

Docker deployment on Linux and vulnerability remediation

<h2>1. Installing Docker</h2> <ul> <li> <h4>Confirm the environment</h4> <p>Check the CPU architecture first so the package you download matches the host: <code>arch</code> <img src="http://60.191.64.5:16100/server/index.php?s=/api/attachment/visitFile/sign/e2b26a270246d8f7c290c8125a04e568" alt="" /></p> </li> <li> <h4>Download the package and install script</h4> <h4><a href="http://101.69.243.254:5010/share/h60Aktf7" title="Download Docker">Download Docker</a></h4> <p><img src="http://60.191.64.5:16100/server/index.php?s=/api/attachment/visitFile/sign/4143ea77dfe61405126554bfc71637ce" alt="" /></p> </li> <li> <h4>Automated installation</h4> <p><code>sh -x docker-install.sh</code> (<code>-x</code> echoes every command as it runs, so a failing step is visible in the output)</p> </li> <li> <h4>Check that the installation succeeded</h4> <p><code>systemctl status docker</code> should report the service as <code>active (running)</code> <img src="http://60.191.64.5:16100/server/index.php?s=/api/attachment/visitFile/sign/ec72918bca302a17dfc6034a3b1ad3d1" alt="" /></p> </li> </ul>
<h2>2. Docker security vulnerabilities</h2> <ul> <li> <h4>Docker unauthorized access</h4> <p><img src="http://60.191.64.5:16100/server/index.php?s=/api/attachment/visitFile/sign/231637a40b2310e4ce8abb383453a2c8" alt="" /> Fix:</p> <pre><code>Disable remote access on port 2375 and allow local access only:
vim /usr/lib/systemd/system/docker.service
Remove:  -H tcp://0.0.0.0:2375           this makes the daemon listen on a TCP port that any host can reach; remove it unless the daemon really must be shared
Keep:    -H unix:///var/run/docker.sock  this is the local Unix socket (add it if it is missing)
Then:    systemctl daemon-reload
         systemctl restart docker</code></pre> <p>An unauthenticated Docker API port is equivalent to root on the host (a caller can start a privileged container with the host filesystem mounted), so if remote access is genuinely required, expose it only with TLS client-certificate authentication (<code>--tlsverify</code> with <code>--tlscacert</code>, <code>--tlscert</code> and <code>--tlskey</code>, conventionally on port 2376) and restrict the port in the firewall. Verify with <code>ss -lntp | grep 2375</code>: nothing should be listening.</p> <p><img src="http://60.191.64.5:16100/server/index.php?s=/api/attachment/visitFile/sign/685aad2bdcdca5e779a11ef19dd6efb5" alt="" /></p> </li> <li> <h4>Audit Docker files and directories</h4> <p>If the audit service is not installed, see <a href="http://60.191.64.5:16100/web/#/5/223">http://60.191.64.5:16100/web/#/5/223</a> (item 6) <img src="http://60.191.64.5:16100/server/index.php?s=/api/attachment/visitFile/sign/c34ac58d653a9521f4723256390628ef" alt="" /> Fix: add the following lines to <code>/etc/audit/audit.rules</code> and <code>/etc/audit/rules.d/audit.rules</code> (on hosts where <code>augenrules</code> is enabled, <code>/etc/audit/audit.rules</code> is regenerated from <code>rules.d/</code> at every restart, so the <code>rules.d</code> copy is the one that must be right)</p> <pre><code class="language-shell">-w /var/lib/docker -k docker
-w /etc/docker -k docker
-w /usr/lib/systemd/system/docker.service -k docker
-w /usr/lib/systemd/system/docker.socket -k docker
-w /usr/bin/docker-containerd -k docker
-w /usr/bin/docker-runc -k docker</code></pre> <p>Then restart the audit daemon with <code>service auditd restart</code> (on RHEL/CentOS <code>systemctl restart auditd</code> is refused, which is why the <code>service</code> form is used) and list the loaded rules with <code>auditctl -l</code>; every line above should appear. Check that the watched paths exist on this host: newer Docker packages install the runtime binaries as <code>/usr/bin/containerd</code> and <code>/usr/bin/runc</code> rather than <code>docker-containerd</code>/<code>docker-runc</code> (<code>ls /usr/bin/*containerd* /usr/bin/*runc*</code> shows which names are present), and a watch on a binary that is not installed records nothing.</p> </li> <li> <h4>Restrict network traffic between containers</h4> <p><img src="http://60.191.64.5:16100/server/index.php?s=/api/attachment/visitFile/sign/282c5831ce32eabc8f7f9a92c1d62852" alt="" /> Fix: add <code>--icc=false</code> to the <code>dockerd</code> command on the <code>ExecStart=</code> line of <code>/etc/systemd/system/docker.service</code>. Edit whichever unit file is actually in effect (<code>systemctl cat docker</code> shows it; the unauthorized-access item above edits <code>/usr/lib/systemd/system/docker.service</code>, and a copy under <code>/etc/systemd/system/</code> takes precedence over it). <img src="http://60.191.64.5:16100/server/index.php?s=/api/attachment/visitFile/sign/b8958f3c37b57af5a46208b42b8f7255" alt="" /> Run <code>systemctl daemon-reload</code>, restart Docker and confirm the setting took effect with <code>docker network inspect bridge</code>: the option <code>com.docker.network.bridge.enable_icc</code> must be <code>false</code>. <img src="http://60.191.64.5:16100/server/index.php?s=/api/attachment/visitFile/sign/bba5fff5c6617f1621636af4c41174a7" alt="" /> Note that <code>--icc=false</code> only governs the default <code>bridge</code> network; containers placed on a user-defined network can still reach each other, so containers that must be isolated from one another belong on the default bridge or on separate networks.</p> </li> <li> <h4>Enable content trust for Docker</h4> <p><img src="http://60.191.64.5:16100/server/index.php?s=/api/attachment/visitFile/sign/1ac576abc4343521391dc717278f1e0f" alt="" /> Fix: add <code>export DOCKER_CONTENT_TRUST=1</code> to <code>/etc/profile</code> (0 = off, 1 = on; once enabled, <code>docker pull</code>, <code>run</code>, <code>create</code>, <code>build</code> and <code>push</code> refuse image tags that carry no signed trust data, so an unsigned image cannot be pulled and a container cannot be created from it). <code>/etc/profile</code> is read only by login shells: the variable takes effect in new login sessions (or after <code>source /etc/profile</code>), not for the Docker daemon itself, for <code>systemd</code> services or for cron jobs, and <code>--disable-content-trust</code> on the command line bypasses the check. Verify by running <code>docker pull</code> on an unsigned tag: it should fail with a trust-data error.</p> </li> </ul>
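The unauthorized-access and inter-container-traffic items above both come down to what is on the <code>dockerd</code> <code>ExecStart=</code> line. The script below is an added example, not part of the original page: it checks a unit file for an unauthenticated <code>tcp://</code> listener and for a missing <code>--icc=false</code>, and prints the hardened <code>ExecStart</code> line. The sample unit it writes is constructed for the demo (the real one is whatever <code>systemctl cat docker</code> shows); the function names are this example's own.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): audit a docker.service unit file
# for the two ExecStart problems the page fixes, an unauthenticated tcp://
# listener and inter-container traffic left enabled, and print the hardened line.

# Print the effective ExecStart= line of a unit file (systemd uses the last one).
exec_start_of() {
    grep '^ExecStart=' "$1" | tail -n 1
}

# Succeed (exit 0) when dockerd listens on tcp:// without --tlsverify, i.e.
# anyone who can reach the port gets unauthenticated, root-equivalent access.
has_unauthenticated_tcp() {
    local line
    line=$(exec_start_of "$1")
    printf '%s\n' "$line" | grep -Eq -e '(-H|--host)[= ]+tcp://' || return 1
    printf '%s\n' "$line" | grep -q -e '--tlsverify' && return 1
    return 0
}

# Succeed when --icc=false is present on the ExecStart line.
icc_disabled() {
    exec_start_of "$1" | grep -q -e '--icc=false'
}

# Print a hardened ExecStart line: drop every tcp:// listener, make sure a
# local unix:// (or systemd-provided fd://) socket remains, add --icc=false.
harden_exec_start() {
    local line
    line=$(exec_start_of "$1" |
        sed -E 's#[[:space:]]+(-H|--host)[= ]+tcp://[^[:space:]]+##g')
    case "$line" in
        *unix://*|*fd://*) ;;
        *) line="$line -H unix:///var/run/docker.sock" ;;
    esac
    case "$line" in
        *--icc=false*) ;;
        *) line="$line --icc=false" ;;
    esac
    printf '%s\n' "$line"
}

# Constructed sample: the vulnerable unit from the page (tcp://0.0.0.0:2375).
make_sample_unit() {
    cat > "$1" <<'EOF'
[Unit]
Description=Docker Application Container Engine
After=network-online.target docker.socket firewalld.service

[Service]
Type=notify
ExecStart=/usr/bin/dockerd -H tcp://0.0.0.0:2375 -H unix:///var/run/docker.sock
ExecReload=/bin/kill -s HUP $MAINPID

[Install]
WantedBy=multi-user.target
EOF
}

# Demo: report findings and the corrected line, then clean up.
unit=$(mktemp)
make_sample_unit "$unit"
if has_unauthenticated_tcp "$unit"; then
    echo "FAIL: dockerd listens on tcp:// without TLS client authentication"
fi
if ! icc_disabled "$unit"; then
    echo "FAIL: inter-container communication still enabled (--icc=false missing)"
fi
echo "Hardened line: $(harden_exec_start "$unit")"
rm -f "$unit"
```

To apply the result, replace the <code>ExecStart=</code> line in the unit file (or put it in a drop-in under <code>/etc/systemd/system/docker.service.d/</code>), then run <code>systemctl daemon-reload</code> and <code>systemctl restart docker</code>, and confirm with <code>ss -lntp</code> (no listener on 2375) and <code>docker network inspect bridge</code> (<code>enable_icc</code> is <code>false</code>). A line that already uses <code>--tlsverify</code> is reported as safe rather than stripped, because a TLS-authenticated listener is the page's accepted alternative when remote access is required.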

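The audit item lists watch rules for binary names that depend on the Docker version installed. As an added example (not from the original page), the script below generates the <code>-w PATH -k docker</code> rules only for the candidate paths that actually exist and reports which of them a rules file still lacks. The candidate list is the page's list plus names newer Docker packages install (<code>/usr/bin/dockerd</code>, <code>/usr/bin/containerd</code>, <code>/usr/bin/runc</code>, <code>/etc/docker/daemon.json</code>); those additions, the fake root directory and the function names are this example's assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): build the auditd watch rules
# from the "audit Docker files and directories" item for the paths present on
# the host, and report which watches an existing rules file still lacks.

# Paths worth watching, one per line: the page's list plus the names newer
# Docker packages use (assumed additions: dockerd, containerd, runc, daemon.json).
docker_audit_candidates() {
    printf '%s\n' \
        /var/lib/docker \
        /etc/docker \
        /etc/docker/daemon.json \
        /usr/lib/systemd/system/docker.service \
        /usr/lib/systemd/system/docker.socket \
        /usr/bin/dockerd \
        /usr/bin/docker-containerd \
        /usr/bin/docker-runc \
        /usr/bin/containerd \
        /usr/bin/runc
}

# Print "-w PATH -k docker" for every candidate that exists under root $1
# ("" means the real filesystem). Paths that are not installed are skipped:
# a watch on a binary that does not exist records nothing.
docker_audit_rules() {
    local root="${1:-}"
    docker_audit_candidates | while IFS= read -r p; do
        if [ -e "$root$p" ]; then
            printf '%s %s -k docker\n' -w "$p"
        fi
    done
}

# Print the candidates that exist under root $2 but have no "-w PATH" line in
# rules file $1. The match is exact on the second field, so /etc/docker does
# not satisfy a required watch on /etc/docker/daemon.json.
missing_docker_watches() {
    local rules="$1" root="${2:-}"
    docker_audit_rules "$root" | while IFS= read -r rule; do
        p=${rule#-w }
        p=${p% -k docker}
        if ! awk -v p="$p" '$1 == "-w" && $2 == p { found = 1 } END { exit !found }' "$rules"; then
            printf '%s\n' "$p"
        fi
    done
}

# Demo on a constructed fake root so it runs offline: only some of the
# candidate paths exist, and the rules file covers just two of them.
root=$(mktemp -d)
mkdir -p "$root/etc/docker" "$root/var/lib/docker" "$root/usr/bin"
touch "$root/usr/bin/dockerd" "$root/usr/bin/containerd" "$root/usr/bin/runc"
printf '%s\n' '-w /var/lib/docker -k docker' '-w /etc/docker -k docker' > "$root/audit.rules"
echo "Rules for this host:"
docker_audit_rules "$root"
echo "Still missing from $root/audit.rules:"
missing_docker_watches "$root/audit.rules" "$root"
rm -rf "$root"
```

On a real host run <code>docker_audit_rules</code> with no argument and append its output to <code>/etc/audit/rules.d/audit.rules</code>, then <code>service auditd restart</code> and compare <code>auditctl -l</code> against <code>missing_docker_watches /etc/audit/audit.rules</code>; an empty result means every installed Docker path is watched.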