Docker security configuration (CPU, partition size and permission settings)

Docker security

Running a container with elevated privileges: --privileged=true
Sometimes a container needs more privileges than the default, for example to load kernel modules, control the swap partition, mount USB disks or change MAC addresses. A privileged container receives every Linux capability and unrestricted access to host devices, so it is effectively as powerful as root on the host; grant it only when one of those needs is real.

[root@foundation23 test]# docker run -it --name vm2 --privileged=true ubuntu
root@eab5af508a67:/# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
44: eth0@if45: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default 
    link/ether 02:42:ac:11:00:03 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.3/16 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::42:acff:fe11:3/64 scope link 
       valid_lft forever preferred_lft forever
root@eab5af508a67:/# ip link set down eth0
root@eab5af508a67:/# ip link set up eth0
root@eab5af508a67:/# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
44: eth0@if45: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default 
    link/ether 02:42:ac:11:00:03 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.3/16 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::42:acff:fe11:3/64 scope link 
       valid_lft forever preferred_lft forever
root@eab5af508a67:/# id
uid=0(root) gid=0(root) groups=0(root)
root@eab5af508a67:/# [root@foundation23 test]# 
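A small audit of `docker inspect` output that flags the settings discussed on this page (privileged mode, added capabilities, a missing -m limit, unlimited swap, no --device-write-bps cap). This is an added example, not code from the original post or from Docker; the inspect JSON is constructed (container IDs are taken from the sessions on this page, the combination of settings is assumed) and only the fields the audit reads are included.

```python
import json

# Constructed `docker inspect` output, trimmed to the fields the audit reads.
# The first entry mirrors the vm2 container above (--privileged=true, no
# resource limits); the second is a hardened variant using the -m,
# --memory-swap and --device-write-bps values that appear later on this page.
SAMPLE_INSPECT = json.dumps([
    {"Id": "eab5af508a67", "Name": "/vm2",
     "HostConfig": {"Privileged": True, "CapAdd": None, "Memory": 0,
                    "MemorySwap": 0, "BlkioDeviceWriteBps": None}},
    {"Id": "ca8c7e03c7a3", "Name": "/vm1",
     "HostConfig": {"Privileged": False, "CapAdd": None,
                    "Memory": 120 * 1024 * 1024,
                    "MemorySwap": 120 * 1024 * 1024,
                    "BlkioDeviceWriteBps": [{"Path": "/dev/sda",
                                             "Rate": 10 * 1024 * 1024}]}},
])


def audit_inspect(inspect_json):
    """Return (container, finding) pairs for settings a reviewer should question."""
    findings = []
    for c in json.loads(inspect_json):
        name = c.get("Name", c.get("Id", "?")).lstrip("/")
        hc = c.get("HostConfig") or {}
        if hc.get("Privileged"):
            # --privileged grants every capability and raw access to host devices
            findings.append((name, "privileged"))
        if hc.get("CapAdd"):
            findings.append((name, "cap-add:" + ",".join(hc["CapAdd"])))
        if not hc.get("Memory"):
            # Memory == 0 means no -m limit: one container can exhaust host RAM
            findings.append((name, "no-memory-limit"))
        elif hc.get("MemorySwap") == -1:
            # --memory-swap -1 removes the cap on swap usage
            findings.append((name, "unlimited-swap"))
        if not hc.get("BlkioDeviceWriteBps"):
            # no --device-write-bps: the container can saturate the disk
            findings.append((name, "no-device-write-bps"))
    return findings


if __name__ == "__main__":
    for name, finding in audit_inspect(SAMPLE_INSPECT):
        print(f"{name}: {finding}")
```

On a real host, feed it the output of `docker inspect $(docker ps -q)`.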


Load the test image and test the CPU and partition-size limits

First, a quick look at the swap partition:
When the system's physical memory runs short, part of the physical memory is freed up for the programs currently running. The space freed usually belongs to programs that have been idle for a long time; it is saved temporarily to the swap partition, and when those programs need to run again their data is restored from swap into memory. In other words, swap is the exchange area: when physical memory is insufficient, the system swaps with it. Tuning swap matters a great deal for the performance of Linux servers, web servers in particular; adjusting swap can sometimes get past a system performance bottleneck and save the cost of an upgrade.

Change to the directory containing the image tarball
[root@foundation23 test]# cd /home/kiosk/Desktop/docker/
[root@foundation23 docker]# docker load -i stress.tar 
5f70bf18a086: Loading layer 1.024 kB/1.024 kB
8200f77c555b: Loading layer 201.6 MB/201.6 MB
5004946741d1: Loading layer 208.4 kB/208.4 kB
df60166f50fe: Loading layer 5.632 kB/5.632 kB
eb9586760c19: Loading layer 83.72 MB/83.72 MB
8744facfa470: Loading layer 187.9 kB/187.9 kB
e3b0c44298fc: Loading layer 
1e47ff17b890: Loading layer 5.352 MB/5.352 MB
Loaded image: stress:latest

Here --memory-swap is the total of memory plus swap. The memory limit cannot be larger than this value.

When the memory required exceeds what can be allocated, the program is interrupted
[root@foundation23 docker]# docker run --rm -it --name vm1 -m 120M --memory-swap 120M stress --vm 1 --vm-bytes 120M
stress: info: [1] dispatching hogs: 0 cpu, 0 io, 1 vm, 0 hdd
stress: dbug: [1] using backoff sleep of 3000us
stress: dbug: [1] --> hogvm worker 1 [7] forked
stress: dbug: [7] allocating 125829120 bytes ...
stress: dbug: [7] touching bytes in strides of 4096 bytes ...


When memory plus swap together can provide the required memory, the program runs normally
[root@foundation23 docker]# docker run --rm -it --name vm1 -m 100M --memory-swap 120M stress --vm 1 --vm-bytes 110M
stress: info: [1] dispatching hogs: 0 cpu, 0 io, 1 vm, 0 hdd
stress: dbug: [1] using backoff sleep of 3000us
stress: dbug: [1] --> hogvm worker 1 [7] forked
stress: dbug: [7] allocating 115343360 bytes ...
stress: dbug: [7] touching bytes in strides of 4096 bytes ...
stress: dbug: [7] freed 115343360 bytes
stress: dbug: [7] allocating 115343360 bytes ...
stress: dbug: [7] touching bytes in strides of 4096 bytes ...
stress: dbug: [7] freed 115343360 bytes
stress: dbug: [7] allocating 115343360 bytes ...
stress: dbug: [7] touching bytes in strides of 4096 bytes ...
^Cstress: FAIL: [1] (416) <-- worker 7 got signal 2
stress: WARN: [1] (418) now reaping child worker processes
stress: FAIL: [1] (422) kill error: No such process
stress: FAIL: [1] (452) failed run completed in 5s

The memory limit cannot be larger than the total of memory plus swap

[root@foundation23 docker]# docker run --rm -it --name vm1 -m 130M --memory-swap 120M stress --vm 1 --vm-bytes 120M
docker: Error response from daemon: Minimum memoryswap limit should be larger than memory limit, see usage.
See 'docker run --help'.
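The three runs above follow from Docker's -m / --memory-swap rules: --memory-swap is the total of memory plus swap, leaving it unset gives the container as much swap as memory, -1 lifts the swap cap, and a total below the memory limit is rejected by the daemon. The functions below (parse_size, effective_limits, fits) are written here as an added example, not Docker's own code, and reproduce those rules for the values used on this page.

```python
import re

_UNITS = {"": 1, "b": 1, "k": 1024, "m": 1024 ** 2, "g": 1024 ** 3}


def parse_size(text):
    """Parse a docker-style size such as '120M' or '1g' into bytes."""
    m = re.fullmatch(r"\s*(\d+)\s*([bkmg]?)\s*", str(text), re.IGNORECASE)
    if not m:
        raise ValueError(f"bad size: {text!r}")
    return int(m.group(1)) * _UNITS[m.group(2).lower()]


def effective_limits(memory, memory_swap=None):
    """Return (memory_bytes, total_bytes) for -m MEMORY --memory-swap MEMORY_SWAP.

    total_bytes is memory + swap, or None when swap is unlimited (-1).
    Rules as the docker daemon applies them: no --memory-swap means swap equal
    to the memory limit; a total smaller than the memory limit is rejected with
    the same message the daemon prints in the session above.
    """
    mem = parse_size(memory)
    if memory_swap is None:
        return mem, 2 * mem          # default: as much swap as memory
    if str(memory_swap).strip() == "-1":
        return mem, None             # unlimited swap
    total = parse_size(memory_swap)
    if total < mem:
        raise ValueError("Minimum memoryswap limit should be larger than memory limit")
    return mem, total                # total == mem means no swap at all


def fits(memory, memory_swap, vm_bytes):
    """True when a worker touching vm_bytes stays under memory + swap.

    The cgroup charges the process's own overhead as well, so a working set
    equal to the total (240M against -m 120M later on this page) is still
    OOM-killed; hence the strict comparison.
    """
    _, total = effective_limits(memory, memory_swap)
    return total is None or parse_size(vm_bytes) < total
```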

Check the number of CPUs

[root@foundation23 test]# lscpu
Architecture:          x86_64
CPU op-mode(s):        32-bit, 64-bit
Byte Order:            Little Endian
CPU(s):                4

Test the system swap size

The total memory plus swap the system provides is generally twice the memory limit
[root@foundation23 docker]# docker run --rm -it --name vm1 -m 120M stress --vm 1 --vm-bytes 240M
stress: info: [1] dispatching hogs: 0 cpu, 0 io, 1 vm, 0 hdd
stress: dbug: [1] using backoff sleep of 3000us
stress: dbug: [1] --> hogvm worker 1 [7] forked
stress: dbug: [7] allocating 251658240 bytes ...
stress: dbug: [7] touching bytes in strides of 4096 bytes ...
stress: FAIL: [1] (416) <-- worker 7 got signal 9
stress: WARN: [1] (418) now reaping child worker processes
stress: FAIL: [1] (422) kill error: No such process
stress: FAIL: [1] (452) failed run completed in 2s
The program runs normally and can only be stopped manually
[root@foundation23 docker]# docker run --rm -it --name vm1 -m 120M stress --vm 1 --vm-bytes 230M
stress: info: [1] dispatching hogs: 0 cpu, 0 io, 1 vm, 0 hdd
stress: dbug: [1] using backoff sleep of 3000us
stress: dbug: [1] --> hogvm worker 1 [6] forked
stress: dbug: [6] allocating 241172480 bytes ...
stress: dbug: [6] touching bytes in strides of 4096 bytes ...
^Cstress: FAIL: [1] (416) <-- worker 6 got signal 2
stress: WARN: [1] (418) now reaping child worker processes
stress: FAIL: [1] (422) kill error: No such process
stress: FAIL: [1] (452) failed run completed in 5s


Comparing container CPU priority

Set the priority to 512; lscpu showed 4 CPUs earlier, so run 4 workers (-c 4) for the priority comparison

[root@foundation23 docker]# docker run --rm -it --cpu-shares 512 stress -c 4
stress: info: [1] dispatching hogs: 4 cpu, 0 io, 0 vm, 0 hdd
stress: dbug: [1] using backoff sleep of 12000us
stress: dbug: [1] --> hogcpu worker 4 [7] forked
stress: dbug: [1] using backoff sleep of 9000us
stress: dbug: [1] --> hogcpu worker 3 [8] forked
stress: dbug: [1] using backoff sleep of 6000us
stress: dbug: [1] --> hogcpu worker 2 [9] forked
stress: dbug: [1] using backoff sleep of 3000us
stress: dbug: [1] --> hogcpu worker 1 [10] forked
^Cstress: FAIL: [1] (416) <-- worker 8 got signal 2

Set the priority to 1024

[root@foundation23 ~]#  docker run --rm -it --cpu-shares 1024 stress -c 4
stress: info: [1] dispatching hogs: 4 cpu, 0 io, 0 vm, 0 hdd
stress: dbug: [1] using backoff sleep of 12000us
stress: dbug: [1] --> hogcpu worker 4 [6] forked
stress: dbug: [1] using backoff sleep of 9000us
stress: dbug: [1] --> hogcpu worker 3 [7] forked
stress: dbug: [1] using backoff sleep of 6000us
stress: dbug: [1] --> hogcpu worker 2 [8] forked
stress: dbug: [1] using backoff sleep of 3000us
stress: dbug: [1] --> hogcpu worker 1 [9] forked
^Cstress: FAIL: [1] (416) <-- worker 6 got signal 2

Comparison: the two containers show a clear order of priority

Limit the container's write rate to 10M per second

[root@foundation23 docker]# docker run --rm -it --device-write-bps /dev/sda:10M ubuntu
root@ca8c7e03c7a3:/# dd if=/dev/zero of=file bs=1M count=100 oflag=direct
100+0 records in
100+0 records out
104857600 bytes (105 MB) copied, 9.95313 s, 10.5 MB/s
root@ca8c7e03c7a3:/# ls file
file
root@ca8c7e03c7a3:/# ls
bin   dev  file  lib    media  opt   root  sbin  sys  usr
boot  etc  home  lib64  mnt    proc  run   srv   tmp  var
root@ca8c7e03c7a3:/# rm -frfile
rm: invalid option -- 'l'
Try 'rm --help' for more information.
root@ca8c7e03c7a3:/# rm -fr file
root@ca8c7e03c7a3:/# ls
bin   dev  home  lib64  mnt  proc  run   srv  tmp  var
boot  etc  lib   media  opt  root  sbin  sys  usr



Reprinted from blog.csdn.net/ningyuxuan123/article/details/81913124