Docker主机安全性-容器可以在容器内部运行危险代码或更改主机吗? [英] Docker Host Security - Can container run dangerous code or change host from inside of a container?

问题描述

让我们说我从中心存储库中提取了一个新映像，然后运行它而不查看dockerfile的内容.容器或映像能否以任何方式影响我的主机?

Lets say I pull a new image from a hub repository and run it without looking at the contents of the dockerfile. Can the container or image affect my host in any way possible?

请让我知道，因为我将在服务器上运行来自用户输入的图像名称的图像列表.我担心它是否会影响服务器/主机.

Please let me know because I will be running a list of images from a user inputted image names on my server. I am worried if it will affect the server/host.

推荐答案

对于图像的默认执行，答案是有条件的.内核功能受到限制，文件系统受到限制，进程空间被隔离，并且它与主机位于单独的桥接网络中.允许访问主机的任何内容都将是一个安全漏洞.

With a default execution of an image, the answer is a conditional no. The kernel capabilities are limited, the filesystem is restricted, the process space is isolated, and it's on a separate bridged network from the host. Anything that allows access back to the host would be a security vulnerability.

有条件的部分是，它可能会耗尽您的所有CPU周期，可能会耗尽您的内存，可能会填满您的驱动器，并且可能会将网络流量从您的计算机NAT发送到您的IP地址.换句话说，默认情况下，没有什么可以阻止容器受到主机的DoS攻击.

The conditional part is that it can use up all your CPU cycles, it can exhaust your memory, it can fill your drive, and it can send network traffic out from your machine NAT'ed to your IP address. In other words, by default, there's nothing preventing the container from a DoS attack on your host.

Docker确实有能力限制很多事情，包括限制内存，限制CPU或优先处理进程，并且文件系统有配额解决方案.

Docker does have the ability to limit many of these things, including capping memory, restricting CPU's or prioritizing processes, and there are quota solutions to the filesystem.

您还可以朝另一个方向发展，将主机暴露给容器，从而有效地创建安全漏洞.这将包括安装主机卷，尤其是在容器内部的docker.sock，使用-privileged 消除内核功能限制，以及使用-net = host 消除网络隔离.使用容器执行上述任何操作都会关闭Docker默认提供的保护.

You can also go the other direction and expose the host to the container, effectively creating security vulnerabilities. This would include mounting host volumes, especially the docker.sock inside the container, removing kernel capability restrictions with --privileged, and removing network isolation with --net=host. Doing any of these with a container turns off the protections that Docker provides by default.

由于Docker与主机共享内核的方式，其隔离度确实比虚拟机低.因此，如果您正在运行的代码包含内核或物理硬件漏洞，则可以访问主机.因此，如果您运行的是不受信任的代码，则可能需要研究linuxkit，它提供了一个基于轻量级容器的操作系统来在vm中运行.这用于提供在Windows/Mac的docker上的hyperv/xhyve下运行的Moby操作系统.

Docker does have a lower level of isolation than a virtual machine due to the way it shares the kernel with the host. So if the code you are running contains a kernel or physical hardware exploit, that could access the host. For this reason, if you are running untrusted code, you may want to look into linuxkit, which provides a lightweight container based operating system to run inside a vm. This is used to provide the moby os that runs under hyperv/xhyve on docker for windows/mac.

这篇关于Docker主机安全性-容器可以在容器内部运行危险代码或更改主机吗?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！