docker - Docker security check

Reposted. Author: 行者123. Updated: 2023-12-02 19:23:51

I recently ran a security check on my docker server and found some warnings in the output of this script.

git clone https://github.com/docker/docker-bench-security.git
cd docker-bench-security
sudo sh docker-bench-security.sh

Sections 1, 2 and 4 relate to the docker daemon, and section 5 to the container runtime.
I think I can ignore most of these lines (but should I really act on any of them?)
[WARN] 1.2.1 - Ensure a separate partition for containers has been created
[WARN] 1.2.3 - Ensure auditing is configured for the Docker daemon

[WARN] 2.1 - Ensure network traffic is restricted between containers on the default bridge
[WARN] 2.8 - Enable user namespace support
[WARN] 2.11 - Ensure that authorization for Docker client commands is enabled
[WARN] 2.12 - Ensure centralized and remote logging is configured
[WARN] 2.13 - Ensure live restore is Enabled
[WARN] 2.14 - Ensure Userland Proxy is Disabled
[WARN] 2.17 - Ensure containers are restricted from acquiring new privileges

[WARN] 4.1 - Ensure a user for the container has been created
[WARN] * Running as root: vigorous_galileo
[WARN] 4.5 - Ensure Content trust for Docker is Enabled
[WARN] 4.6 - Ensure that HEALTHCHECK instructions have been added to container images
[WARN] * No Healthcheck found: [shantanuo/notebook:latest]
[WARN] * No Healthcheck found: [elasticsearch:7.3.1]
[WARN] * No Healthcheck found: [russmckendrick/ab:latest]
[WARN] * No Healthcheck found: [russmckendrick/nginx-php:latest]

[WARN] 5.1 - Ensure that, if applicable, an AppArmor Profile is enabled
[WARN] * No AppArmorProfile Found: vigorous_galileo
[WARN] 5.2 - Ensure that, if applicable, SELinux security options are set
[WARN] * No SecurityOptions Found: vigorous_galileo
[WARN] 5.10 - Ensure that the memory usage for containers is limited
[WARN] * Container running without memory restrictions: vigorous_galileo
[WARN] 5.11 - Ensure CPU priority is set appropriately on the container
[WARN] * Container running without CPU restrictions: vigorous_galileo
[WARN] 5.12 - Ensure that the container's root filesystem is mounted as read only
[WARN] * Container running with root FS mounted R/W: vigorous_galileo
[WARN] 5.13 - Ensure that incoming container traffic is bound to a specific host interface
[WARN] * Port being bound to wildcard IP: 0.0.0.0 in vigorous_galileo
[WARN] 5.14 - Ensure that the 'on-failure' container restart policy is set to '5'
[WARN] * MaximumRetryCount is not set to 5: vigorous_galileo
[WARN] 5.25 - Ensure that the container is restricted from acquiring additional privileges
[WARN] * Privileges not restricted: vigorous_galileo
[WARN] 5.26 - Ensure that container health is checked at runtime
[WARN] * Health check not set: vigorous_galileo
[WARN] 5.28 - Ensure that the PIDs cgroup limit is used
[WARN] * PIDs limit not set: vigorous_galileo

Best answer

In my case, Section 5 is necessary, because it depends on the application running on the container. I have been running a chat system (a memory-consuming application), a no-sql database with replicas (heavier disk read/write I/O), a parsing engine for reading the chat content (heavier CPU use), and I restrict the necessary access from other networks.

So overall it has helped a lot in isolating these 5 categories of containers.
It provides system-level isolation for containers.
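To make the Section 5 output above actionable, here is an added example (my own code, not part of the question, the answer, or the docker-bench-security project) that parses lines in the shape the script prints, groups the WARN results by section, lists which containers each Section 5 finding names, and maps each failed Section 5 check to the `docker run` flag that satisfies it. The flag names are real Docker CLI options; the values (512m, 127.0.0.1:8080, pids-limit 100, the curl health command) are illustrative choices, and the sample output embedded in the script is a constructed excerpt modelled on the question's log.

```python
"""Parse docker-bench-security output and map Section 5 warnings to docker run flags.

Added example; not part of the original question, answer, or docker-bench-security.
"""
import re
from collections import defaultdict

# Constructed sample, in the shape docker-bench-security prints its results.
SAMPLE_OUTPUT = """\
[WARN] 2.17 - Ensure containers are restricted from acquiring new privileges
[WARN] 5.10 - Ensure that the memory usage for containers is limited
[WARN] * Container running without memory restrictions: vigorous_galileo
[WARN] 5.12 - Ensure that the container's root filesystem is mounted as read only
[WARN] * Container running with root FS mounted R/W: vigorous_galileo
[WARN] 5.13 - Ensure that incoming container traffic is bound to a specific host interface
[WARN] * Port being bound to wildcard IP: 0.0.0.0 in vigorous_galileo
[WARN] 5.25 - Ensure that the container is restricted from acquiring additional privileges
[WARN] * Privileges not restricted: vigorous_galileo
[WARN] 5.28 - Ensure that the PIDs cgroup limit is used
[WARN] * PIDs limit not set: vigorous_galileo
[PASS] 5.3 - Ensure Linux Kernel Capabilities are restricted within containers
"""

# Section 5 check id -> docker run flag that makes the check pass.
# Flag names are real Docker CLI options; the values are illustrative (assumed).
REMEDIATION = {
    "5.10": "--memory=512m",
    "5.11": "--cpu-shares=512",
    "5.12": "--read-only",
    "5.13": "-p 127.0.0.1:8080:8080  (bind to one host interface instead of 0.0.0.0)",
    "5.14": "--restart=on-failure:5",
    "5.25": "--security-opt=no-new-privileges",
    "5.26": "--health-cmd='curl -f http://localhost:8080/ || exit 1'",
    "5.28": "--pids-limit=100",
}

# "[WARN] 5.10 - Ensure that ..." : a check header line
CHECK_RE = re.compile(
    r"^\[(?P<status>WARN|PASS|INFO|NOTE)\]\s+(?P<id>\d+\.\d+(?:\.\d+)?)\s+-\s+(?P<title>.+)$"
)
# "[WARN] * Container running without ...: name" : a detail line for the current check
DETAIL_RE = re.compile(r"^\[(?P<status>WARN|INFO)\]\s+\*\s+(?P<text>.+)$")


def subject_of(detail):
    """Pull the container or image name off the end of a detail line.

    The script ends detail lines with ": <name>" or "in <name>"; image names
    are wrapped in square brackets, which we strip.
    """
    m = re.search(r"(?::|\bin)\s+(\S+)$", detail)
    return m.group(1).strip("[]") if m else detail


def parse_bench_output(text):
    """Return {check_id: {"title", "status", "subjects": [names...]}}."""
    checks = {}
    current = None
    for line in text.splitlines():
        m = CHECK_RE.match(line)
        if m:
            current = m["id"]
            checks[current] = {"title": m["title"], "status": m["status"], "subjects": []}
            continue
        m = DETAIL_RE.match(line)
        if m and current is not None:
            checks[current]["subjects"].append(subject_of(m["text"]))
    return checks


def warnings_by_section(checks):
    """Group failed check ids by their top-level section number ("1", "2", "4", "5")."""
    by_section = defaultdict(list)
    for cid, c in checks.items():
        if c["status"] == "WARN":
            by_section[cid.split(".")[0]].append(cid)
    return dict(by_section)


def remediation_flags(checks):
    """docker run flags for every failed Section 5 check with a known fix."""
    return {cid: REMEDIATION[cid]
            for cid, c in checks.items()
            if c["status"] == "WARN" and cid in REMEDIATION}


def containers_needing_attention(checks):
    """Names mentioned by any failed Section 5 check, sorted and de-duplicated."""
    names = set()
    for cid, c in checks.items():
        if cid.startswith("5.") and c["status"] == "WARN":
            names.update(c["subjects"])
    return sorted(names)


if __name__ == "__main__":
    parsed = parse_bench_output(SAMPLE_OUTPUT)
    for section, ids in warnings_by_section(parsed).items():
        print(f"Section {section}: {len(ids)} warning(s): {', '.join(ids)}")
    print("Containers named by Section 5 findings:", containers_needing_attention(parsed))
    for cid, flag in remediation_flags(parsed).items():
        print(f"  {cid}: {flag}")
```

Feed it the real output with `sudo sh docker-bench-security.sh | python3 bench_parse.py` after replacing `SAMPLE_OUTPUT` with `sys.stdin.read()`; the remediation table only covers runtime flags, so Section 1, 2 and 4 findings (daemon configuration and image build choices) still need to be handled in `daemon.json` and the Dockerfile.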

Regarding "docker - Docker security check", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/57839099/
