records out
104857600 bytes (105 MB) copied, 0.0361387 s, 2.9 GB/s
[dd@docker shm]$ dd if=/dev/zero of=dd bs=1M count=200
200+0 records in
200+0 records out
209715200 bytes (210 MB) copied, 0.0688063 s, 3.0 GB/s
[dd@docker shm]$ dd if=/dev/zero of=dd bs=1M count=300
Killed

##隔离并不彻底
[root@docker x2]# docker run -it --memory-swap 256M --memory 256M ubuntu
root@b6b9af37fc2f:/# free -m
             total       used       free     shared    buffers     cached
Mem:           991        871        119        266          6        614
-/+ buffers/cache:        250        740
Swap:         2047          1       2046
root@b6b9af37fc2f:/# exit
exit
[root@docker x2]# free -m
              total        used        free      shared  buff/cache   available
Mem:            991         140         143         266         707         400
Swap:          2047           1        2046

你可能感兴趣的:(docker安全)