Docker Security Analysis: Kernel Namespaces

Kernel Namespaces

Docker containers are very similar to LXC containers and provide the same security features. When you start a container with docker run, Docker creates a set of namespaces and control groups for that container behind the scenes.

The isolation provided by namespaces is the first and most straightforward form of security: a process running in a container cannot see, and even less affect, processes running in other containers or on the host.

Each container also gets its own network stack, which means a container does not get privileged access to the sockets or interfaces of another container. Of course, if the host is configured accordingly, containers can talk to each other through their respective network interfaces, just as they can talk to external hosts. When you publish ports for a container or use links, IP traffic is allowed between containers: they can ping each other, exchange UDP packets and establish TCP connections, though that can be restricted if necessary. From a network-architecture point of view, all containers on a given Docker host sit on a bridge interface, so they behave like physical machines plugged into a common Ethernet switch, no more and no less.
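The two paragraphs above describe namespace isolation in the abstract. A practical way to verify it on a host is to compare the namespace identities the kernel exposes under /proc/PID/ns: two processes share a namespace exactly when the symlink targets (e.g. net:[4026531840]) match. The script below is an added example written for this page, not Docker's own code; the function names and the EXPECTED_ISOLATED set are this example's assumptions. It compares a container's init process (its host-side PID, obtained with docker inspect -f '{{.State.Pid}}' CONTAINER, run as root on the host) against host PID 1 and reports which namespaces are not separated.

```python
import os
import sys

# Namespace types a modern Linux kernel exposes under /proc/<pid>/ns.
NS_TYPES = ("cgroup", "ipc", "mnt", "net", "pid", "time", "user", "uts")

# Namespaces a default "docker run" container is expected to have separate
# from the host. Note that "user" is deliberately absent: Docker shares the
# host user namespace unless userns-remap is configured, so UID 0 inside the
# container is UID 0 on the host. (Assumption for this example.)
EXPECTED_ISOLATED = {"ipc", "mnt", "net", "pid", "uts"}


def ns_ids(pid):
    """Return {ns_type: symlink target} for the namespaces <pid> lives in.

    Entries the running kernel does not expose (older kernels lack 'time'
    or 'cgroup') are skipped; an empty dict means /proc/<pid>/ns is not
    readable (non-Linux host, missing PID, or insufficient privilege).
    """
    base = "/proc/%s/ns" % pid
    ids = {}
    for name in NS_TYPES:
        try:
            ids[name] = os.readlink(os.path.join(base, name))
        except OSError:
            continue
    return ids


def namespace_diff(pid_a, pid_b):
    """Namespace types in which the two processes do NOT share a namespace."""
    a, b = ns_ids(pid_a), ns_ids(pid_b)
    return {n for n in a.keys() & b.keys() if a[n] != b[n]}


def missing_isolation(container_pid, host_pid=1):
    """Expected-isolated namespaces that the container still shares with the host.

    An empty set is the healthy result. Anything left over (for example
    'net' for a container started with --net=host, or 'pid' for --pid=host)
    is a namespace boundary the container does not have.
    """
    return EXPECTED_ISOLATED - namespace_diff(container_pid, host_pid)


def main(argv):
    if len(argv) != 2:
        print("usage: nscheck.py <container init PID on the host>")
        return 2
    pid = argv[1]
    for name, ident in sorted(ns_ids(pid).items()):
        host = ns_ids(1).get(name, "?")
        print("%-7s container=%-22s host=%-22s %s"
              % (name, ident, host, "shared" if ident == host else "separate"))
    leftover = missing_isolation(pid)
    print("missing isolation:", ", ".join(sorted(leftover)) or "none")
    return 1 if leftover else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run as root on the Docker host with the PID from docker inspect; the exit status is non-zero when any of the expected namespaces is shared. A container run with --net=host will show net as shared, which is exactly the loss of the separate network stack the text above relies on, and user will normally show as shared even for a default container, which is the caveat to keep in mind when reasoning about root inside a container.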

How mature is the code providing kernel namespaces and private networking? Kernel namespaces were introduced between kernel version 2.6.15 and 2.6.26. This means that since July 2008 (date of the 2.6.26 release, now 5 years ago), namespace code has been exercised and scrutinized on a large number of production systems. And there is more: the design and inspiration for the namespaces code are even older. Namespaces are actually an effort to reimplement the features of OpenVZ in such a way that they could be merged within the mainstream kernel. And OpenVZ was initially released in 2005, so both the design and the implementation are pretty mature.