{"id":7860,"date":"2019-01-08T11:07:23","date_gmt":"2019-01-08T11:07:23","guid":{"rendered":"https:\/\/nsfocusglobal.com\/?p=7860"},"modified":"2019-01-08T11:07:23","modified_gmt":"2019-01-08T11:07:23","slug":"technical-report-container-security-iv-2","status":"publish","type":"post","link":"https:\/\/nsfocusglobal.com\/pt-br\/technical-report-container-security-iv-2\/","title":{"rendered":"Technical Report on Container Security (IV)-2"},"content":{"rendered":"<p><strong>Container Security Protection<\/strong> <strong>\u2013 Container Service Security<\/strong><\/p>\n<h2><strong>Container Service Security<\/strong><\/h2>\n<p>The security of the container management and orchestration service has a direct bearing on that of the container control plane. Take Docker for example: whether the Docker daemon is properly configured determines the security of Docker to some extent. It is recommended that the following settings be configured when starting the Docker daemon:<\/p>\n<h3><strong>(1) Restrict inter-container network traffic.<\/strong><\/h3>\n<p>By default, all traffic between containers on the same host is permitted. This is the so-called blacklist mechanism: everything is allowed unless users add access control rules to deny it. To restrict communication between containers on the same host, the whitelist mechanism can be employed instead by passing the command-line parameter <strong>--icc=false<\/strong> to the Docker daemon, which prohibits inter-container traffic by default; containers can then communicate with one another only after they are added to the whitelist. In addition, containers can be placed on a custom network to restrict their communication with containers on other networks.<\/p>\n<h3><strong>(2) Set up remote, centralized log management.<\/strong><\/h3>\n<p>Containers have a short lifecycle and their services change rapidly, so logs kept only inside a container are easily lost. 
To address this, logs can be sent to a remote, centralized platform for security analysis and forensics, for example by starting the daemon with <strong>docker --log-driver=syslog --log-opt syslog-address=tcp:\/\/192.xxx.xxx.xxx<\/strong>.<\/p>\n<h3><strong>(3) Allow Docker to modify iptables rules.<\/strong><\/h3>\n<p>The Docker daemon can automatically modify iptables rules as required by the user's network configuration. It is recommended that the daemon be allowed to keep the iptables configuration up to date by setting <strong>docker --iptables<\/strong> to <strong>true<\/strong>.<\/p>\n<h3><strong>(4) Do not use AUFS as the storage driver.<\/strong><\/h3>\n<p>The advanced multi-layered unification filesystem (AUFS) is a rather old storage driver for Linux and may trigger major issues such as kernel crashes. Many newer Linux kernel releases no longer support AUFS. Users can use the <strong>docker --storage-driver devicemapper<\/strong> command line to select the device mapper as the storage driver. By default, Docker on most platforms uses the device mapper as the storage driver, but this varies with the operating system; the preferable choice is the best storage driver supported by the operating system in use.<\/p>\n<h3><strong>(5) Use default cgroups.<\/strong><\/h3>\n<p>Docker controls container resources with cgroups, and the parent cgroup can be set on the command line with <strong>docker --cgroup-parent=\/foobar<\/strong>.<\/p>\n<p>Besides the preceding command line, another common way to configure the daemon is to modify the <strong>docker.service<\/strong> file, whose path is generally \/lib\/systemd\/system\/docker.service (the path may vary with Linux distributions). After the file is modified, the Docker daemon needs to be restarted for the cgroup setting to take effect.<\/p>\n<h3><strong>(6) Set ulimit at the Docker daemon level.<\/strong><\/h3>\n<p>ulimit is a built-in function of Linux. 
It contains a set of parameters for controlling the resources available to the shell or to processes started by it. Resource types supported by ulimit include the size of core files created, the size of process data segments, the size of files created by shell processes, the size of locked memory, the size of the resident memory set, the number of open file descriptors, the maximum size of the stack, CPU time, the maximum number of processes for a single user, and the maximum virtual memory available to shell processes. ulimit has two types of settings: hard and soft.<\/p>\n<p>Setting ulimits helps avoid problems caused by resource exhaustion, such as a fork bomb. Sometimes legitimate users and processes can also overuse system resources, leading to resource exhaustion. It is therefore necessary to control resource usage by setting default ulimits for the Docker service.<\/p>\n<h3><strong>(7) Use trusted repositories.<\/strong><\/h3>\n<p>By default, the Docker daemon allows images to be pushed to and pulled from only those repositories configured with trusted certificates. Allowing untrusted (insecure) repositories is not advisable unless the repository in question is built and run internally.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Container Security Protection \u2013 Container Service Security Container Service Security The security of the container management and orchestration service has a direct bearing on that of the container control plane. Take Docker for example. Whether the Docker daemon is properly configured determines the security of Docker to some extent. 
It is recommended that the following [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":7861,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","categories":[15],"tags":[152]}