内容简介:本文风哥教程参考Linux官方文档、Red Hat Enterprise Linux官方文档、Ansible Automation Platform官方文档、Docker官方文档、Kubernetes官方文档和Podman官方文档等内容,详细介绍了相关技术的配置和使用方法。
本
风哥提示:
文档介绍Docker的安全配置和加固方法。
Part01-Docker安全概述
1.1 安全风险
[root@docker ~]# cat > /root/docker-security.txt << 'EOF' Docker安全风险 ============= 1. 镜像安全 - 镜像漏洞 - 恶意镜像 - 过时软件包 2.更多视频教程www.fgedu.net.cn 容器安全 - 特权容器 - 资源滥用 - 逃逸攻击 3. 网络安全 - 端口暴露 - 网络隔离 - 流量劫持 4. 存储安全 - 数据泄露 - 权限问题 - 数据持久化 5. 运行时安全 - API暴露 - 日志敏感信息 - 配置错误 EOF
Part02-Docker守护进程安全
2.1 守护进程配置
[root@docker ~]# cat > /etc/docker/daemon.json << 'EOF' { "icc": false, "live-restore": true, "userland-proxy": false, "no-new-privileges": true, "default-ulimits": { "nofile": { "Name": "nofile", "Hard": 65535, "Soft": 65535 } }, "log-driver": "json-file", "log-opts": { "max-size": "100m", "max-file": "5" }, "storage-driver": "overlay2", "exec-opts": ["native.cgroupdriver=systemd"], "bip": "172.17.0.1/16", "registry-mirrors": [ "https://registry.fgedu.net.cn" ], "insecure-registries": [], "tls": true, "tlscert": "/etc/docker/cert/server-cert.pem", "tlskey": "/etc/docker/cert/server-key.pem", "tlsverify": true } EOF # 重启Docker服务 [root@docker ~]# systemctl restart docker # 配置客户端证书认证 [root@docker ~]# mkdir -p ~/.docker [root@docker ~]# cat > ~/.docker/config.json << 'EOF' { "tls": true, "tlscert": "/root/.docker/cert.pem", "tlskey": "/root/.docker/key.pem", "tlsverify": true } EOF
Part03-容器安全加固
3.1 容器安全选项
[root@docker ~]# docker run -d –name fgedu-web \
–user 1000:1000 \
nginx:latest
abc123def456789012345678901234567890123456789012345678901234
# 限制容器能力
[root@docker ~]# docker run -d –name fgedu-app \
–cap-drop ALL \
–cap-add NET_BIND_SERVICE \
nginx:latest
def456789012345678901234567890123456789012345678901234
# 禁止特权提升
[root@docker ~]# docker run -d –name fgedu-db \
–security-opt no-new-privileges \
mysql:8.0
abc123def456789012345678901234567890123456789012345678901234
# 配置资源限制
[root@docker ~]# docker run -d –name fgedu-api \
–memory=”2g” \
–memory-swap=”2g” \
–memory-reservation=”1g” \
–cpus=”2″ \
–cpu-shares=1024 \
–pids-limit=100 \
nginx:latest
def456789012345678901234567890123456789012345678901234
# 只读根文件系统
[root@docker ~]# docker run -d –name fgedu-static \
–read-only \
–tmpfs /tmp \
–tmpfs /var/run \
nginx:latest
abc123def456789012345678901234567890123456789012345678901234
# 使用安全配置文件
[root@docker ~]# docker run -d –name fgedu-secure \
–security-opt seccomp=seccomp-profile.json \
–security-opt apparmor=docker-default \
nginx:latest
def456789012345678901234567890123456789012345678901234
# 查看容器安全配置
[root@docker ~]# docker inspect fgedu-web | grep -A 20 “HostConfig”
“HostConfig”: {
“Binds”: null,
“ContainerIDFile”: “”,
“LogConfig”: {
“Type”: “json-file”,
“Config”: {}
},
“NetworkMode”: “default”,
“PortBindings”: {},
“RestartPolicy”: {
“Name”: “no”,
“MaximumRetryCount”: 0
},
“AutoRemove”: false,
“VolumeDriver”: “”,
“VolumesFrom”: null,
“CapAdd”: null,
“CapDrop”: [
“ALL”
],
“CgroupnsMode”: “host”,
“Dns”: [],
“DnsOptions”: [],
“DnsSearch”: [],
“ExtraHosts”: null,
“GroupAdd”: null,
“IpcMode”: “private”,
“Cgroup”: “”,
“Links”: null,
“OomScoreAdj”: 0,
“PidMode”: “”,
“Privileged”: false,
“PublishAllPorts”: false,
“ReadonlyRootfs”: true,
“SecurityOpt”: [
“no-new-privileges”
]
}
Part04-镜像安全扫描
4.1 使用Trivy扫描
[root@docker ~]# rpm -ivh https://github.com/aquasecurity/trivy/releases/download/v0.47.0/trivy_0.47.0_Linux-64bit.rpm
# 扫描镜像
[root@docker ~]# trivy image nginx:latest
2026-04-04T06:00:00.000+0800 INFO Vulnerability scanning is enabled
2026-04-04T06:00:00.000+0800 INFO Secret scanning is enabled
2026-04-04T06:00:00.000+0800 INFO If your scanning is slow, please try ‘–scanners vuln’ to disable secret scanning
2026-04-04T06:00:00.000+0800 INFO Please see also https://aquasecurity.github.io/trivy/v0.47/docs/scanner/secret/#recommendation for faster secret detection
2026-04-04T06:00:00.000+0800 INFO Number of language-specific files: 0
nginx:latest (debian 12.2)
==========================
Total: 15 (UNKNOWN: 0, LOW: 5, MEDIUM: 8, HIGH: 2, CRITICAL: 0)
┌──────────────┬────────────────┬──────────┬───────────────────┬───────────────┐
│ Library │ Vulnerability │ Severity │ Installed Version │ Fixed Version │
├──────────────┼────────────────┼──────────┼───────────────────┼───────────────┤
│ openssl │ CVE-2023-5678 │ HIGH │ 3.0.11-1 │ 3.0.12-1 │
├──────────────┼────────────────┼──────────┼───────────────────┼───────────────┤
│ libexpat1 │ CVE-2023-1234 │ MEDIUM │ 2.5.0-1 │ 2.5.0-2 │
├──────────────┼────────────────┼──────────┼───────────────────┼───────────────┤
│ libxml2 │ CVE-2023-2345 │ MEDIUM │ 2.10.3-1 │ 2.10.3-2 │
└──────────────┴────────────────┴──────────┴───────────────────from PG视频:www.itpux.com┴───────────────┘
# 扫描并输出JSON报告
[root@docker ~]# trivy image -f json -o nginx-scan.json nginx:latest
# 只扫描高危和严重漏洞
[root@docker ~]# trivy image –severity HIGH,CRITICAL nginx:latest
- 以非root用户运行容器
- 限制容器能力
- 配置资源限制
- 定期扫描镜像漏洞
- 使用只读文件系统
- 启用内容信任
本文由风哥教程整理发布,仅用于学习测试使用,转载注明出处:http://www.fgedu.net.cn/10327.html
