2. EMC CONFIDENTIAL—INTERNAL USE ONLY
$ uname -a
> No ops introduction
> No codes
> No Docker network (next time?)
> No Docker storage (Dockerone, Vivian)
> One target: what is Docker?
> StarII program. Thanks for being here.
3. $ ls -al ./
> $ man Docker
> $ man cgroup
> $ man namespaces
> User namespaces?
> Secure your Docker
> $ man UnionFS
> $ man docker-layer
10. $ man cgroup
• Limit, account, and isolate resource usage (CPU, memory, disk I/O, and more) of process groups:
– Resource limiting: groups can be set to not exceed a set memory limit;
– Prioritization: some groups may get a larger share of CPU or disk I/O throughput;
– Accounting: to measure how much resource certain systems use;
– Control: freezing groups or checkpoint and restart
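The resource-limiting bullet is easy to state and easy to forget to verify: a container that was started without limits sits in a cgroup whose limit files say "max". The following added example (not code from the deck) reads the cgroup v2 interface files memory.max, cpu.max and pids.max and reports which limits are absent. cgroup v1, which Docker used when these slides were written, exposes the same idea through differently named files (e.g. memory.limit_in_bytes), so the file names here are a cgroup v2 assumption; the two sample cgroups are constructed, modelled on a container started with no limits and one started with --memory=256m --cpus=0.5 --pids-limit=100.

```python
"""Does a cgroup actually bound the processes inside it? (added example)

Reads the cgroup v2 interface files memory.max, cpu.max and pids.max and
reports which limits are absent. Assumes the cgroup v2 file names.
"""
from __future__ import annotations

import os

LIMIT_FILES = ("memory.max", "cpu.max", "pids.max")


def parse_memory_max(text: str) -> int | None:
    """'max' means unlimited; otherwise the limit is a byte count."""
    value = text.strip()
    return None if value == "max" else int(value)


def parse_cpu_max(text: str) -> float | None:
    """cpu.max holds '$QUOTA $PERIOD' in microseconds; a quota of 'max' is
    unlimited. Returns how many CPUs' worth of time the group may use."""
    quota, period = text.split()
    return None if quota == "max" else int(quota) / int(period)


def parse_pids_max(text: str) -> int | None:
    """'max' means no cap on the number of processes in the group."""
    value = text.strip()
    return None if value == "max" else int(value)


def audit_limits(files: dict[str, str]) -> dict:
    """Summarise the limits held in a {filename: file contents} mapping."""
    memory = parse_memory_max(files["memory.max"])
    cpu = parse_cpu_max(files["cpu.max"])
    pids = parse_pids_max(files["pids.max"])
    unlimited = [name for name, value in
                 (("memory.max", memory), ("cpu.max", cpu), ("pids.max", pids))
                 if value is None]
    return {"memory_bytes": memory, "cpu_cores": cpu, "pids": pids, "unlimited": unlimited}


def audit_cgroup_dir(path: str) -> dict:
    """Read the interface files of one cgroup v2 directory, for example
    /sys/fs/cgroup/system.slice/docker-<id>.scope (Linux with cgroup v2 only)."""
    files = {}
    for name in LIMIT_FILES:
        with open(os.path.join(path, name)) as fh:
            files[name] = fh.read()
    return audit_limits(files)


# Constructed samples: a container started with no limits, and one started
# with --memory=256m --cpus=0.5 --pids-limit=100.
UNLIMITED_CGROUP = {"memory.max": "max\n", "cpu.max": "max 100000\n", "pids.max": "max\n"}
LIMITED_CGROUP = {"memory.max": "268435456\n", "cpu.max": "50000 100000\n", "pids.max": "100\n"}

if __name__ == "__main__":
    for label, files in (("unlimited", UNLIMITED_CGROUP), ("limited", LIMITED_CGROUP)):
        print(label, audit_limits(files))
```

Run against a real container by pointing audit_cgroup_dir at the container's scope directory; an "unlimited" list that is not empty means the group is isolated and accounted for, but not actually limited.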
15. $ man namespaces
• UTS: isolate node-name and domain-name—returned by the uname() system call
• Network: provide isolation of the system resources associated with networking, including own network devices, IP addresses, IP routing tables, /proc/net directory, port numbers, and so on.
• PID: isolate the process ID number space.
• Mount: isolate the set of filesystem mount points seen by a group of processes. Thus, processes in different mount namespaces can have different views of the filesystem hierarchy.
• IPC: isolate certain inter-process communication (IPC) resources, namely, System V IPC objects and POSIX message queues.
• User: isolate the user and group ID number spaces. In other words, a process's user and group IDs can be different inside and outside a user namespace.
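The kernel exposes namespace membership as symlinks under /proc/<pid>/ns/: two processes are in the same namespace of a given kind exactly when the links point at the same inode. The following added example (not code from the deck) turns that into a check of which namespaces a container shares with the host, which is how options such as --net=host, --pid=host, or running without user-namespace remapping show up in practice. The inode numbers in the two sample link sets are constructed; read_ns_links collects real ones on Linux.

```python
"""Which Linux namespaces does one process share with another? (added example)

Compares the inodes behind /proc/<pid>/ns/* symlinks. A container started with
--net=host, or without user-namespace remapping, shows up as a shared
namespace of that kind.
"""
from __future__ import annotations

import os

# Namespace kinds from the slide, named as they appear under /proc/<pid>/ns/.
NAMESPACE_KINDS = ("uts", "net", "pid", "mnt", "ipc", "user")


def parse_ns_link(link_target: str) -> tuple[str, int]:
    """Parse a symlink target such as 'uts:[4026531838]' into (kind, inode)."""
    kind, sep, rest = link_target.partition(":[")
    if not sep or not rest.endswith("]"):
        raise ValueError(f"unexpected namespace link: {link_target!r}")
    return kind, int(rest[:-1])


def read_ns_links(pid: int | str = "self") -> dict[str, str]:
    """Collect the raw symlink targets of one process (Linux only; you need
    permission to inspect that pid)."""
    base = f"/proc/{pid}/ns"
    return {kind: os.readlink(os.path.join(base, kind)) for kind in NAMESPACE_KINDS}


def shared_namespaces(links_a: dict[str, str], links_b: dict[str, str]) -> dict[str, bool]:
    """Map each namespace kind present in both inputs to True (same namespace)
    or False (isolated)."""
    result: dict[str, bool] = {}
    for kind in NAMESPACE_KINDS:
        if kind in links_a and kind in links_b:
            result[kind] = parse_ns_link(links_a[kind])[1] == parse_ns_link(links_b[kind])[1]
    return result


def isolation_gaps(links_host: dict[str, str], links_container: dict[str, str]) -> list[str]:
    """Namespace kinds the container shares with the host, sorted by name."""
    return sorted(kind for kind, shared in shared_namespaces(links_host, links_container).items() if shared)


# Constructed sample values (inode numbers are made up): a host process and a
# container run with --net=host and without user-namespace remapping.
HOST_LINKS = {
    "uts": "uts:[4026531838]", "net": "net:[4026531992]", "pid": "pid:[4026531836]",
    "mnt": "mnt:[4026531840]", "ipc": "ipc:[4026531839]", "user": "user:[4026531837]",
}
CONTAINER_LINKS = {
    "uts": "uts:[4026532201]", "net": "net:[4026531992]", "pid": "pid:[4026532204]",
    "mnt": "mnt:[4026532199]", "ipc": "ipc:[4026532202]", "user": "user:[4026531837]",
}

if __name__ == "__main__":
    print("shared with host:", isolation_gaps(HOST_LINKS, CONTAINER_LINKS))  # ['net', 'user']
    # Live check of the current process against PID 1 on a Linux host:
    # print(isolation_gaps(read_ns_links(1), read_ns_links()))
```

A shared "user" entry is the normal result for a Docker host that has not enabled user-namespace remapping, which is exactly the question the deck's outline raises under "User namespaces?".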
23. Secure your Docker
• No “--privileged=true”
• GID_Mapping/UID_Mapping with LXC driver;
• SELinux or AppArmor
• Libseccomp
• Capabilities
• ...
See: https://github.com/GDSSecurity/Docker-Secure-Deployment-Guidelines
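Two of the bullets above, "No --privileged=true" and "Capabilities", can be checked on a running container from the CapEff line of /proc/<pid>/status, which is the effective capability set as a hex bitmask. The following added example (not code from the deck or from the linked guidelines) decodes that mask with the bit numbers from <linux/capability.h> and diffs it against Docker's documented default capability set; that default list is taken from the Docker run reference of the era and is an assumption here, since newer releases have trimmed it (NET_RAW, for instance). The two status excerpts are constructed.

```python
"""Decode a process's CapEff mask and compare it with Docker's default set
(added example).

A --privileged container carries every capability, so the difference from the
default set is the quickest way to spot it, or any --cap-add, from inside the
container or from the host's /proc.
"""
from __future__ import annotations

# Capability numbers from <linux/capability.h>; list index == bit position.
CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
    "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
    "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ", "CAP_PERFMON", "CAP_BPF",
    "CAP_CHECKPOINT_RESTORE",
]

# Assumption: Docker's documented default set (Docker run reference of the
# time); newer releases drop some entries such as CAP_NET_RAW.
DOCKER_DEFAULT_CAPS = frozenset({
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_FSETID", "CAP_FOWNER", "CAP_MKNOD",
    "CAP_NET_RAW", "CAP_SETGID", "CAP_SETUID", "CAP_SETFCAP", "CAP_SETPCAP",
    "CAP_NET_BIND_SERVICE", "CAP_SYS_CHROOT", "CAP_KILL", "CAP_AUDIT_WRITE",
})


def decode_capeff(hex_mask: str) -> set[str]:
    """Turn the hex bitmask from a CapEff line into capability names."""
    mask = int(hex_mask, 16)
    caps: set[str] = set()
    bit = 0
    while mask >> bit:
        if (mask >> bit) & 1:
            # Bits beyond the known table get a numeric placeholder name.
            caps.add(CAP_NAMES[bit] if bit < len(CAP_NAMES) else f"CAP_{bit}")
        bit += 1
    return caps


def capeff_from_status(status_text: str) -> str:
    """Extract the CapEff hex field from the text of /proc/<pid>/status."""
    for line in status_text.splitlines():
        if line.startswith("CapEff:"):
            return line.split()[1]
    raise ValueError("no CapEff line in status text")


def excess_capabilities(status_text: str) -> set[str]:
    """Capabilities held beyond Docker's default set (empty is the good case)."""
    return decode_capeff(capeff_from_status(status_text)) - DOCKER_DEFAULT_CAPS


def looks_privileged(status_text: str) -> bool:
    """True when the process holds every capability the kernel table knows."""
    return len(decode_capeff(capeff_from_status(status_text))) >= 38


# Constructed /proc/<pid>/status excerpts: the default Docker set, and a
# process holding all 38 capabilities known to a kernel of that era.
DEFAULT_STATUS = "Name:\tsh\nCapEff:\t00000000a80425fb\n"
PRIVILEGED_STATUS = "Name:\tsh\nCapEff:\t0000003fffffffff\n"

if __name__ == "__main__":
    for label, text in (("default", DEFAULT_STATUS), ("privileged", PRIVILEGED_STATUS)):
        print(label, "privileged?", looks_privileged(text),
              "extra:", sorted(excess_capabilities(text)))
```

On a live host, feed it the contents of /proc/<container pid>/status; anything in the excess set should be traceable to a deliberate --cap-add, and CAP_SYS_ADMIN in particular deserves a justification.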
26. $ man UnionFS
It allows files and directories of separate file systems, known as branches, to be transparently overlaid, forming a single coherent file system. Contents of directories which have the same path within the merged branches will be seen together in a single merged directory, within the new, virtual filesystem.
When mounting branches, the priority of one branch over the other is specified. So when both branches contain a file with the same name, one gets priority over the other.
The different branches may be both read-only and read-write file systems, so that writes to the virtual, merged copy are directed to a specific real file system. This allows a file system to appear as writable, but without actually allowing writes to change the file system, also known as copy-on-write.
27. $ man docker-layer
• Each layer of the FS is mounted on top of prior layers
• The first layer is the base image
• Current base images include debian, ubuntu, busybox, fedora, CentOS, etc.
• Each read-only layer is called an image (a layer is just a collection of files and folders!)
• The top layer is the only modifiable layer; it's termed the container