Rules for Configuring the Operating Environment

Creating an Independent Partition for Containers

The default Docker directory is /var/lib/docker, which stores all Docker files, including images. If this directory fills up, Docker and possibly the host itself become unavailable. For this reason, it is good practice to create an independent partition (logical volume) for Docker files.

Generally you need to perform the following operations:

  1. Create a directory for Docker files. Mount an idle drive whose file system type is Ext4 as an independent partition. The following uses sda as an example.
    Create a docker directory in /root/sda and add the line /dev/sda /root/sda/docker ext4 defaults 0 0 to the /etc/fstab file. If /dev/sda has already been mounted or has a non-Ext4 file system, replace sda in the following commands with the name of a valid drive.
    # mkdir -p /root/sda/docker
    # vim /etc/fstab
    /dev/sda /root/sda/docker ext4 defaults 0 0
    
  2. Go to the /root/sda/docker path.

    In the /etc/docker/daemon.json file, add "data-root": "/root/sda/docker".

    # vim /etc/docker/daemon.json
    "data-root": "/root/sda/docker"
    

    If the /etc/docker/daemon.json file does not exist, create it in JSON format.

    # touch /etc/docker/daemon.json
    # vim /etc/docker/daemon.json
    {
      "data-root": "/root/sda/docker"
    }
    
  3. Restart the Docker service.
    # systemctl restart docker
    
  4. Reload the content of the /etc/fstab file.
    # mount -a
    

Using the Latest Docker Version

Update Docker in a timely manner to eliminate known vulnerabilities in the Docker software. Skilled attackers exploit known vulnerabilities to attempt to access the system or escalate their permissions. If Docker updates are not installed, the Docker software may retain vulnerabilities that lead to permission escalation, unauthorized access, or other security violations.

Using the latest Docker version without verifying it first may cause compatibility issues.

Allowing Only Trusted Users to Join the Docker User Group

Trusted users are OS users that untrusted external parties cannot use or act through. The Docker daemon requires root privileges, and users in the Docker user group have all the privileges of the root user. Docker allows a directory to be shared between the Docker host and a guest container without limiting the container's access rights, which means a user can start a container and map the host's / directory into it; the container can then alter the host file system without any restriction. To put it simply, if a user in the Docker user group starts a container with the host's / directory mapped into it, the user gains escalated privileges. Remove untrusted users from the Docker group and do not map sensitive directories of the host to container volumes.

Auditing the Docker Daemon by the Host (Ubuntu)

The Docker daemon runs on the host with root privileges. The host needs to provide a mechanism for auditing how the Docker daemon runs and is used, so that if a privilege escalation attack occurs through the Docker daemon, its cause can be traced.

Generally you need to perform the following operations:

  1. If auditd is not installed, install it first.
    # apt install auditd
    
  2. In the /etc/audit/rules.d/audit.rules file, add the rule -w /usr/bin/dockerd -k docker.
    # vim /etc/audit/rules.d/audit.rules
    -w /usr/bin/dockerd -k docker
    
  3. Restart the audit daemon.
    # service auditd restart
    

    Run the following command to check whether the previous modification is successful.

    # auditctl -l | grep /usr/bin/dockerd
    

    If -w /usr/bin/dockerd -p rwxa -k docker is displayed, the modification is successful (auditctl lists the default permissions -p rwxa even though the rule was written without -p).

Auditing the Docker Daemon by the Host (openEuler)

The Docker daemon runs on the host with root privileges. The host needs to provide a mechanism for auditing how the Docker daemon runs and is used, so that if a privilege escalation attack occurs through the Docker daemon, its cause can be traced.

Generally you need to perform the following operations:

  1. If auditd is not installed, install it first.
    # yum install audit
    
  2. In the /etc/audit/rules.d/audit.rules file, add the rule -w /usr/bin/dockerd -p rwxa -k docker.
    # vim /etc/audit/rules.d/audit.rules
    -w /usr/bin/dockerd -p rwxa -k docker
    
  3. Restart the audit daemon.
    # service auditd restart
    

    Run the following command to check whether the previous modification is successful.

    # auditctl -l | grep /usr/bin/dockerd
    

    If -w /usr/bin/dockerd -p rwxa -k docker is displayed, the modification is successful.

    If the added rule does not take effect, run the following command to clear the currently loaded rules (auditctl -D deletes all of them, not only the Docker rule) and then restart the audit daemon so that the rules files are reloaded.

    # auditctl -D

Auditing Key Docker Directories and Files by the Host (Ubuntu)

The host provides the audit function for key Docker files and directories, including /var/lib/docker, /etc/docker, /etc/default/docker, /etc/docker/daemon.json, /usr/bin/docker-containerd, /usr/bin/docker-runc, docker.service, and docker.socket. These directories store key Docker information and must be audited.

The listed directories are the default Docker installation directories. If a separate partition is created for Docker, the directories may change.

Generally you need to perform the following operations:

  1. Add the following rules to the /etc/audit/rules.d/audit.rules file (using the default Docker installation directories as an example). If you have created a separate partition for Docker, replace the directories below with the actual ones.
    # vim /etc/audit/rules.d/audit.rules
    -w /etc/docker -k docker
    -w /lib/systemd/system/docker.service -k docker
    -w /var/lib/docker -k docker
    -w /etc/default/docker -k docker
    -w /etc/docker/daemon.json -k docker
    -w /usr/bin/containerd -k docker
    -w /usr/bin/runc -k docker
    
  2. Restart the audit daemon.
    # service auditd restart
    

    Run the following command to check whether the previous modification is successful.

    # auditctl -l
    

    If the rules added in step 1 are displayed in the command output, the modification is successful.

Auditing Key Docker Directories and Files by the Host (openEuler)

The host provides the audit function for key Docker files and directories, including /var/lib/docker, /etc/docker, /etc/sysconfig/docker, /etc/docker/daemon.json, /usr/bin/containerd, /usr/bin/runc, docker.service, and docker.socket. These directories store key Docker information and must be audited.

The listed directories are the default Docker installation directories. If a separate partition is created for Docker, the directories may change.

Generally you need to perform the following operations:

  1. Add the following rules to the /etc/audit/rules.d/audit.rules file (using the default Docker installation directories as an example). If you have created a separate partition for Docker, replace the directories below with the actual ones.
    # vim /etc/audit/rules.d/audit.rules
    -w /var/lib/docker -p rwxa -k docker
    -w /etc/docker -p rwxa -k docker
    -w /etc/sysconfig/docker -p rwxa -k docker
    -w /etc/docker/daemon.json -p rwxa -k docker
    -w /usr/bin/containerd -p rwxa -k docker
    -w /usr/bin/runc -p rwxa -k docker
    -w /usr/lib/systemd/system/docker.service -p rwxa -k docker
    -w /var/run/docker.sock -p rwxa -k docker
    
  2. Restart the audit daemon.
    # service auditd restart
    

    Run the following command to check whether the previous modification is successful.

    # auditctl -l
    

    If the rules added in step 1 are displayed in the command output, the modification is successful.
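The following is an added example, not from the original document, that automates the verification step shared by the four audit procedures above (the dockerd watch and the key Docker files, on Ubuntu and openEuler): it compares the -w rules written to the rules file with the output of auditctl -l saved to a file, normalising the implicit -p rwxa that auditctl displays for a rule written without -p. The function names are the example's own.

```sh
#!/bin/sh
# Added example, not part of the original page: compare the -w watch rules in
# /etc/audit/rules.d/audit.rules with what auditd actually loaded (`auditctl -l`
# output saved to a file). auditctl shows a -w rule written without -p as
# "-p rwxa", so each rule is normalised to "PATH PERMS KEY" before comparing.

# awk function shared by the checks below: normalise one rule line, or return ""
# if the line is not a -w rule (comments, blank lines, -a/-S syscall rules).
NORMALIZE_AWK='
function norm(line,    f, n, i, path, perms, key, s) {
  sub(/^[ \t]+/, "", line); sub(/[ \t]+$/, "", line)
  n = split(line, f, /[ \t]+/)
  if (f[1] != "-w") return ""
  path = f[2]; perms = "rwxa"; key = ""
  for (i = 3; i <= n; i++) {
    if (f[i] == "-p") perms = f[i + 1]
    if (f[i] == "-k") key = f[i + 1]
  }
  s = ""                                   # canonical letter order: r w x a
  if (index(perms, "r")) s = s "r"
  if (index(perms, "w")) s = s "w"
  if (index(perms, "x")) s = s "x"
  if (index(perms, "a")) s = s "a"
  return path " " s " " key
}
'

# Usage: normalize_audit_rule 'RULE LINE'  -- prints the normalised form.
normalize_audit_rule() {
  printf '%s\n' "$1" | awk "$NORMALIZE_AWK"'{ print norm($0) }'
}

# Usage: missing_audit_rules RULES_FILE LOADED_FILE
# Prints each -w rule from RULES_FILE that is absent from LOADED_FILE.
# Returns 0 when every rule is loaded, 1 otherwise.
missing_audit_rules() {
  awk "$NORMALIZE_AWK"'
    FILENAME == ARGV[1] { r = norm($0); if (r != "") loaded[r] = 1; next }
    { r = norm($0); if (r != "" && !(r in loaded)) { print; missing = 1 } }
    END { exit (missing ? 1 : 0) }' "$2" "$1"
}

# On a live host (as root):
#   auditctl -l > /tmp/loaded.rules
#   missing_audit_rules /etc/audit/rules.d/audit.rules /tmp/loaded.rules
```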