Chris Binnie - Cloud Native Security


Cloud Native Security: summary, description and annotation


Explore the latest and most comprehensive guide to securing your Cloud Native technology stack.

Cloud Native Security begins with more accessible content about understanding Linux containers and container runtime protection before moving on to more advanced subject matter such as attacks on Kubernetes. You'll also learn about:

- Installing and configuring multiple types of DevSecOps tooling in CI/CD pipelines
- Building a forensic logging system that can provide exceptional levels of detail, suited to busy containerized estates
- Securing the most popular container orchestrator, Kubernetes
- Hardening cloud platforms and automating security enforcement in the cloud using sophisticated policies

Perfect for DevOps engineers, platform engineers, security professionals and students, Cloud Native Security will earn a place in the libraries of all professionals who wish to improve their understanding of modern security challenges.

Cloud Native Security: read the excerpt online


For rootless mode, however, the limitations are subtly different. Table 2.1 lists some of them.

Table 2.1: Rootless Mode Limitations and Restrictions

RESTRICTED FUNCTIONALITY | DESCRIPTION/WORKAROUND
Control groups | Known as cgroups, these are used to throttle containers to quotas for host resources such as CPU, I/O, and RAM, but they are not available in rootless mode with the Docker release used here (later releases support them only on cgroup v2 hosts managed by systemd).
AppArmor | On Ubuntu derivatives, or other OSs that use AppArmor, it is not possible to apply AppArmor's mandatory access controls to rootless containers.
Checkpoint | An experimental feature for snapshotting containers; checkpoints will not work in rootless mode: docs.docker.com/engine/reference/commandline/checkpoint.
Overlay v1 | The original overlay storage driver is not compatible. Use overlay2 instead: docs.docker.com/storage/storagedriver/overlayfs-driver.
Privileged ports | Sometimes known as root ports, privileged ports are any network ports below 1024, and for security reasons they can only be bound by the root user. It is possible to grant the capability to the rootlesskit binary with the setcap command (which itself must be run as root), but research the potentially unintended consequences before doing so: $ setcap cap_net_bind_service=ep $HOME/bin/rootlesskit. The alternative, lowering the net.ipv4.ip_unprivileged_port_start sysctl, affects every unprivileged process on the host.
Ping command | On some Linux distributions it may not be possible to use the ping command without adding net.ipv4.ping_group_range = 0 2147483647 to the file /etc/sysctl.conf.
Networking | You need to enter the correct namespace for the host to have visibility of the container's IP address, using nsenter (man7.org/linux/man-pages/man1/nsenter.1.html), and the same applies to the host's networking as per user namespaces. The --net=host option won't work without extra effort or conceding security trade-offs: in rootless mode the "host" network is the network namespace of rootlesskit, not the real host's.
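The following script is an added example, not code from the book or from Docker. It checks a host for the state of the workarounds in Table 2.1 before rootless mode is installed: whether port 80 is bindable without root, whether ping will work for your group, and whether the host runs cgroup v2. The sysctl paths under /proc, the rootlesskit install path and the two getcap output formats are assumptions about a Linux host with GNU libcap; the helper functions take their inputs as arguments so they can also be run against captured values.

```bash
#!/bin/sh
# Added example (not from the book): preflight for the rootless-mode
# restrictions in Table 2.1. Helpers take explicit arguments so they can be
# run on captured values; preflight() reads the live host (assumed Linux).

# 0 if an unprivileged process may bind PORT, given the host's
# net.ipv4.ip_unprivileged_port_start (1024 on a stock kernel).
port_bindable() {
    [ "$1" -ge "$2" ]
}

# 0 if a process with group id GID may send ICMP echo, given the host's
# net.ipv4.ping_group_range ("low high"; the kernel default "1 0" allows nobody).
ping_allowed() {
    gid=$1
    set -- $2            # word-split "low high" on space or tab
    [ "$gid" -ge "$1" ] && [ "$gid" -le "$2" ]
}

# 0 if a getcap(8) line grants cap_net_bind_service with both the effective
# and permitted bits, as the setcap command in Table 2.1 does. Accepts the
# older "path = cap_net_bind_service+ep" and the newer "path cap_net_bind_service=ep".
has_bind_cap() {
    flags=$(printf '%s\n' "$1" |
        sed -n 's/.*cap_net_bind_service[^+=]*[+=]\([eip]*\).*/\1/p')
    case "$flags" in *e*) ;; *) return 1 ;; esac
    case "$flags" in *p*) return 0 ;; *) return 1 ;; esac
}

# Read the live host and report which Table 2.1 workarounds are in place.
preflight() {
    start=$(cat /proc/sys/net/ipv4/ip_unprivileged_port_start 2>/dev/null || echo 1024)
    range=$(cat /proc/sys/net/ipv4/ping_group_range 2>/dev/null || echo "1 0")
    bin=${ROOTLESSKIT:-$HOME/bin/rootlesskit}   # assumed install path, see Listing 2.1

    if port_bindable 80 "$start"; then
        echo "ports <1024: bindable (ip_unprivileged_port_start=$start)"
    elif [ -x "$bin" ] && command -v getcap >/dev/null && has_bind_cap "$(getcap "$bin")"; then
        echo "ports <1024: bindable via cap_net_bind_service on $bin"
    else
        echo "ports <1024: NOT bindable; see the setcap/sysctl workaround in Table 2.1"
    fi

    if ping_allowed "$(id -g)" "$range"; then
        echo "ping: allowed (ping_group_range=$range)"
    else
        echo "ping: NOT allowed; add net.ipv4.ping_group_range = 0 2147483647 to /etc/sysctl.conf"
    fi

    # cgroups: rootless resource limits need the unified (v2) hierarchy plus systemd
    if [ -f /sys/fs/cgroup/cgroup.controllers ]; then
        echo "cgroups: v2 hierarchy present"
    else
        echo "cgroups: v1 host, container resource limits unavailable in rootless mode"
    fi
    return 0
}

preflight
```

Run it as the non-root user you intend to run Docker as; set ROOTLESSKIT if the binary lives somewhere other than $HOME/bin.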

The contents of Table 2.1 are not intended to put you off using rootless mode but instead give an insight into the lengths that the developers at Docker have had to go to in order to make this functionality a reality. There are unquestionably trade-offs, but that is almost always the case when security controls are introduced. You might have only one lock on the front door of your house, for example, but to be fully insurable your door probably needs two locks, which means paying for a second lock, fitting it, and carrying a second key with you when you have left the house.

Installing Rootless Mode

To get started we need to download the installation script supplied by Docker. It can be found at get.docker.com/rootless and, as with all online content, the script should be read through to check for any security implications that you do not want to be exposed to before applying it. Having read the comments at the top of the script, you should also diff its contents against the copy kept at github.com/docker/docker-install/blob/master/rootless-install.sh before running either (choose the Raw option for the displayed format on GitHub for easy copying):

$ diff -y get-docker.sh install.sh

This Docker functionality is being actively developed, so if you have trouble with one version of the installation script, try the other, which might be a more stable version.

It should go without saying at this juncture that we do not need to be the root user to run containers. As a result, at this stage we will become the chris user with this command (-u names the target user; without it, sudo -i would try to run "chris" as a command in root's login shell):

$ sudo -i -u chris

Clearly, you should alter the username to suit your own needs, potentially using your nonprivileged login user.

We will run the slightly more stable get.docker.com version of the script this way, saving it as install.sh (the -f flag makes curl fail on an HTTP error rather than saving an error page as the script):

$ curl -fsSL https://get.docker.com/rootless > install.sh

Now, make it executable and run the script:

$ chmod +x install.sh ; ./install.sh

After the short process is completed, you are greeted with Docker Engine client and server version information. The client, for example, is installed to match the server version:

Client: Docker Engine - Community
 Version:           19.03.12
 API version:       1.40
 Go version:        go1.13.10

In Listing 2.1 we can see the tail end of the installation script's output.

Listing 2.1: Rootless Mode Docker Has Installed and Is Offering the User Information

# Docker binaries are installed in /home/chris/bin
# WARN: dockerd is not in your current PATH or pointing to /home/chris/bin/dockerd
# Make sure the following environment variables are set (or add them to ~/.bashrc):
export PATH=/home/chris/bin:$PATH
export DOCKER_HOST=unix:///home/chris/rootless/docker.sock
#
# To control docker service run:
# systemctl --user (start|stop|restart) docker
#

Take a look at the post-install advice in Listing 2.1. The binaries have been installed within your user's home directory under the bin/ directory. You can confirm that they are there with an ls command.

The next thing to do is create three environment variables, as follows:

$ export XDG_RUNTIME_DIR=/home/$USER/rootless
$ export PATH=/home/$USER/bin:$PATH
$ export DOCKER_HOST=unix:///home/$USER/rootless/docker.sock

In these examples, for ease, $USER is used in place of chris.

Before running the next command, we will need a directory to store our running container content and configuration, so create one now from your home directory. You can choose a different directory name if you prefer, as long as XDG_RUNTIME_DIR and DOCKER_HOST point at it:

$ mkdir rootless

Now we can run this command to get rootless mode going, noting that we are using the preferred overlay2 storage driver:

$ bin/dockerd-rootless.sh --experimental --storage-driver overlay2

Listing 2.2 shows the end of the output, confirming that Docker Engine in rootless mode is listening on /home/chris/rootless/docker.sock.

Listing 2.2: Docker in Rootless Mode Has Run Successfully

WARN[2020-08-24T15:51:34.554236269+01:00] Not using native diff for overlay2, this may cause degraded performance for building images: failed to set opaque flag on middle layer: operation not permitted storage-driver=overlay2
INFO[2020-08-24T15:51:34.555462723+01:00] Docker daemon commit=48a66213fe graphdriver(s)=overlay2 version=19.03.12
INFO[2020-08-24T15:51:34.556309674+01:00] Daemon has completed initialization
INFO[2020-08-24T15:51:34.602091497+01:00] API listen on /home/chris/rootless/docker.sock

If you run the following command, you will see the processes running for Docker, as the less privileged user:

$ ps -ef | grep docker

Listing 2.3 shows the results.

Listing 2.3: Rootless Mode Docker Processes Running in the Background

chris 9286 9213 0 15:51 pts/0 00:00:00 rootlesskit --net=vpnkit --mtu=1500 --slirp4netns-sandbox=auto --slirp4netns-seccomp=auto --disable-host-loopback --port-driver=builtin --copy-up=/etc --copy-up=/run bin/dockerd-rootless.sh --experimental --storage-driver overlay2
chris 9295 9286 0 15:51 pts/0 00:00:00 /proc/self/exe --net=vpnkit --mtu=1500 --slirp4netns-sandbox=auto --slirp4netns-seccomp=auto --disable-host-loopback --port-driver=builtin --copy-up=/etc --copy-up=/run bin/dockerd-rootless.sh --experimental --storage-driver overlay2
chris 9325 9295 0 15:51 pts/0 00:00:04 dockerd --experimental --storage-driver overlay2
chris 9343 9325 0 15:51 ? 00:00:03 containerd --config /home/chris/rootless/docker/containerd/containerd.toml --log-level info
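As an added example that is not part of the book, the following script checks that what the installation steps above produced really is a rootless daemon: no Docker-related process owned by root, a socket owned by the user and not world-writable, and docker info reporting name=rootless among its security options. The ps column layout, the socket path derived from DOCKER_HOST and the use of GNU stat are assumptions about a Linux host; each check takes its input as an argument so it can be run against captured output such as Listing 2.3 as well as the live host.

```bash
#!/bin/sh
# Added example (not from the book): verify a freshly started rootless Docker.
# Each check takes its input as an argument; verify_live() gathers the inputs
# from the running host. Assumes Linux with GNU stat and procps ps.

# 0 if every Docker-related process in PS_OUTPUT is owned by USER.
# PS_OUTPUT is the text of `ps -eo user:20,pid,ppid,comm`; offenders go to stderr.
daemon_processes_unprivileged() {
    user=$1
    offenders=$(printf '%s\n' "$2" | awk -v u="$user" '
        $4 ~ /^(rootlesskit|dockerd|containerd|slirp4netns|vpnkit)/ && $1 != u { print }')
    [ -z "$offenders" ] || { printf 'not owned by %s:\n%s\n' "$user" "$offenders" >&2; return 1; }
}

# 0 if PATH is owned by USER and carries no write bit for "other".
# (The rootless socket lives under XDG_RUNTIME_DIR; a world-writable socket
# would hand the daemon to every local account.)
path_owned_and_not_world_writable() {
    owner=$(stat -c '%U' "$1" 2>/dev/null) || return 1
    mode=$(stat -c '%a' "$1")
    [ "$owner" = "$2" ] || return 1
    case "$mode" in *[2367]) return 1 ;; esac
    return 0
}

# 0 if the output of `docker info --format '{{.SecurityOptions}}'`
# lists name=rootless.
security_options_rootless() {
    case "$1" in *name=rootless*) return 0 ;; *) return 1 ;; esac
}

# Run all three checks against the live host; the exit status is the verdict.
verify_live() {
    me=$(id -un)
    sock=${DOCKER_HOST#unix://}        # e.g. /home/chris/rootless/docker.sock
    rc=0
    daemon_processes_unprivileged "$me" "$(ps -eo user:20,pid,ppid,comm)" || rc=1
    [ -S "$sock" ] && path_owned_and_not_world_writable "$sock" "$me" ||
        { echo "socket $sock: missing or badly permissioned" >&2; rc=1; }
    security_options_rootless "$(docker info --format '{{.SecurityOptions}}' 2>/dev/null)" ||
        { echo "docker info does not report name=rootless" >&2; rc=1; }
    return $rc
}

# Run the live checks only when invoked as: sh verify-rootless.sh --live
if [ "${1:-}" = "--live" ]; then
    verify_live && echo "rootless mode verified"
fi
```

Run it in the same shell in which the three environment variables were exported, since DOCKER_HOST is how it finds the socket; a root-owned dockerd in the process list means a packaged system daemon is also running and the client may be talking to that instead.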

To start a rootless mode container, we need to point the Docker client precisely at where the Docker socket file is located, which is what the DOCKER_HOST variable set earlier does. Within a second terminal, we will run the following commands to spawn a rootless Apache container:
