
Are docker containers safe enough to run third-party untrusted containers side-by-side with production system?

We plan to allow execution of third-party micro-services code on our infrastructure interacting with our API. Is dockerizing safe enough? Are there solutions for tracking the resources (network, RAM, CPU) a container consumes?

You can install portainer.io (see its demo, password tryportainer).

But to truly isolate those third-party micro-services, you could run them in their own VM defined on your infrastructure. That VM would run a docker daemon and the services. As long as the VM has access to the API, those micro-service containers will do fine, and won't lead to/have access to anything directly from the infrastructure.
You need to define/size your VM correctly to allocate enough resources for the containers to run, each one assuring its own resource isolation.

Docker (17.03) is a great tool to securely isolate processes. It uses kernel namespaces, control groups and some kernel capabilities in order to isolate processes that run in different containers.

But those processes are not 100% isolated from each other, because they use the same kernel resources. Every dockerized process that makes an IO call leaves its isolated environment for that period of time and enters a shared environment, the kernel. Although you can set limits per container, like how much processor or how much RAM it may use, you cannot set limits on all kernel resources.

You can read this article for more information.
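Both answers come down to two controls: put cgroup limits and capability restrictions on each container, and watch what each container actually consumes. The script below is an added example (not code from either answer or from Docker) that does both from the defender's side: it builds the `docker run` argument list for an untrusted service with memory, CPU and PID caps, all capabilities dropped, no privilege escalation and a read-only root filesystem, and it parses the per-container output of `docker stats --no-stream --format '{{json .}}'` to flag containers over a CPU, memory or PID budget. The container names, the budget numbers, the network name `thirdparty-net` and the three sample stats lines are constructed for the example; the flags themselves are real `docker run` options.

```python
"""Per-container limits and resource-budget checks for untrusted containers.

Added example. Assumes the JSON output format of
`docker stats --no-stream --format '{{json .}}'`: one object per line with
fields Name, CPUPerc, MemUsage, NetIO, BlockIO and PIDs.
"""
import json
import re

# Multipliers for the size suffixes docker prints (decimal kB/MB, binary KiB/MiB).
_UNITS = {
    "B": 1,
    "kB": 10**3, "MB": 10**6, "GB": 10**9, "TB": 10**12,
    "KiB": 2**10, "MiB": 2**20, "GiB": 2**30, "TiB": 2**40,
}
_SIZE_RE = re.compile(r"^\s*([0-9.]+)\s*([A-Za-z]+)\s*$")


def to_bytes(text: str) -> float:
    """Convert a docker size string such as '10.5MiB' or '1.2kB' to bytes."""
    m = _SIZE_RE.match(text)
    if not m:
        raise ValueError(f"unparseable size: {text!r}")
    value, unit = m.groups()
    if unit not in _UNITS:
        raise ValueError(f"unknown unit in {text!r}")
    return float(value) * _UNITS[unit]


def _pair(text: str):
    """Split an 'X / Y' field (MemUsage, NetIO) into two byte counts."""
    left, right = text.split("/")
    return to_bytes(left), to_bytes(right)


def parse_stats_line(line: str) -> dict:
    """Parse one JSON line from `docker stats --format '{{json .}}'`."""
    row = json.loads(line)
    mem_used, mem_limit = _pair(row["MemUsage"])
    net_rx, net_tx = _pair(row["NetIO"])
    return {
        "name": row["Name"],
        "cpu_pct": float(row["CPUPerc"].rstrip("%")),
        "mem_bytes": mem_used,
        "mem_limit_bytes": mem_limit,
        "net_rx_bytes": net_rx,
        "net_tx_bytes": net_tx,
        "pids": int(row["PIDs"]),
    }


def over_budget(rows, cpu_pct_max=80.0, mem_frac_max=0.9, pids_max=100):
    """Return the names of containers exceeding any of the given budgets."""
    offenders = []
    for r in rows:
        mem_frac = r["mem_bytes"] / r["mem_limit_bytes"] if r["mem_limit_bytes"] else 0.0
        if r["cpu_pct"] > cpu_pct_max or mem_frac > mem_frac_max or r["pids"] > pids_max:
            offenders.append(r["name"])
    return offenders


def hardened_run_args(image, name, memory="256m", cpus="0.5", pids_limit=100,
                      network="thirdparty-net"):
    """Argument list for running an untrusted service with cgroup limits
    (memory, CPU, PIDs), all capabilities dropped, no privilege escalation,
    a read-only root filesystem and a dedicated network. The defaults and the
    network name are assumptions chosen for this example."""
    return [
        "docker", "run", "-d", "--name", name,
        "--memory", memory, "--memory-swap", memory,   # swap cap == memory cap: no swap
        "--cpus", str(cpus),
        "--pids-limit", str(pids_limit),
        "--cap-drop", "ALL",
        "--security-opt", "no-new-privileges",
        "--read-only",
        "--network", network,
        image,
    ]


# Constructed sample: three lines as `docker stats --no-stream --format '{{json .}}'` prints them.
SAMPLE_STATS = """\
{"Name":"svc-a","CPUPerc":"0.50%","MemUsage":"10.5MiB / 512MiB","NetIO":"1.2kB / 0B","BlockIO":"0B / 0B","PIDs":"3"}
{"Name":"svc-b","CPUPerc":"95.00%","MemUsage":"480MiB / 512MiB","NetIO":"3.4MB / 1.1MB","BlockIO":"0B / 0B","PIDs":"12"}
{"Name":"svc-c","CPUPerc":"2.10%","MemUsage":"64MiB / 512MiB","NetIO":"0B / 0B","BlockIO":"0B / 0B","PIDs":"250"}
"""


def check_sample():
    """Run the budget check over the constructed sample; returns offender names."""
    rows = [parse_stats_line(l) for l in SAMPLE_STATS.splitlines() if l.strip()]
    return over_budget(rows)


if __name__ == "__main__":
    print(check_sample())
    print(" ".join(hardened_run_args("registry.example/untrusted:latest", "svc-a")))
```

In use, the stats lines come from a loop over `docker stats --no-stream --format '{{json .}}'` on the host (or on the dedicated VM from the first answer), and the offender list feeds an alert or a `docker stop`. Note what the second answer says still holds: these caps cover CPU, memory, PIDs and the network the container attaches to, not every kernel resource the container touches during an IO call, which is why the VM boundary is the stronger answer for truly untrusted code.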
