New IT Operations Era | Docker Operations Best Practices (Part 2)

Source: Internet
Author: User
Tags: syslog, iptables, docker run, docker registry

The previous article shared Docker operations experience in four areas: the operating system, host configuration, container images, and container operation. This article continues with two more: Docker daemon parameters and Docker daemon permissions. (For the first part, see: New IT Operations Era | Docker Operations Best Practices (Part 1).)

The Docker daemon is Docker's background service and can be broadly divided into three parts: the Docker server, the engine, and jobs. The daemon accepts requests from Docker clients through the server module, processes them in the engine, and then creates and runs the job that corresponds to the request type.

The following is a diagram of the Docker daemon architecture:



Docker Daemon Parameters

From the figure above it is not hard to see that the Docker daemon is the core of Docker, so its configuration matters a great deal. The following covers, from the security and performance perspectives, how to configure the Docker daemon's parameters:

Restrict network communication between containers: on the same host, if communication between containers is not restricted, a container can reach the other containers' services and expose sensitive information, so it is recommended to disable it, with a parameter such as: docker daemon --icc=false;

Set the log level to info: this captures all messages except debug output, with a parameter such as: docker daemon --log-level="info";

Allow the Docker daemon to modify iptables: this automatically avoids container connectivity problems, between containers and to the outside, that are caused by incorrect network configuration, with a parameter such as: docker daemon --iptables=true;

Access the image registry in secure mode: the Docker daemon supports secure mode (the default) and insecure mode (--insecure-registry) for registry access. It is recommended to configure the registry with a CA certificate and to configure the Docker daemon for secure access, so that transport uses TLS;

Use OverlayFS as the Docker storage driver: Docker supports several storage drivers; the default on CentOS is devicemapper and the default on Ubuntu is AUFS. For how to choose a storage driver, refer to the comparison chart below:

Configure TLS authentication for the Docker daemon: it is recommended to specify the listening IP address, port and UNIX socket for the Docker daemon, configure TLS authentication, and access the daemon via its IP address and port, with parameters such as: --tlsverify, --tlscacert, --tlscert, --tlskey;

Enable user namespace support for the Docker daemon: the Docker daemon supports the Linux kernel's user namespaces, which add a layer of protection for the Docker host. Without them, a container process running as root is the same root user on the host, and could be used from outside the container to take control of the host; enable remapping with a parameter such as: docker daemon --userns-remap=default;

Configure a default cgroup for the Docker daemon: a single program may consume all of the host's resources, causing other programs to malfunction or the system to hang, so cgroups are used to control how much resource a process may consume, with a parameter such as: docker daemon --cgroup-parent=/foobar;

Configure a remote log collection system in Docker: Docker supports a wide variety of log drivers, and it is highly advisable to configure a centralized remote logging system to store Docker logs, for example: docker run --log-driver=syslog --log-opt syslog-address=tcp://IP;

Use Docker Registry v2: v2 is far stronger than v1 in both performance and security (image signing, for example, on the security side); set a parameter such as: docker daemon --disable-legacy-registry;

Docker Daemon Permissions

The ownership and permissions of the files and directories related to the Docker daemon bear on the security of the whole Docker runtime, and from an operations perspective it is particularly important to plan them properly. The following details how to configure Docker daemon permissions.

1. Set the ownership and permissions of the Docker daemon's related configuration files


2. Set the ownership and permissions of the Docker daemon's related directories

The /etc/docker directory holds container authentication and key information; set its ownership to root:root and its permissions to 755;

The /etc/docker/certs.d/ directory holds the registry certificate files; set its ownership to root:root and its permissions to 444.
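As an added example, not from the original article, this Python check verifies the ownership and mode of the two directories above. demo() builds a constructed copy of the tree under a temporary directory, owned by the current user rather than root, so it runs without touching the real /etc/docker.

```python
import os
import shutil
import stat
import tempfile

# Expected mode for each directory the page lists; both should be owned by root (uid 0, gid 0).
EXPECTED_DIR_MODES = {"/etc/docker": 0o755, "/etc/docker/certs.d": 0o444}


def check_path(path: str, want_mode: int, want_uid: int = 0, want_gid: int = 0) -> list:
    """Compare one path's owner, group and permission bits against the expected values."""
    st = os.stat(path)
    findings = []
    if (st.st_uid, st.st_gid) != (want_uid, want_gid):
        findings.append("%s: owned by %d:%d, expected %d:%d"
                        % (path, st.st_uid, st.st_gid, want_uid, want_gid))
    mode = stat.S_IMODE(st.st_mode)  # permission bits only, without the file-type bits
    if mode != want_mode:
        findings.append("%s: mode %04o, expected %04o" % (path, mode, want_mode))
    return findings


def audit_docker_dirs(root: str = "", uid: int = 0, gid: int = 0) -> list:
    """Audit every directory in EXPECTED_DIR_MODES; `root` lets a test point at a copy of the tree."""
    findings = []
    for rel, mode in EXPECTED_DIR_MODES.items():
        findings += check_path(root + rel, mode, uid, gid)
    return findings


def demo() -> list:
    """Constructed scenario: build an /etc/docker tree under a temp dir, leave /etc/docker
    world-writable, and audit it against the owner of the temp dir (the current user)."""
    base = tempfile.mkdtemp()
    try:
        os.makedirs(base + "/etc/docker/certs.d")
        os.chmod(base + "/etc/docker", 0o777)          # wrong: anyone could replace keys or certs
        os.chmod(base + "/etc/docker/certs.d", 0o444)  # matches the recommendation
        owner = os.stat(base)                          # uid/gid the constructed tree actually has
        return audit_docker_dirs(base, uid=owner.st_uid, gid=owner.st_gid)
    finally:
        shutil.rmtree(base, ignore_errors=True)
```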


This article source: http://www.youruncloud.com/blog/125.html
