Docker-контейнеры
8 800 555-89-02
Войти
Документация
CTRL+K
Standalone2410
SaaS

Docker-контейнеры

В этой статье
  • Docker-контейнеры
  • Образы контейнера ClickHouse
  • Логирование ClickHouse
  • Работа Docker Secrets
  • Разворачивание ClickHouse в Docker-контейнере
  • Benchmark result

Образы контейнера ClickHouse

Компания «Инфомаксимум» не добавляет неиспользуемые библиотеки или пакеты.

Образы контейнеров, контейнеры, параметры запуска контейнера, конфигурационные файлы контейнеров не хранят критичную информацию (пароли в файлах, hard-coded пароли, ключи, логины). Логины и хеш паролей приходят через Docker Secrets.

Образ контейнера был подписан компанией «Инфомаксимум».

Логирование ClickHouse

Контейнер с ClickHouse записывает логи в отдельный volume: infomaximumclickhouse-log. Для просмотра логов подключите и запустите контейнер с необходимым volume, например:

docker run -it --rm -v=infomaximum-clickhouselog:/ mnt/volume ubuntu bash

Внутри контейнера выполните:

tail -n 200 -f /mnt/volume/clickhouseserver.log

Логи хост машины не кастомизируются и располагаются по умолчанию в /var/log/….

Работа Docker Secrets

Применение секретов позволяет не передавать пароли и приватные ключи в открытом виде (в docker-контейнеры).

В настоящий момент через секреты передаются следующие значения:

  • логин для подключения к clickhouse
  • хеш-пароля для подключения к clickhouse
  • сертификат (для https)
  • приватный ключ (для https)
  • Diffie Hellman ключ (для https)

Доступ к секретам предоставляется в момент создания сервиса и впоследствии не может быть изменен. Чтобы внести изменения, удалите сервис и создайте его повторно.

Все секреты хранятся в зашифрованном в виде в Docker Swarm.

При запуске контейнера Docker Swarm монтирует секреты в виде файлов в каталог /run/secrets/….

Разворачивание ClickHouse в Docker-контейнере

Разворачивание происходит в соответствии с установкой БД ClickHouse.

Benchmark result

# ------------------------------------------------------------------------------
# Docker Bench for Security v1.3.4
#
# Docker, Inc. (c) 2015-
#
# Checks for dozens of common best-practices around deploying Docker containers in production.
# Inspired by the CIS Docker Community Edition Benchmark v1.1.0.
# ------------------------------------------------------------------------------
Initializing Fri Nov 29 08:32:47 UTC 2019

[INFO] 1 - Host Configuration

[WARN] 1.1 - Ensure a separate partition for containers has been created

[NOTE] 1.2 - Ensure the container host has been Hardened

[INFO] 1.3 - Ensure Docker is up to date

[INFO] * Using 19.03.5, verify is it up to date as deemed necessary

[INFO] * Your operating system vendor may provide support and security maintenance for Docker

[INFO] 1.4 - Ensure only trusted users are allowed to control Docker daemon

[INFO] * docker:x:999

[WARN] 1.5 - Ensure auditing is configured for the Docker daemon

[WARN] 1.6 - Ensure auditing is configured for Docker files and directories - /var/lib/docker

[WARN] 1.7 - Ensure auditing is configured for Docker files and directories - /etc/docker

[INFO] 1.8 - Ensure auditing is configured for Docker files and directories - docker.service

[INFO] * File not found

[INFO] 1.9 - Ensure auditing is configured for Docker files and directories - docker.socket

[INFO] * File not found

[WARN] 1.10 - Ensure auditing is configured for Docker files and directories - /etc/default/docker

[INFO] 1.11 - Ensure auditing is configured for Docker files and directories - /etc/docker/daemon.json

[INFO] * File not found

[INFO] 1.12 - Ensure auditing is configured for Docker files and directories - /usr/bin/dockercontainerd

[INFO] * File not found

[INFO] 1.13 - Ensure auditing is configured for Docker files and directories - /usr/bin/docker-runc

[INFO] * File not found

[INFO] 2 - Docker daemon configuration

[WARN] 2.1 - Ensure network traffic is restricted between containers on the default bridge

[PASS] 2.2 - Ensure the logging level is set to 'info'

[PASS] 2.3 - Ensure Docker is allowed to make changes to iptables

[PASS] 2.4 - Ensure insecure registries are not used

[PASS] 2.5 - Ensure aufs storage driver is not used

[INFO] 2.6 - Ensure TLS authentication for Docker daemon is configured

[INFO] * Docker daemon not listening on TCP

[INFO] 2.7 - Ensure the default ulimit is configured appropriately

[INFO] * Default ulimit doesn't appear to be set

[WARN] 2.8 - Enable user namespace support

[PASS] 2.9 - Ensure the default cgroup usage has been confirmed

[PASS] 2.10 - Ensure base device size is not changed until needed

[WARN] 2.11 - Ensure that authorization for Docker client commands is enabled

[WARN] 2.12 - Ensure centralized and remote logging is configured

[INFO] 2.13 - Ensure operations on legacy registry (v1) are Disabled (Deprecated)

[PASS] 2.14 - Ensure live restore is Enabled (Incompatible with swarm mode)

[WARN] 2.15 - Ensure Userland Proxy is Disabled

[PASS] 2.16 - Ensure daemon-wide custom seccomp profile is applied, if needed

[PASS] 2.17 - Ensure experimental features are avoided in production

[WARN] 2.18 - Ensure containers are restricted from acquiring new privileges

[INFO] 3 - Docker daemon configuration files

[INFO] 3.1 - Ensure that docker.service file ownership is set to root:root

[INFO] * File not found

[INFO] 3.2 - Ensure that docker.service file permissions are set to 644 or more restrictive

[INFO] * File not found

[INFO] 3.3 - Ensure that docker.socket file ownership is set to root:root

[INFO] * File not found

[INFO] 3.4 - Ensure that docker.socket file permissions are set to 644 or more restrictive

[INFO] * File not found

[PASS] 3.5 - Ensure that /etc/docker directory ownership is set to root:root

[PASS] 3.6 - Ensure that /etc/docker directory permissions are set to 755 or more restrictive

[INFO] 3.7 - Ensure that registry certificate file ownership is set to root:root

[INFO] * Directory not found

[INFO] 3.8 - Ensure that registry certificate file permissions are set to 444 or more restrictive

[INFO] * Directory not found

[INFO] 3.9 - Ensure that TLS CA certificate file ownership is set to root:root

[INFO] * No TLS CA certificate found

[INFO] 3.10 - Ensure that TLS CA certificate file permissions are set to 444 or more restrictive

[INFO] * No TLS CA certificate found

[INFO] 3.11 - Ensure that Docker server certificate file ownership is set to root:root

[INFO] * No TLS Server certificate found

[INFO] 3.12 - Ensure that Docker server certificate file permissions are set to 444 or more restrictive

[INFO] * No TLS Server certificate found

[INFO] 3.13 - Ensure that Docker server certificate key file ownership is set to root:root

[INFO] * No TLS Key found

[INFO] 3.14 - Ensure that Docker server certificate key file permissions are set to 400

[INFO] * No TLS Key found

[PASS] 3.15 - Ensure that Docker socket file ownership is set to root:docker

[PASS] 3.16 - Ensure that Docker socket file permissions are set to 660 or more restrictive

[INFO] 3.17 - Ensure that daemon.json file ownership is set to root:root

[INFO] * File not found

[INFO] 3.18 - Ensure that daemon.json file permissions are set to 644 or more restrictive

[INFO] * File not found

[PASS] 3.19 - Ensure that /etc/default/docker file ownership is set to root:root

[PASS] 3.20 - Ensure that /etc/default/docker file permissions are set to 644 or more restrictive

[INFO] 4 - Container Images and Build File

[PASS] 4.1 - Ensure a user for the container has been created

[NOTE] 4.2 - Ensure that containers use trusted base images

[NOTE] 4.3 - Ensure unnecessary packages are not installed in the container

[NOTE] 4.4 - Ensure images are scanned and rebuilt to include security patches

[WARN] 4.5 - Ensure Content trust for Docker is Enabled

[PASS] 4.6 - Ensure HEALTHCHECK instructions have been added to the container image

[PASS] 4.7 - Ensure update instructions are not use alone in the Dockerfile

[NOTE] 4.8 - Ensure setuid and setgid permissions are removed in the images

[INFO] 4.9 - Ensure COPY is used instead of ADD in Dockerfile

[INFO] * ADD in image history: [infomaximum/infomaximum-clickhouse:19.15.2.2RC2]

[INFO] * ADD in image history: [docker/docker-bench-security:latest]

[NOTE] 4.10 - Ensure secrets are not stored in Dockerfiles

[NOTE] 4.11 - Ensure verified packages are only Installed

[INFO] 5 - Container Runtime

[PASS] 5.1 - Ensure AppArmor Profile is Enabled

[WARN] 5.2 - Ensure SELinux security options are set, if applicable

[WARN] * No SecurityOptions Found: infomaximum-clickhouse.1.jo8sqn516v3eua7zi7plufnek

[PASS] 5.3 - Ensure Linux Kernel Capabilities are restricted within containers

[PASS] 5.4 - Ensure privileged containers are not used

[PASS] 5.5 - Ensure sensitive host system directories are not mounted on containers

[PASS] 5.6 - Ensure ssh is not run within containers

[PASS] 5.7 - Ensure privileged ports are not mapped within containers

[NOTE] 5.8 - Ensure only needed ports are open on the container

[PASS] 5.9 - Ensure the host's network namespace is not shared

[PASS] 5.10 - Ensure memory usage for container is limited

[WARN] 5.11 - Ensure CPU priority is set appropriately on the container

[WARN] * Container running without CPU restrictions: infomaximumclickhouse.1.jo8sqn516v3eua7zi7plufnek

[WARN] 5.12 - Ensure the container's root filesystem is mounted as read only

[WARN] * Container running with root FS mounted R/W: infomaximumclickhouse.1.jo8sqn516v3eua7zi7plufnek

[WARN] 5.13 - Ensure incoming container traffic is binded to a specific host interface

[WARN] * Port being bound to wildcard IP: 0.0.0.0 in infomaximumclickhouse.1.jo8sqn516v3eua7zi7plufnek

[WARN] 5.14 - Ensure 'on-failure' container restart policy is set to '5'

[WARN] * MaximumRetryCount is not set to 5: infomaximumclickhouse.1.jo8sqn516v3eua7zi7plufnek

[PASS] 5.15 - Ensure the host's process namespace is not shared

[PASS] 5.16 - Ensure the host's IPC namespace is not shared

[PASS] 5.17 - Ensure host devices are not directly exposed to containers

[INFO] 5.18 - Ensure the default ulimit is overwritten at runtime, only if needed

[INFO] * Container no default ulimit override: infomaximumclickhouse.1.jo8sqn516v3eua7zi7plufnek

[PASS] 5.19 - Ensure mount propagation mode is not set to shared

[PASS] 5.20 - Ensure the host's UTS namespace is not shared

[PASS] 5.21 - Ensure the default seccomp profile is not Disabled

[NOTE] 5.22 - Ensure docker exec commands are not used with privileged option

[NOTE] 5.23 - Ensure docker exec commands are not used with user option

[PASS] 5.24 - Ensure cgroup usage is confirmed

[WARN] 5.25 - Ensure the container is restricted from acquiring additional privileges

[WARN] * Privileges not restricted: infomaximum-clickhouse.1.jo8sqn516v3eua7zi7plufnek

[PASS] 5.26 - Ensure container health is checked at runtime

[INFO] 5.27 - Ensure docker commands always get the latest version of the image

[WARN] 5.28 - Ensure PIDs cgroup limit is used

[WARN] * PIDs limit not set: infomaximum-clickhouse.1.jo8sqn516v3eua7zi7plufnek

[INFO] 5.29 - Ensure Docker's default bridge docker0 is not used

[INFO] * Container in docker0 network: infomaximumclickhouse.1.jo8sqn516v3eua7zi7plufnek

[PASS] 5.30 - Ensure the host's user namespaces is not shared

[PASS] 5.31 - Ensure the Docker socket is not mounted inside any containers

[INFO] 6 - Docker Security Operations

[INFO] 6.1 - Avoid image sprawl

[INFO] * There are currently: 2 images

[INFO] 6.2 - Avoid container sprawl

[INFO] * There are currently a total of 26 containers, with 2 of them currently running

[INFO] 7 - Docker Swarm Configuration

[WARN] 7.1 - Ensure swarm mode is not Enabled, if not needed

[PASS] 7.2 - Ensure the minimum number of manager nodes have been created in a swarm

[PASS] 7.3 - Ensure swarm services are binded to a specific host interface

[WARN] 7.4 - Ensure data exchanged between containers are encrypted on different nodes on the overlay network

[WARN] * Unencrypted overlay network: ingress (swarm)

[PASS] 7.5 - Ensure Docker's secret management commands are used for managing secrets in a Swarm cluster

[WARN] 7.6 - Ensure swarm manager is run in auto-lock mode

[NOTE] 7.7 - Ensure swarm manager auto-lock key is rotated periodically

[INFO] 7.8 - Ensure node certificates are rotated as appropriate

[INFO] 7.9 - Ensure CA certificates are rotated as appropriate

[INFO] 7.10 - Ensure management plane traffic has been separated from data plane traffic

[INFO] Checks: 105

[INFO] Score: 15

Была ли статья полезна?

Да
Нет
Предыдущая
Логирование событий
8 (800) 555-89-028 (495) 150-31-45team@infomaximum.com
Для бизнеса
© 20102024. ООО «Инфомаксимум»
Мы используем файлы cookies, чтобы сайт был лучше для вас.