Rules for Configuring the Operating Environment

Creating an Independent Partition and Enabling IPv6 for Containers

  1. The default Docker directory is /var/lib/docker, which stores all Docker files including images. This directory may be fully occupied. As a result, Docker and the host may become unavailable. For this reason, it is a good practice to create an independent partition (logical volume) for Docker files.
  2. By default, IPv6 is disabled for Docker. However, some applications depend on the IPv6 protocol. If IPv6 is disabled, some functions of these applications may be abnormal. The following provides a method to enable the IPv6 protocol for Docker.

Generally you need to perform the following operations:

  1. Create a directory for Docker files. Mount an idle drive whose file system type is Ext4 as an independent partition. The following uses sda as an example.

    Create a docker directory in /root/sda and add the line /dev/sda /root/sda/docker ext4 defaults 0 0 to the /etc/fstab file. If /dev/sda has already been mounted or it has a non-Ext4 file system, replace sda in the following commands with the name of a valid drive.

    mkdir -p /root/sda/docker
    echo "/dev/sda /root/sda/docker ext4 defaults 0 0" >> /etc/fstab
    
  2. Go to the /root/sda/docker path.
    1. Open the /etc/docker/daemon.json file.
      vim /etc/docker/daemon.json
      
    2. Press i to enter the insert mode and add the "data-root": "/root/sda/docker", "ipv6": true,"fixed-cidr-v6": "2001:db8::/64" properties to the file to configure the Docker data storage location and enable the IPv6 protocol. The file must comply with the JSON format.
      {
        "debug": true,
        "data-root": "/root/sda/docker",
        "ipv6": true,
        "fixed-cidr-v6": "2001:db8::/64"
      }
      
    3. Press Esc, type :wq!, and press Enter to save the file and exit.

    Modify the /etc/docker/daemon.json file. If this file does not exist, create it as follows:

    touch /etc/docker/daemon.json
    cat >/etc/docker/daemon.json <<EOF
    {
    "debug": true,
    "data-root": "/root/sda/docker",
    "ipv6": true,
    "fixed-cidr-v6": "2001:db8::/64"
    }
    EOF
    
  3. Restart the Docker service.

    Before restarting the Docker service, ensure that no other containers are running. If any are running in the environment, clear them first.

    systemctl restart docker
    
  4. Reload the content of the /etc/fstab file.
    mount -a
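The following Python script is an added example, not part of this page's procedure. It produces the same daemon.json content and fstab entry as the steps above while avoiding two ways the shell commands can go wrong: `cat > /etc/docker/daemon.json <<EOF` overwrites any settings already in the file (registry mirrors, log options), and `echo ... >> /etc/fstab` appends a duplicate line every time the step is re-run. Invalid JSON in daemon.json stops dockerd from starting, so the script refuses to merge into a file it cannot parse. The paths /dev/sda, /root/sda/docker and the prefix 2001:db8::/64 are taken from the page; the function names and the sample existing configuration are assumptions made for the example.

```python
"""Build and validate Docker daemon.json and the fstab entry for an independent
Docker data partition. Added example; assumes the paths used on this page."""
import json

REQUIRED_KEYS = ("data-root", "ipv6", "fixed-cidr-v6")


def merge_daemon_json(existing_text, data_root, ipv6_cidr):
    """Return daemon.json text with the storage and IPv6 settings applied.

    Unlike `cat > daemon.json <<EOF`, this keeps keys already present in the
    file. Existing text that is not valid JSON raises ValueError instead of
    being silently replaced, because dockerd refuses to start on bad JSON.
    """
    if existing_text is None or existing_text.strip() == "":
        config = {}
    else:
        try:
            config = json.loads(existing_text)
        except json.JSONDecodeError as exc:
            raise ValueError(f"existing daemon.json is not valid JSON: {exc}") from exc
        if not isinstance(config, dict):
            raise ValueError("daemon.json must contain a JSON object")
    config["data-root"] = data_root
    config["ipv6"] = True
    config["fixed-cidr-v6"] = ipv6_cidr
    return json.dumps(config, indent=2) + "\n"


def validate_daemon_json(text):
    """Parse the text and return the list of required keys it lacks
    (an empty list means the file is usable for this page's steps)."""
    config = json.loads(text)  # raises json.JSONDecodeError on invalid JSON
    if not isinstance(config, dict):
        raise ValueError("daemon.json must contain a JSON object")
    return [k for k in REQUIRED_KEYS if k not in config]


def fstab_entry(device, mount_point, fstype="ext4"):
    """The fstab line the page appends, built from its parts."""
    return f"{device} {mount_point} {fstype} defaults 0 0"


def add_fstab_entry(fstab_text, device, mount_point, fstype="ext4"):
    """Append the entry only if the mount point is not configured yet.

    Re-running `echo ... >> /etc/fstab` adds a duplicate entry each time;
    duplicate entries for one mount point confuse `mount -a`, so check first.
    """
    for line in fstab_text.splitlines():
        fields = line.split()
        if len(fields) >= 2 and not line.lstrip().startswith("#") and fields[1] == mount_point:
            return fstab_text  # already present, leave unchanged
    if fstab_text and not fstab_text.endswith("\n"):
        fstab_text += "\n"
    return fstab_text + fstab_entry(device, mount_point, fstype) + "\n"


if __name__ == "__main__":
    # Constructed sample: an existing daemon.json with a setting worth keeping.
    sample_existing = '{"debug": true, "log-driver": "json-file"}'
    merged = merge_daemon_json(sample_existing, "/root/sda/docker", "2001:db8::/64")
    print(merged)
    print("missing keys:", validate_daemon_json(merged))
    # Constructed sample fstab with only the root file system configured.
    print(add_fstab_entry("/dev/sda1 / ext4 defaults 1 1\n", "/dev/sda", "/root/sda/docker"))
```

Run it as root with the real files (read /etc/docker/daemon.json and /etc/fstab, write the returned text back) or keep it as a pre-flight check: `validate_daemon_json` on the file after editing it with vim catches the missing-comma and trailing-comma mistakes before `systemctl restart docker` fails.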
    

Using the Latest Docker Version

Update Docker promptly so that known vulnerabilities in the Docker software are fixed. Skilled attackers exploit known vulnerabilities to attempt to access the system or escalate their permissions. If Docker updates are not installed, the Docker software may contain vulnerabilities that lead to permission escalation, unauthorized access, or other security violations.

Using a newly released Docker version that has not been verified may cause compatibility issues.

Allowing Only Trusted Users to Join the Docker User Group

Trusted users are OS users who cannot be invoked by untrusted external parties. The Docker daemon requires root privileges, and users in the Docker user group effectively have all the privileges of the root user. Docker allows you to share a directory between the Docker host and a guest container without limiting the access rights of the container. This means that you can start a container and map the / directory of the host into it; the container can then alter the host file system without any restriction. To put it simply, a user in the Docker user group who starts a container with the host's / directory mapped into it gains escalated privileges. Remove untrusted users from the Docker group and do not map sensitive directories of the host to container volumes.

Auditing the Docker Daemon by the Host

The Docker daemon runs on the host with root privileges. The host needs to provide a mechanism for auditing how the Docker daemon runs and is used, so that if privilege escalation occurs through the Docker daemon, the cause can be traced.

Generally you need to perform the following operations:

  1. If auditd is not installed, install it first.
    yum install audit -y
    
  2. Add the rule -w /usr/bin/dockerd -p rwxa -k docker to the /etc/audit/rules.d/audit.rules file.
    echo "-w /usr/bin/dockerd -p rwxa -k docker" >> /etc/audit/rules.d/audit.rules
    
  3. Restart the audit daemon.
    service auditd restart
    

    Run the following command to check whether the previous modification is successful.

    auditctl -l | grep /usr/bin/dockerd
    

    If -w /usr/bin/dockerd -p rwxa -k docker is displayed, the modification is successful.

    If the added rule does not take effect, run the following command to clear the currently loaded rules, and then restart the audit daemon as in step 3.

    auditctl -D
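Once the rule is loaded, every matching event is written to the audit log with key="docker", and tracing the cause means reading those records. The following Python parser is an added example, not from the page: it groups raw audit records by event serial number, keeps the paths each event touched, and flags the events an analyst should look at first, namely denied accesses and events where the login session (auid) differs from the acting uid, which is how a user who switched to root shows up. The audit lines below are constructed; the field names follow the standard auditd record format.

```python
"""Correlate auditd records tagged with key="docker" back to the login session,
program and files involved. Added example; the log lines are constructed."""
import re
from collections import OrderedDict

RECORD_RE = re.compile(
    r'^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<rest>.*)$')
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
UNSET_AUID = "4294967295"  # auditd's value for "no login session" (daemons, boot)


def _fields(rest):
    """Split 'k=v k="quoted v"' into a dict; a repeated key keeps the last value."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in FIELD_RE.finditer(rest)}


def docker_events(lines, key="docker"):
    """Group raw audit records by serial number and return the events whose
    SYSCALL record carries the given key, with the non-parent paths touched."""
    events = OrderedDict()
    for line in lines:
        m = RECORD_RE.match(line.strip())
        if not m:
            continue
        ev = events.setdefault(m.group("serial"), {"serial": m.group("serial"),
                                                   "time": float(m.group("ts")),
                                                   "paths": []})
        f = _fields(m.group("rest"))
        if m.group("type") == "SYSCALL":
            for k in ("key", "auid", "uid", "comm", "exe", "syscall", "success"):
                ev[k] = f.get(k)
        elif m.group("type") == "PATH" and f.get("nametype") != "PARENT":
            ev["paths"].append(f.get("name"))
    return [e for e in events.values() if e.get("key") == key]


def flag_events(events):
    """Return (serial, reason) for events worth a first look: a denied access,
    or a logged-in user (auid) acting as a different uid, e.g. after su/sudo."""
    flags = []
    for e in events:
        if e["success"] == "no":
            flags.append((e["serial"], f'denied: uid={e["uid"]} {e["exe"]} -> {e["paths"]}'))
        elif e["auid"] not in (UNSET_AUID, e["uid"]):
            flags.append((e["serial"],
                          f'session auid={e["auid"]} acting as uid={e["uid"]} via {e["exe"]} -> {e["paths"]}'))
    return flags


# Constructed sample audit.log excerpt: a root edit of daemon.json from a user
# session, an unrelated event (different key), and a denied read by uid 1000.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1700000000.101:2001): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=55d0c0 a2=241 a3=1b6 items=2 ppid=4102 pid=4150 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="vim" exe="/usr/bin/vim" key="docker"
type=CWD msg=audit(1700000000.101:2001): cwd="/root"
type=PATH msg=audit(1700000000.101:2001): item=0 name="/etc/docker/" inode=1234 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1700000000.101:2001): item=1 name="/etc/docker/daemon.json" inode=1235 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1700000000.250:2002): arch=c000003e syscall=257 success=yes exit=4 a0=ffffff9c a1=7ffd a2=80000 a3=0 items=1 ppid=1 pid=900 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="useradd" exe="/usr/sbin/useradd" key="identity"
type=PATH msg=audit(1700000000.250:2002): item=0 name="/etc/passwd" inode=42 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1700000001.500:2003): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=55e0a0 a2=0 a3=0 items=1 ppid=4102 pid=4200 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="cat" exe="/usr/bin/cat" key="docker"
type=PATH msg=audit(1700000001.500:2003): item=0 name="/etc/docker/daemon.json" inode=1235 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
"""

if __name__ == "__main__":
    for serial, reason in flag_events(docker_events(SAMPLE_AUDIT_LOG.splitlines())):
        print(serial, reason)
```

On a real host, pipe `ausearch -k docker --raw` (or the relevant part of /var/log/audit/audit.log) into `docker_events`. The auid field is what makes the trail useful: uid=0 alone says only that root did it, while auid=1000 names the session that became root.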

Auditing Key Docker Directories and Files by the Host

The host provides the audit function for key Docker files and directories, including /var/lib/docker, /etc/docker, /etc/sysconfig/docker, /etc/docker/daemon.json, /usr/bin/containerd, /usr/bin/runc, docker.service, and docker.socket. These directories store key Docker information and need to be audited.

The listed directories are the default Docker installation directories. If a separate partition is created for Docker, the directories may change.

Generally you need to perform the following operations:

  1. Run the following commands to add the rules to the /etc/audit/rules.d/audit.rules file (the default Docker installation directories are used as an example). If you have created a separate partition for Docker, replace the directories with the actual ones.
    echo "-w /var/lib/docker -p rwxa -k docker" >> /etc/audit/rules.d/audit.rules
    echo "-w /etc/docker -p rwxa -k docker" >> /etc/audit/rules.d/audit.rules
    echo "-w /etc/sysconfig/docker -p rwxa -k docker" >> /etc/audit/rules.d/audit.rules
    echo "-w /etc/docker/daemon.json -p rwxa -k docker" >> /etc/audit/rules.d/audit.rules
    echo "-w /usr/bin/containerd -p rwxa -k docker" >> /etc/audit/rules.d/audit.rules
    echo "-w /usr/bin/runc -p rwxa -k docker" >> /etc/audit/rules.d/audit.rules
    echo "-w /usr/lib/systemd/system/docker.service -p rwxa -k docker" >> /etc/audit/rules.d/audit.rules
    echo "-w /var/run/docker.sock -p rwxa -k docker" >> /etc/audit/rules.d/audit.rules
    
  2. Restart the audit daemon.
    service auditd restart
    

    Run the following command to check whether the previous modification is successful.

    auditctl -l
    

    If the rules added in step 1 are displayed in the command output, the modification is successful.
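Both verification steps on this page (grepping `auditctl -l` for the dockerd watch, and checking that all the rules from step 1 are listed), together with the note that the watched data directory changes when Docker uses a separate partition, can be automated. The following Python script is an added example and not the page's own tooling: it derives the expected rule set from data-root in daemon.json and reports which rules are missing from the text printed by `auditctl -l`. The sample auditctl output is constructed; the rule paths are the ones listed on this page.

```python
"""Derive the audit watch list this page prescribes from the actual Docker
data-root and check `auditctl -l` output against it. Added example; the
auditctl output below is constructed."""
import json

# Files from the page's rules that stay put when data-root changes.
FIXED_WATCH_PATHS = [
    "/usr/bin/dockerd",
    "/etc/docker",
    "/etc/sysconfig/docker",
    "/etc/docker/daemon.json",
    "/usr/bin/containerd",
    "/usr/bin/runc",
    "/usr/lib/systemd/system/docker.service",
    "/var/run/docker.sock",
]
DEFAULT_DATA_ROOT = "/var/lib/docker"


def data_root_from_daemon_json(text):
    """data-root from daemon.json text; missing file or key means Docker's default."""
    if not text or not text.strip():
        return DEFAULT_DATA_ROOT
    return json.loads(text).get("data-root", DEFAULT_DATA_ROOT)


def expected_rules(data_root=DEFAULT_DATA_ROOT, key="docker"):
    """The -w rules this page adds, with the data directory substituted."""
    return [f"-w {p} -p rwxa -k {key}" for p in [data_root] + FIXED_WATCH_PATHS]


def _normalize(rule):
    """Canonical form so spacing and permission-letter order cannot cause a
    false 'missing' (auditctl -l prints watches as '-w PATH -p PERMS -k KEY')."""
    tokens = rule.split()
    out, i = [], 0
    while i < len(tokens):
        if tokens[i] == "-p" and i + 1 < len(tokens):
            out += ["-p", "".join(sorted(tokens[i + 1]))]
            i += 2
        else:
            out.append(tokens[i])
            i += 1
    return " ".join(out)


def missing_rules(auditctl_output, data_root=DEFAULT_DATA_ROOT, key="docker"):
    """Rules from expected_rules() that are not among the loaded rules."""
    loaded = {_normalize(line) for line in auditctl_output.splitlines() if line.strip()}
    return [r for r in expected_rules(data_root, key) if _normalize(r) not in loaded]


# Constructed `auditctl -l` output: the default data directory is watched,
# but data-root was moved to /root/sda/docker and the socket rule is absent.
SAMPLE_AUDITCTL_L = """\
-w /usr/bin/dockerd -p rwxa -k docker
-w /var/lib/docker -p rwxa -k docker
-w /etc/docker -p rwxa -k docker
-w /etc/sysconfig/docker -p rwxa -k docker
-w /etc/docker/daemon.json -p rwxa -k docker
-w /usr/bin/containerd -p rwxa -k docker
-w /usr/bin/runc -p rwxa -k docker
-w /usr/lib/systemd/system/docker.service -p rwxa -k docker
"""

if __name__ == "__main__":
    # Constructed daemon.json matching the partition steps on this page.
    root = data_root_from_daemon_json('{"data-root": "/root/sda/docker", "ipv6": true}')
    for rule in missing_rules(SAMPLE_AUDITCTL_L, root):
        print("missing:", rule)
```

On a real host, read /etc/docker/daemon.json for the first argument and pass the output of `auditctl -l` as the second. A rule listed in /etc/audit/rules.d/audit.rules but absent from `auditctl -l` is the case the page's "clear the rules and restart auditd" note addresses.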