Docker Security: User Resource Isolation
The 6 kinds of namespace Docker uses for resource isolation
| namespace | Isolated content | Kernel version |
| --- | --- | --- |
| UTS | Host name and domain name | Linux 2.6.19 |
| IPC | Semaphores, message queues and shared memory | Linux 2.6.19 |
| PID | Process IDs | Linux 2.6.24 |
| Network | Network devices, network stacks, ports | Started in Linux 2.6.24, completed in Linux 2.6.29 |
| Mount | Filesystem mount points | Linux 2.4.19 |
| User | User IDs and group IDs | Started in Linux 2.6.23, completed in Linux 3.8 |
The user namespace has been supported since Docker 1.10 and is not enabled by default.
The table above is not the focus of this article; this article mainly introduces the user namespace.

One. The role of the user namespace
Docker uses namespaces for resource isolation, and one of them is the user namespace. The user namespace primarily isolates security-related identifiers and attributes, including the user ID, group ID, root directory, keys, and special privileges.
By default, the root user of a Docker container is the same user as the root user on the host. Although the privileges of the container's root user can be restricted (capabilities), it is still essentially the same user as the host's root user.
With the user namespace, we can map an ordinary user on the host to the root user of the container, so that root inside the container actually has only the rights of an ordinary host user, which raises the security level of the container.

Experiment one: run a container without user namespace isolation
$ docker run -it ubuntu:14.04 top
Then open another terminal and look at the user of the container's process on the host:
~$ ps aux | grep top
root 18724 0.2 0.0 19848 2400 pts/15 Ss+ 14:16 0:00 top
As you can see, the user running the top command is root; that is, the root user in the container is the host's root user.

Experiment two: use the user namespace for resource isolation

Configuration: start the Docker daemon with the additional parameter --userns-remap=default. On Ubuntu, for example, edit DOCKER_OPTS in /etc/default/docker and append --userns-remap=default, then restart the Docker daemon, e.g. with service docker restart on Ubuntu.

Experiment content: run a container
$ docker run -it ubuntu:14.04 top
Then open another terminal and look at the user of the container's process on the host:
~$ ps aux | grep top
165536 19347 0.1 0.0 19848 2424 pts/15 Ss+ 14:32 0:00 top
As you can see, the user executing the top command on the host is UID 165536, not root. Now look at the output of the top command inside the container:
1 root 0 19848 2424 2108 R 0.0 0.0 0:00.07 top
Inside the container it still appears as the root user. That is, with the user namespace we can map an ordinary host user to the root user of the container.
This raises a question: who is this ordinary user?

Two. The user namespace's default mapped user
In the experiment above we used the simplest user namespace configuration, namely --userns-remap=default.
In fact, Docker creates a new user and group called dockremap, and the root user in the container is mapped to this dockremap user on the host.
$ cat /etc/passwd
...
dockremap:x:10000:10000:,,,:/home/dockremap:/bin/false
$ cat /etc/subuid
...
dockremap:165536:65536
$ cat /etc/subgid
...
dockremap:165536:65536
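The subuid entry above (start 165536, length 65536) is exactly the range the kernel exposes as the container's /proc/<pid>/uid_map, which is why container root showed up as host UID 165536 in ps. The following script is an added example, not code from the original post, that builds that uid_map line from a subuid entry and translates container UIDs to host UIDs, flagging IDs outside the range (which the kernel reports as the overflow UID 65534). The /etc/subuid contents and the uid_map text are constructed samples, and a single subuid range per user is assumed.

```shell
#!/bin/sh
# Constructed sample of /etc/subuid (matches the post's dockremap entry).
SUBUID='dockremap:165536:65536
alice:231072:65536'

# Constructed sample of what /proc/<pid>/uid_map shows for a remapped container:
# "ID-inside-namespace  ID-outside-namespace  length".
UID_MAP='0 165536 65536'

# subuid_to_uid_map <user> <subuid_text>: print the uid_map line the daemon
# sets up for <user> (assumes one subordinate range per user).
subuid_to_uid_map() {
    printf '%s\n' "$2" | awk -F: -v user="$1" '
        $1 == user { print "0 " $2 " " $3; exit }'
}

# map_uid <container_uid> <uid_map_text>: print the host UID that the given
# in-container UID corresponds to, or "unmapped" if no range covers it.
map_uid() {
    printf '%s\n' "$2" | awk -v id="$1" '
        NF == 3 && (id + 0) >= $1 && (id + 0) < $1 + $3 {
            print $2 + (id - $1); found = 1; exit
        }
        END { if (!found) print "unmapped" }'
}

# is_remapped <uid_map_text>: succeed only if container root (UID 0) maps to
# a host UID that is neither 0 nor unmapped, i.e. remapping is in effect.
is_remapped() {
    host_root=$(map_uid 0 "$1")
    [ "$host_root" != "0" ] && [ "$host_root" != "unmapped" ]
}

# Against a live daemon (assumes docker is installed; not run here):
#   pid=$(docker inspect --format '{{.State.Pid}}' <container>)
#   is_remapped "$(cat /proc/"$pid"/uid_map)" && echo "root is remapped"
```

A container started without --userns-remap shows the identity map `0 0 4294967295` in its uid_map, which is_remapped rejects.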
Three. Custom mapped users
First create the user and group on the host, then pass one of the following parameters when starting the Docker daemon:
--userns-remap=<uid>
--userns-remap=<uid>:<gid>
--userns-remap=<username>
--userns-remap=<username>:<groupname>
Source: Letter Brother blog, "Docker Security: User Resource Isolation"