Cloud Native Security - Chris Binnie - Page 19
Container Components
There are typically a number of common components on a Linux system that enable the secure use of containers, although new features, and improvements to existing kernel and system features, are added periodically. These are Linux security features that allow containers to be bundled into a distinct unit and separated from other system resources. Such system and kernel features mean that most containers, when spawned without any nonstandard options that disable these security features, have a limited impact on other containers and the underlying host. However, containers are often, unwittingly, run as the root user, or developers relax these security features to ease their development process. Table 1.1 presents the key components.
Table 1.1: Common Container Components
| COMPONENT | DESCRIPTION |
|---|---|
| Kernel namespaces | A logical partitioning of kernel resources to reduce the visibility that processes receive on a system. |
| Control groups | Functionality to limit usage of system resources such as I/O, CPU, RAM, and networking. Commonly called cgroups. |
| SELinux/AppArmor | Mandatory Access Control (MAC) for enforcing security-based access control policies across numerous system facets such as filesystems, processes, and networking. Typically, SELinux is found on Red Hat Enterprise Linux (RHEL) derivatives and AppArmor on Debian derivatives. However, SELinux is popular on both, and AppArmor appears to be in an experimental phase for RHEL derivatives such as CentOS. |
| Seccomp | Secure Computing (seccomp) allows the kernel to restrict numerous system calls; for Docker's perspective, see docs.docker.com/engine/security/seccomp . |
| Chroot | An isolation technique that uses a pseudo root directory so that processes running within the chroot lose visibility of other defined facets of a system. |
| Kernel capabilities | Checking and restricting all system calls; more in the next section. |
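Two of the rows in Table 1.1, seccomp and kernel capabilities, can be checked for any running process from its /proc/<pid>/status file. The following script is an added example, not the book's own code: it grades the Seccomp, CapEff and NoNewPrivs fields (NoNewPrivs is not in the table, but it decides whether a process can regain privileges through setuid binaries) on constructed sample files, and can be pointed at /proc/self/status to audit a live process. The capability bit index 21 for CAP_SYS_ADMIN follows the kernel's capability numbering.

```shell
#!/bin/sh
# Added example (not from the book): grade the isolation-related fields of a
# /proc/<pid>/status file. Seccomp mode 2 means a syscall filter is loaded,
# CapEff is the hex mask of effective kernel capabilities, and NoNewPrivs=1
# blocks regaining privilege through setuid binaries.

SYS_ADMIN_BIT=21   # bit index of CAP_SYS_ADMIN in the hex capability mask

field() {          # field NAME FILE -> value following "NAME:"
  sed -n "s/^$1:[[:space:]]*//p" "$2"
}

cap_has() {        # cap_has HEXMASK BIT -> true when that capability is set
  [ $(( 0x$1 & (1 << $2) )) -ne 0 ]
}

# Prints one line per check and returns the number of weak settings found.
audit_status() {
  f=${1:-/proc/self/status}
  findings=0
  case "$(field Seccomp "$f")" in
    2) echo "seccomp: filter mode, syscall allow-list active" ;;
    1) echo "seccomp: strict mode" ;;
    *) echo "seccomp: disabled"; findings=$((findings + 1)) ;;
  esac
  if [ "$(field NoNewPrivs "$f")" = "1" ]; then
    echo "no_new_privs: set"
  else
    echo "no_new_privs: not set"; findings=$((findings + 1))
  fi
  capeff=$(field CapEff "$f")
  if [ "$capeff" = "0000000000000000" ]; then
    echo "capabilities: none held"
  elif cap_has "$capeff" "$SYS_ADMIN_BIT"; then
    echo "capabilities: CAP_SYS_ADMIN held ($capeff)"; findings=$((findings + 1))
  else
    echo "capabilities: reduced set ($capeff)"
  fi
  return "$findings"
}

# Constructed sample status files (not captured from real systems): a default
# container profile, one with all isolation switched off, and a hardened one.
d=$(mktemp -d)
printf 'Seccomp:\t2\nNoNewPrivs:\t0\nCapEff:\t00000000a80425fb\n' > "$d/default"
printf 'Seccomp:\t0\nNoNewPrivs:\t0\nCapEff:\t000001ffffffffff\n' > "$d/privileged"
printf 'Seccomp:\t2\nNoNewPrivs:\t1\nCapEff:\t0000000000000000\n' > "$d/hardened"
for s in default privileged hardened; do echo "== $s"; audit_status "$d/$s" || true; done
```

The exit status of audit_status is the count of weak settings, so it can gate a CI job or a host check directly.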