Install Docker
https://docs.docker.com/engine/install
Manage Docker as a non-root user
https://docs.docker.com/engine/install/linux-postinstall
Enable Linux user namespaces (userns-remap) for Docker
https://docs.docker.com/engine/security/userns-remap https://medium.com/@kasunmaduraeng/docker-namespace-and-cgroups-dece27c209c7
# Create a user called "dremap" (no home directory, no password, no login)
sudo adduser --no-create-home --disabled-password --disabled-login dremap
# Set up the subordinate UID/GID ranges. Check first: adduser may already
# have allocated a range for dremap
grep dremap /etc/subuid /etc/subgid
# Append (>>) rather than overwrite (>): other users' ranges may already live in these files
sudo sh -c 'echo dremap:400000:65536 >> /etc/subuid'
sudo sh -c 'echo dremap:400000:65536 >> /etc/subgid'
sudo vim /etc/docker/daemon.json
{
"userns-remap": "dremap"
}
# Restart Docker
sudo systemctl restart docker
# Test: output like the following means remapping works
docker run -d --rm ubuntu sleep 100
ps -ef|grep sleep
#out: 400000 4981 4961 2 14:40 ? 00:00:00 sleep 100
# Container root (UID 0) runs as host UID 400000, so a container escape lands as an
# unprivileged host user. dockerd keeps the remapped daemon's data under a separate
# root named <subuid start>.<subgid start>; bind-mounted host files must be readable
# by UIDs in this range
sudo ls /var/lib/docker/400000.400000
#out: buildkit containers engine-id image network overlay2 plugins runtimes swarm tmp volumes
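The remapping above is plain arithmetic over the subuid/subgid entries, and the easiest things to get wrong are the range bounds and overlapping ranges. The script below is an added example, not part of the Docker docs or the steps above: it resolves container IDs to host IDs, checks whether a host UID (such as the first column of ps -ef) falls inside dremap's range, derives the /var/lib/docker/<start>.<start> data root, and flags overlapping ranges. The SAMPLE_SUBUID and SAMPLE_SUBGID strings are constructed stand-ins for the real /etc/subuid and /etc/subgid.

```shell
#!/bin/sh
# Added example, not from the Docker docs: resolve container UIDs/GIDs to the
# host IDs that userns-remap assigns, and sanity-check /etc/subuid and
# /etc/subgid. Inputs are text in the real subuid/subgid layout
# (user:start:count); the samples below are constructed, not read from a host.
set -eu

# Constructed stand-ins for /etc/subuid and /etc/subgid after the steps above
# (a pre-existing entry for the "ubuntu" user plus the new dremap range).
SAMPLE_SUBUID='ubuntu:100000:65536
dremap:400000:65536'
SAMPLE_SUBGID='ubuntu:100000:65536
dremap:400000:65536'

# subid_range TEXT USER -> prints "start count" for USER's first entry; fails
# if USER has none (dockerd then refuses to start with userns-remap set).
subid_range() {
    printf '%s\n' "$1" | awk -F: -v u="$2" \
        '$1 == u { print $2, $3; found = 1; exit } END { exit !found }'
}

# map_id TEXT USER CONTAINER_ID -> prints the host ID that CONTAINER_ID maps
# to. Fails when CONTAINER_ID is outside the allocated range: such IDs have no
# host mapping, so files owned by them show up as nobody/nogroup (65534).
map_id() {
    range=$(subid_range "$1" "$2") || { echo "no sub-id entry for $2" >&2; return 1; }
    start=${range% *}
    count=${range#* }
    if [ "$3" -lt 0 ] || [ "$3" -ge "$count" ]; then
        echo "container id $3 outside 0..$((count - 1)) for $2" >&2
        return 1
    fi
    echo $((start + $3))
}

# in_range TEXT USER HOST_ID -> succeeds when HOST_ID (e.g. the UID column of
# ps -ef for a container process) lies inside USER's allocated range.
in_range() {
    range=$(subid_range "$1" "$2") || return 1
    start=${range% *}
    count=${range#* }
    [ "$3" -ge "$start" ] && [ "$3" -lt $((start + count)) ]
}

# data_root SUBUID_TEXT SUBGID_TEXT USER -> the per-remap data root dockerd
# creates, /var/lib/docker/<subuid start>.<subgid start>.
data_root() {
    echo "/var/lib/docker/$(map_id "$1" "$3" 0).$(map_id "$2" "$3" 0)"
}

# no_overlap TEXT -> fails and names the pair if any two ranges overlap.
# Overlapping ranges let one user's containers own another user's files.
no_overlap() {
    printf '%s\n' "$1" | sort -t: -k2,2n | awk -F: '
        NR > 1 && $2 < prev_end { print "overlap: " prev " / " $0; bad = 1 }
        { prev = $0; prev_end = $2 + $3 }
        END { exit bad }'
}

# Demo on the constructed sample (the real files are /etc/subuid and /etc/subgid).
map_id "$SAMPLE_SUBUID" dremap 0                       # 400000
map_id "$SAMPLE_SUBUID" dremap 1000                    # 401000
data_root "$SAMPLE_SUBUID" "$SAMPLE_SUBGID" dremap     # /var/lib/docker/400000.400000
no_overlap "$SAMPLE_SUBUID" && echo "subuid ranges do not overlap"
```

To run it against the live host, replace the samples with "$(cat /etc/subuid)" and "$(cat /etc/subgid)", and feed in_range the UID column of the ps -ef line from the test above.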
Install gVisor for sandbox isolation (optional)
https://gvisor.dev/docs/user_guide/install/
Install gVisor
(
set -e
ARCH=$(uname -m)
URL=https://storage.googleapis.com/gvisor/releases/release/latest/${ARCH}
wget ${URL}/runsc ${URL}/runsc.sha512 \
${URL}/containerd-shim-runsc-v1 ${URL}/containerd-shim-runsc-v1.sha512
sha512sum -c runsc.sha512 \
-c containerd-shim-runsc-v1.sha512
rm -f *.sha512
chmod a+rx runsc containerd-shim-runsc-v1
sudo mv runsc containerd-shim-runsc-v1 /usr/local/bin
)
Enable it for Docker
sudo /usr/local/bin/runsc install
sudo systemctl reload docker
docker run --rm --runtime=runsc hello-world
# If userns-remap is enabled on the daemon, this step needs --userns host,
# which runs that one container without ID remapping (gVisor is then its only isolation layer)
docker run --rm --userns host --runtime=runsc hello-world
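hello-world exiting cleanly only proves the runtime accepted the request; it does not show that the workload sits inside the sentry. The script below is an added example, not from the gVisor docs: it checks that runsc is registered with dockerd, then looks for the two signs of gVisor that are visible from inside a container, the gVisor boot banner that dmesg prints and the fixed kernel release 4.4.0 that uname -r reports. The parsing helpers take captured text so they can be tried offline on the constructed samples; live_check wires them to docker when it is installed, and takes --userns host as an argument for the remapped setup above.

```shell
#!/bin/sh
# Added example, not from the gVisor docs: confirm that a container really
# runs under gVisor. The parsing helpers take captured text as arguments so
# they can be exercised offline on the constructed samples; live_check wires
# them to docker when it is available.
set -eu

# Constructed sample of `docker info --format '{{json .Runtimes}}'` after
# `runsc install` registered the runtime.
SAMPLE_RUNTIMES='{"io.containerd.runc.v2":{"path":"runc"},"runc":{"path":"runc"},"runsc":{"path":"/usr/local/bin/runsc"}}'

# Constructed sample of `dmesg` inside a runsc container: the sentry answers
# the syslog call with its own boot banner instead of the host ring buffer.
SAMPLE_GVISOR_DMESG='[    0.000000] Starting gVisor...
[    0.123456] Checking naughty and nice process list...
[    0.234567] Ready!'
# Constructed sample for a plain runc container, which cannot read the host
# ring buffer under the default capability set.
SAMPLE_RUNC_DMESG='dmesg: read kernel buffer failed: Operation not permitted'

# runtime_path RUNTIMES_JSON NAME -> path registered for runtime NAME; fails
# (prints nothing) if it is not registered.
runtime_path() {
    p=$(printf '%s\n' "$1" | sed -n 's/.*"'"$2"'":{"path":"\([^"]*\)".*/\1/p')
    [ -n "$p" ] && echo "$p"
}

# sandboxed DMESG_TEXT -> succeeds only when gVisor's banner is present.
sandboxed() {
    printf '%s\n' "$1" | grep -q 'Starting gVisor'
}

# gvisor_release UNAME_R -> succeeds when the kernel release is the fixed
# 4.4.0 that gVisor reports, an independent second sign of the sentry.
gvisor_release() {
    [ "$1" = "4.4.0" ]
}

# live_check [EXTRA_DOCKER_ARGS] -> run the checks against a real container.
# Pass "--userns host" when userns-remap is on, as the note above says.
live_check() {
    extra=${1:-}
    if ! command -v docker >/dev/null 2>&1; then
        echo "docker not found; skipping live check" >&2
        return 0
    fi
    runtimes=$(docker info --format '{{json .Runtimes}}')
    runtime_path "$runtimes" runsc >/dev/null || {
        echo "runsc is not registered with dockerd; rerun 'runsc install' and reload" >&2
        return 1
    }
    # $extra is deliberately unquoted so "--userns host" splits into two words
    out=$(docker run --rm $extra --runtime=runsc alpine sh -c 'dmesg; uname -r' 2>&1) || true
    rel=$(printf '%s\n' "$out" | tail -n 1)
    if sandboxed "$out" && gvisor_release "$rel"; then
        echo "sandboxed: gVisor banner present, kernel release $rel"
    else
        echo "NOT sandboxed: container output follows" >&2
        printf '%s\n' "$out" >&2
        return 1
    fi
}

# Demo on the constructed samples.
runtime_path "$SAMPLE_RUNTIMES" runsc                  # /usr/local/bin/runsc
sandboxed "$SAMPLE_GVISOR_DMESG" && echo "sample 1: sandboxed"
sandboxed "$SAMPLE_RUNC_DMESG" || echo "sample 2: not sandboxed"
```

On a host with the runtime installed, live_check (or live_check "--userns host" with remapping on) pulls alpine and reports which of the two signs it found; a missing banner with a host-looking kernel release means the container silently fell back to runc.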
Disable network isolation
By default runsc routes the container's traffic through gVisor's own user-space network stack (netstack), which in this setup prevented different containers from talking to each other. Adding --network=host to the runtime's runtimeArgs in /etc/docker/daemon.json makes runsc use the host kernel's network stack (hostinet) instead. Be clear about the trade: the application's socket calls then reach the host kernel's networking code directly, so the network stack is no longer part of the sandbox, although the container keeps its own network namespace. Merge the "runtimes" block into the existing daemon.json (keep the userns-remap key if you set it above):
{
"runtimes": {
"runsc": {
"path": "/usr/local/bin/runsc",
"runtimeArgs": [
"--network=host"
]
}
}
}
sudo systemctl reload docker
Configure a proxy for the daemon
As of 2024-07, Docker Hub can no longer be reached from mainland China, so dockerd needs a proxy.
Create the systemd drop-in directory for dockerd; settings in files under it override the unit's defaults:
sudo mkdir -p /etc/systemd/system/docker.service.d
Create /etc/systemd/system/docker.service.d/http-proxy.conf holding the environment variables. The file lives under /etc, so write it as root; a plain cat > redirection runs as your own user and fails:
sudo tee /etc/systemd/system/docker.service.d/http-proxy.conf >/dev/null <<EOF
[Service]
Environment="HTTP_PROXY=http://proxy.example.com:80"
Environment="HTTPS_PROXY=https://proxy.example.com:443"
Environment="NO_PROXY=your-registry.com,10.10.10.10,*.example.com"
EOF
Keep any internal registry or mirror in NO_PROXY, otherwise pulls from it are sent through the proxy too. On Docker Engine 23.0 and later the same settings can instead go under the "proxies" key of /etc/docker/daemon.json. If the proxy URL carries credentials, note that unit files and systemctl show output are readable by every local user.
Reload the unit files and restart dockerd:
sudo systemctl daemon-reload
sudo systemctl restart docker
Check that the environment variables were picked up:
sudo systemctl show --property=Environment docker
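The systemctl show line tells you the variables exist, not whether they say what you meant, and the usual failure after this step is a private registry that quietly starts going through the proxy because NO_PROXY does not cover it. The script below is an added example, not from the Docker docs: it renders the drop-in, reads the daemon's effective environment back out of systemctl show output, and decides whether a given host bypasses the proxy. The NO_PROXY matching follows the rules of Go's net/http proxy handling that dockerd uses, as I understand them: a bare name matches itself and its subdomains, a leading "." or "*." matches subdomains only, a lone "*" matches everything; CIDR entries are not handled by this helper. SAMPLE_SHOW is constructed systemctl show output; install_proxy_dropin is the root-only wrapper that writes the file and verifies it.

```shell
#!/bin/sh
# Added example, not from the Docker docs: render the systemd drop-in, read
# back what dockerd actually got from `systemctl show`, and check whether a
# registry host is excluded by NO_PROXY. The NO_PROXY rules mirror Go's
# net/http proxy handling that dockerd uses as I understand them: a bare name
# matches itself and its subdomains, a leading "." or "*." matches subdomains
# only, "*" matches everything; CIDR entries are not handled by this helper.
set -eu

# Constructed sample of `systemctl show --property=Environment docker` after
# the drop-in from the steps above is loaded.
SAMPLE_SHOW='Environment=HTTP_PROXY=http://proxy.example.com:80 HTTPS_PROXY=https://proxy.example.com:443 NO_PROXY=your-registry.com,10.10.10.10,*.example.com'

# render_proxy_dropin HTTP_PROXY HTTPS_PROXY NO_PROXY -> drop-in text on stdout.
render_proxy_dropin() {
    printf '[Service]\n'
    printf 'Environment="HTTP_PROXY=%s"\n' "$1"
    printf 'Environment="HTTPS_PROXY=%s"\n' "$2"
    printf 'Environment="NO_PROXY=%s"\n' "$3"
}

# show_env SHOW_OUTPUT NAME -> value of NAME from the Environment= line
# (proxy values never contain blanks, so splitting on blanks is safe here).
show_env() {
    printf '%s\n' "$1" | sed -n 's/^Environment=//p' | tr ' ' '\n' | sed -n "s/^$2=//p"
}

# no_proxy_covers NO_PROXY_LIST HOST -> succeeds if HOST bypasses the proxy.
# Entries are expected without surrounding blanks, as in the drop-in above.
no_proxy_covers() {
    host=$2
    old_ifs=$IFS; IFS=,
    set -f                     # no globbing: "*" and "*.example.com" are entries, not patterns
    set -- $1
    set +f; IFS=$old_ifs
    for entry in "$@"; do
        case $entry in
            '')    continue ;;
            '*')   return 0 ;;                 # a lone * disables the proxy entirely
            '*.'*) suffix=${entry#\*} ;;       # *.example.com -> .example.com
            .*)    suffix=$entry ;;
            *)     [ "$host" = "$entry" ] && return 0
                   suffix=".$entry" ;;         # bare name also covers its subdomains
        esac
        case $host in
            *"$suffix") return 0 ;;
        esac
    done
    return 1
}

# install_proxy_dropin HTTP_PROXY HTTPS_PROXY NO_PROXY REGISTRY -> write the
# drop-in (run as root), restart dockerd and verify the daemon's environment.
install_proxy_dropin() {
    dir=/etc/systemd/system/docker.service.d
    mkdir -p "$dir"
    render_proxy_dropin "$1" "$2" "$3" > "$dir/http-proxy.conf"
    chmod 0600 "$dir/http-proxy.conf"      # keep proxy credentials, if any, off the world-readable default
    systemctl daemon-reload
    systemctl restart docker
    shown=$(systemctl show --property=Environment docker)
    [ "$(show_env "$shown" HTTPS_PROXY)" = "$2" ] || { echo "HTTPS_PROXY not applied" >&2; return 1; }
    no_proxy_covers "$(show_env "$shown" NO_PROXY)" "$4" \
        || { echo "warning: pulls from $4 will go through the proxy" >&2; return 1; }
    echo "proxy configured; $4 bypasses it"
}

# Demo on the constructed sample (no root needed).
show_env "$SAMPLE_SHOW" NO_PROXY                          # your-registry.com,10.10.10.10,*.example.com
no_proxy_covers "$(show_env "$SAMPLE_SHOW" NO_PROXY)" foo.example.com && echo "foo.example.com: direct"
no_proxy_covers "$(show_env "$SAMPLE_SHOW" NO_PROXY)" registry-1.docker.io || echo "registry-1.docker.io: via proxy"
```

Note that with the sample list, example.com itself is not covered (the "*." form matches subdomains only) while mirror.your-registry.com is (a bare name covers its subdomains); if the daemon needs to reach both an apex domain and its subdomains directly, list the bare name.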