• Docker Docker Daemon Json Configure

Dec 21, 2018 You can know about the configuration options that are available, by clicking on dockerd reference docs, I hope that the above information will resolve your query. Answered Dec 21, 2018 by Damon Salvatore. The daemon.json configuration sets the default for clients that support both the classic builder and BuildKit (such clients can still switch back to the old builder). I agree the docs should highlight that (in a comparison with compose v1), compose v2 will always use BuildKit. Oct 20, 2017 For daemon.json case, there isn't a command to list all the effective configuration for docker daemon, and I even don't know whether dockerd read the daemon.json I create, or which daemon.json it tried to read.

So in P3 of the Harden Docker with CIS series, I’ll continue with the hardening process of the Docker installation which we setup in the P1. We’ll start with the module two of the benchmark (CIS Docker Benchmark v1.2.0) i.e. Docker daemon configuration. There are seventeen items in total out of which one is “Not scored”, thus it will be not be entertained in detail in this post. In this port we’ll cover eight out of the total sixteen scored items, and the others will be covered in the next part. So let’s begin.

Not Scored

Scored

2.1 Ensure network traffic is restricted between containers on the default bridge

May 30, 2020 daemon.json is the file name which is being used to Configure Docker daemon. There are two ways to configure the Docker daemon: Use a JSON configuration file. This is the preferred option, since it keeps all configurations in a single place. Dec 14, 2020 tutorial. So in P3 of the Harden Docker with CIS series, I’ll continue with the hardening process of the Docker installation which we setup in the P1. We’ll start with the module two of the benchmark (CIS Docker Benchmark v1.2.0) i.e. Docker daemon configuration. There are seventeen items in total out of which one is “Not scored”, thus.

By default, all the containers in the default bridge can communicate with each other, without any restrictions. However this can be dangerous configuration if a malicious container is running on the default bridge as the other privileged containers. Thus, ensuring that “Inter container communication” (ICC) is turned off.

To verify if the ICC is turned off/on your Docker installation

As it is evident, in my Docker installation, ICC is turned on, thus containers can talk to each other, let’s see how this works.

As shown in the command line snippet above, we can ping, as well as curl the other container running nginx. Now let’s turn off ICC and try to do the same.

We can add our settings for the Docker daemon in the /etc/docker/daemon.json settings file, and then restart the Docker daemon with sudo systemctl restart docker and we can verify that if the settings took effect.

To turn off ICC, create daemon.json file it already doesn’t exist and then add the following content

After restarting the Docker daemon, let’s verify the settings.

So as ICC has been turned off, now let’s try and ping one container from the other.

NOTE: As we have restarted the Docker daemon, all the containers would have been stopped. So start all the containers (docker start $(docker ps -a -q)) before attempting anything.

So now after turning off ICC, containers can no longer communicate with each other.

2.2 Ensure the logging level is set to ‘info’

By default Docker daemon logging level is set to ‘info, however, we’ll be explicit and enable this setting in the /etc/docker/daemon,json file as well.

Add the following to change the logging level to ‘info’

2.3 Ensure Docker is allowed to make changes to iptables

Docker uses iptables to manage networking and other network related configurations, thus Docker daemon should be allowed to make changes to the iptables. By default, this setting is enabled, however, following the suit, we’ll be explicit.

2.4 Ensure insecure registries are not used

Insecure registries should not be used as they present a risk of traffic interception and modification. This can be mitigated using TLS communication, and ensuring that only secure registries are used to pull/push the images. By default Docker considers or looks for every registry to be trusted except the local one. The output of the following command should always only list one single registry i.e. local one.

If there are any registries other than the local one, then that registry should be removed.

2.5 Ensure aufs storage driver is not used

This is an obsolete setting, as these days only overlay2 is used for Docker images and containers. However, it is still important to know how to look for this setting.

This is the expected output, if there is anything except overlay2, it should be changed to any of the available ones except aufs such as devicemapper, btrfs, zfs, overlay, overlay2, and fuse-overlayfs

2.6 Ensure TLS authentication for Docker daemon is configured

To avoid confusion and to ensure best suggested practices, I haven’t delved deep into this topic. Docker‘s official documentation about the topic should serve the purpose and provide up to date information as to how to setup certificates for Docker daemon.

Reference: https://docs.docker.com/engine/security/https/

2.8 Enable user namespace support

The best way to prevent privilege-escalation attacks from within a container is to configure your container’s applications to run as unprivileged users. This can be achieved using user-namespace remapping in Docker. There are a few prerequisites to enable this feature for Docker daemon, else default options can also be used to achieve the same. We’ll use the default option and for detailed process and other intricacies official document can be followed.

Add the following line to the /etc/docker/daemon.json file to enable user namespace remapping.

This will create a default (dockremap user) mapping and will be utilized to run containers. We can verify if this mapping was created by running a container (docker run hello-world) and verifying the contents of the /var/lib/docker directory.

As it is evident, the files in the folder 231072.231072 is owned by the 231072 user thus limiting escalation attacks from within the containers.

There are a few limitation to this approach as well, and ways to exclude running containers from this mapping. This is particularly true for containers that need to run as root. This can be referred to in the official documentation.

2.9 Ensure the default cgroup usage has been confirmed

Cgroups can be utilized to ration a lot of resources within the host operating system. Thus ensuring that Docker containers are running under a specific cgroup is important. By default Docker utilizes /docker for cgroup driver and system.slice for systemd cgroup driver.

These settings can be changed, on container to container basis using --cgroup-parent flag while initiating a container, or can be changed globally by setting up the values in the /etc/docker/daemon.json file.

This completes the part 1 of our Docker daemon configuration section of the CIS Docker Benchmarks. We’ll continue with other controls in the next post.

If you have questions or need help setting things up, reach out to me @jtnydv

Docker Daemon tuning and JSON file configuration

技术标签： docker

The default Docker config works but there are some additional features which improves the overall experience with Docker. We will create a JSON config file with optimized options for the Docker Daemon, install bash completion for the Docker CLI commands with one line and increase security. But first things first.

Docker / Docker Compose installation

Please refer to the official Docker installation docs to install Docker on your specific system. To install Docker Compose, you can simply execute the following command which downloads Docker Compose 1.11 and makes it executable. Make sure you are root, otherwise you get a permission denied error. Docker Compose simplifies Mult-Container apps. It is a tool for defining and running Multi-Container Docker applications and maintains a logical definition of a distributed application. You can then deploy this stack to your Docker Swarm Cluster with docker stack deploy --compose-file=docker-compose.yml my_stack. But this is another great story.

Docker Daemon configuration

You can modify the Docker Daemon to improve overall performance and make it more robust. Especially the storage filesystem driver is a key component. We will use the overlay2 storage driver, which can be used with Linux kernel >= 4.0 and Docker >= 1.12. So make sure it is available on your system. There are some security features like user namespaces which should be enabled.

Let's activate our own configuration file by running this command.

Warning: Your current Docker configuration will be overwritten.

There is no way to move data from one storage to another, so all your Docker containers and images are not available anymore. You can delete everything before switching with the command docker system prune to save some disk space. This is optional of course and you may switch back, if you use your previous storage driver. Fasten your seatbelts and take off.

Create the file /etc/docker/daemon.json and put the following lines there. You find an excellent explanation of each configuration flag here. In short, we use the storage driver overlay2, enable JSON log files with logrotation and enable user namespaces. userns-remap uses UID and GID which is 1000 on my system. You can check these values for your user by executing the command id.

Docker CLI Bash completion

Do you know that Docker comes also with bash completion? This is really helpful. Make sure you are root, otherwise you get a permission denied error. The following command downloads the bash completion file for the current installed Docker version. You should also run this command after each Docker update.

The bash completion is also available for Docker Compose which makes things easier. The following command downloads the bash completion file for the current installed Docker Compose version. You should also run this command after each Docker Compose update.

Now it's time to restart the Docker service with sudo service docker restart (Ubuntu) and with docker info you should get this info. The bash completion will be available if you reopen your terminal. Let me know if you have other Docker config improvements.

Conclusion

This blog post has shown how to configure and optimize the Docker Daemon configuration. The Docker Daemon has now more performance due the overlay2 storage and is more robust due the user namespaces. The CLI bash completion for Docker and Docker Compose is very handy too.

智能推荐

写在前面 伪类经常与伪元素混淆，伪元素的效果类似于通过添加一个实际的元素才能达到，而伪类的效果类似于通过添加一个实际的类来达到。实际上css3为了区分两者，已经明确规定了伪类用一个冒号来表示，而伪元素则用两个冒号来表示。伪类与伪元素的本质区别就是是否抽象创造了新元素。具体的伪类和伪元素相关知识本文就不深入，下面介绍一下从青铜到王者10个css3伪类使用技巧和运用。直击案例代码 青铜-1、伪类实现盒...

wifi获取网关ip的方法 wifi获取网关ip是比较简单的，可以通过获取DhcpInfo来获取网关ip,而DhcpInfo可以通过Wifimanager来获取。 以太网获取网关ip 网上给的很多获取网关ip的方式，比如：EthernetManager和EthernetDevInfo来获取，具体的我在这里就不说了，因为默认sdk是没有提供的，引包会出问题。 这里换个角度给一种获取的方式： 1) 首...

默认情况下，MySQL只允许本地登录，如果要开启远程连接，则需要修改/etc/my.cnf文件 这样既支持ipv4也支持ipv6 允许远程登录 远程登录命令：...

Inflater英文意思是膨胀，在android中大概是扩展的意思吧。 LayoutInflater的作用类似于 findViewById(),不同点是LayoutInflater是用来找layout下xml布局文件，并且实例化！而findViewById()是找具体xml下的具体 widget控件(如:Button,TextView等)。 它的用法有2种： 另一种方法： 上面2种方法本质上是一样...

在平时的工作中，一个目录下可能有成千上百个文件，我们需要得到这些文件的文件名表格，下面一个简单的程序可以实现： ...

猜你喜欢

注：以下内容纯属虚构，请勿轻易当真！ 前言 C语言代码的编译通常可直接简单地利用编译指令来完成，但对于使用多源文件的工程而言，其工作是繁琐的，为了解决这个问题，将采用另一套编译机制，使用Makefile文件以其特定的规则来描述应用程序的编译过程，以简化编译，这需使用make指令，make是一条计算机指令，是在安装有GNU Make的计算机上的可执行指令。该指令是读入一个名为Makefile的文件，...

题目 1015 Reversible Primes (20 分) A reversible prime in any number system is a prime whose “reverse” in that number system is also a prime. For example in the decimal system 73 is a reversi...

指向对象的指针，怎么调用对象里面的函数： 指针名 -> 函数名； this 指针 隐含于类的每一个非静态成员函数中 指出成员函数所操作的对象 当通过一个对象调用成员函数的时候，系统先将该对象的地址赋给this指针，然后调用成员函数，成团函数对对象的数据成员进行操作的时候，就隐含的使用了this 指针 例如：Point 类的Get_x 函数中的语句： &...

Docker Docker Daemon Json Configure

六边形图片 类似圆形的图片，原理和圆形图片的差不多，这里关键怎么画六边形 废话不说直接上代码哈 是不是很简单呢？...