Docker security mechanism and resource management restrictions

Posted by robbyc on Thu, 02 Jan 2020 07:18:33 +0100

Setting up the security mechanism of docker

Container permissions

Running a container in privileged mode: --privileged=true. Sometimes we need a container to have more permissions, for example to operate kernel modules, control the swap partition, mount a USB disk or change a MAC address.

[root@foundation7 test]# docker run -it --name vm1 ubuntu
root@f34342f7343d:/# ip addr

[root@foundation7 test]# docker run -it --name vm2 --privileged=true ubuntu
root@2d9ed055a7ec:/# ip addr


Stress testing the container

[root@foundation7 ~]# docker run --rm -it --name vm1 -m 100M --memory-swap 100M stress --vm 1 --vm-bytes 100M
# Give vm1 100M of memory and set memory plus swap to 100M as well, so the largest load the stress test can handle is also 100M


[root@foundation7 ~]# docker run --rm -it --name vm1 -m 100M stress --vm 1 --vm-bytes 150M
# Only the memory limit is set to 100M; the swap partition defaults to the same 100M, so the largest load is 200M



Limit container cpu usage

[root@foundation7 ~]# docker run --rm -it --cpu-shares 512 stress -c 1
[root@foundation7 ~]# docker run --rm -it --cpu-shares 1024 stress -c 1
The container with 1024 shares has the higher CPU priority, but when there are enough cores the CPU can serve both stress tests at once, so the priority is not visible.


Check the number of CPU cores with lscpu and run the stress test again

[root@foundation7 ~]# lscpu

[root@foundation7 ~]# docker run --rm -it --cpu-shares 512 stress -c 4
[root@foundation7 ~]# docker run --rm -it --cpu-shares 1024 stress -c 4


Limit write rate

[root@foundation7 ~]# docker run --rm -it --privileged=true --device-write-bps /dev/sda:10M ubuntu
root@b13f489c0849:/# dd if=/dev/zero of=file1 bs=1M count=100 oflag=direct
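
The limits set above can be verified after the fact from `docker inspect`, whose HostConfig carries Privileged, Memory, MemorySwap, CpuShares and BlkioDeviceWriteBps. The following audit script is an added example, not code from the original post; it runs offline on a constructed JSON sample that mimics `docker inspect vm1 vm2` and flags containers that are privileged or missing the limits discussed here.

```python
import json

MIB = 1024 * 1024

def effective_swap(memory, memory_swap):
    """Swap (bytes) a container may use, following Docker's rules:
    MemorySwap 0 with a memory limit means memory+swap = 2*Memory,
    -1 means unlimited swap, otherwise swap = MemorySwap - Memory."""
    if memory <= 0:
        return None                  # no memory limit at all
    if memory_swap == 0:
        return memory                # default: as much swap as memory
    if memory_swap == -1:
        return float("inf")
    return memory_swap - memory

def audit_containers(inspect_json):
    """Return {container_name: [findings]} for one `docker inspect` JSON document."""
    report = {}
    for c in json.loads(inspect_json):
        hc = c["HostConfig"]
        findings = []
        if hc.get("Privileged"):
            findings.append("runs with --privileged (all capabilities, host devices)")
        swap = effective_swap(hc.get("Memory", 0), hc.get("MemorySwap", 0))
        if swap is None:
            findings.append("no memory limit (-m not set)")
        elif swap == float("inf"):
            findings.append("unlimited swap (--memory-swap -1)")
        elif swap > 0:
            findings.append(f"{swap // MIB}M of swap allowed beyond the memory limit")
        if not hc.get("CpuShares"):
            findings.append("default CPU weight (--cpu-shares not set)")
        if not hc.get("BlkioDeviceWriteBps"):
            findings.append("no write rate limit (--device-write-bps not set)")
        report[c["Name"].lstrip("/")] = findings
    return report

# Constructed sample standing in for `docker inspect vm1 vm2`: vm1 started with
# -m 100M only (swap defaults to another 100M), vm2 privileged and unlimited.
SAMPLE = json.dumps([
    {"Name": "/vm1", "HostConfig": {"Privileged": False, "Memory": 100 * MIB,
     "MemorySwap": 0, "CpuShares": 512, "BlkioDeviceWriteBps": []}},
    {"Name": "/vm2", "HostConfig": {"Privileged": True, "Memory": 0,
     "MemorySwap": 0, "CpuShares": 0, "BlkioDeviceWriteBps": []}},
])

if __name__ == "__main__":
    for name, findings in audit_containers(SAMPLE).items():
        print(name, "->", "; ".join(findings) or "ok")
```

On a real host, replace SAMPLE with the output of `docker inspect $(docker ps -q)`.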

Limiting Docker with cgroups

Install cgroup management tools

[root@server1 ~]# yum install libcgroup.x86_64 -y
[root@server1 ~]# /etc/init.d/cgconfig start


Memory limits

[root@server1 memory]# vim /etc/cgconfig.conf
group x1 {
    memory {
        memory.limit_in_bytes = 209715200;
        # The memory limit is 200M
        memory.memsw.limit_in_bytes = 209715200;
        # Memory plus swap is also 200M, so the swap allowance is 0
    }
}
[root@server1 memory]# /etc/init.d/cgconfig restart

When a process runs under the x1 control group, you can see that its memory consumption cannot exceed 200M.
