mirror of https://github.com/LCTT/TranslateProject.git (synced 2025-01-25 23:11:02 +08:00)

translated

This commit is contained in:
parent cc1720f505
commit 5e7bd62761
@ -1,115 +0,0 @@
[#]: collector: (lujun9972)
[#]: translator: (geekpi)
[#]: reviewer: ( )
[#]: publisher: ( )
[#]: url: ( )
[#]: subject: (Podman with capabilities on Fedora)
[#]: via: (https://fedoramagazine.org/podman-with-capabilities-on-fedora/)
[#]: author: (shiwanibiradar https://fedoramagazine.org/author/shiwanibiradar/)

Podman with capabilities on Fedora
======

![][1]

Containerization is a booming technology. As many as seventy-five percent of global organizations could be running some type of containerization technology in the near future. Since widely used technologies are more likely to be targeted by hackers, securing containers is especially important. This article will demonstrate how [POSIX capabilities][2] are used to secure Podman containers. Podman is the default container management tool in RHEL8.

### Determine the Podman container’s privilege mode

Containers run in either privileged or unprivileged mode. In privileged mode, [the container uid 0 is mapped to the host’s uid 0][3]. For some use cases, unprivileged containers [lack sufficient access][4] to the resources of the host machine. Technologies and techniques including Mandatory Access Control (apparmor, SELinux), seccomp filters, dropping of capabilities, and namespaces help to secure containers regardless of their mode of operation.

**To determine the privilege mode from outside the container:**

```
$ podman inspect --format="{{.HostConfig.Privileged}}" <container id>
```

If the above command returns _true_ then the container is running in privileged mode. If it returns _false_ then the container is running in unprivileged mode.

**To determine the privilege mode from inside the container:**

```
$ ip link add dummy0 type dummy
```

If this command allows you to create an interface then you are running a privileged container. Otherwise you are running an unprivileged container.

### Capabilities

Namespaces isolate a container’s processes from arbitrary access to the resources of its host and from access to the resources of other containers running on the same host. Processes within _privileged_ containers, however, might still be able to do things like alter the IP routing table, trace arbitrary processes, and load kernel modules. Capabilities allow one to apply finer-grained restrictions on what resources the processes within a container can access or alter; even when the container is running in privileged mode. Capabilities also allow one to assign privileges to an unprivileged container that it would not otherwise have.

For example, to add the _NET_ADMIN_ capability to an unprivileged container so that a network interface can be created inside of the container, you would run _podman_ with parameters similar to the following:

```
[root@vm1 ~]# podman run -it --cap-add=NET_ADMIN centos
[root@b27fea33ccf1 /]# ip link add dummy0 type dummy
[root@b27fea33ccf1 /]# ip link
```

The above commands demonstrate a _dummy0_ interface being created in an unprivileged container. Without the _NET_ADMIN_ capability, an unprivileged container would not be able to create an interface. The above commands demonstrate how to grant a capability to an unprivileged container.

Currently, there are about [39 capabilities][5] that can be granted or denied. Privileged containers are granted many capabilities by default. It is advisable to drop unneeded capabilities from privileged containers to make them more secure.

**To drop all capabilities from a container:**

```
$ podman run -it -d --name mycontainer --cap-drop=all centos
```

**To list a container’s capabilities:**

```
$ podman exec -it 48f11d9fa512 capsh --print
```

The above command should show that no capabilities are granted to the container.

**Refer to the _capabilities_ man page for a complete list of capabilities:**

```
$ man capabilities
```

**Use the _capsh_ command to list the capabilities you currently possess:**

```
$ capsh --print
```

As another example, the below command demonstrates dropping the _NET_RAW_ capability from a container. Without the _NET_RAW_ capability, servers on the internet cannot be pinged from within the container.

```
$ podman run -it --name mycontainer1 --cap-drop=net_raw centos
>>> ping google.com (will output error, operation not permitted)
```

As a final example, if your container were to only need the _SETUID_ and _SETGID_ capabilities, you could achieve such a permission set by dropping all capabilities and then re-adding only those two.

```
$ podman run -d --cap-drop=all --cap-add=setuid --cap-add=setgid fedora sleep 5 > /dev/null; pscap | grep sleep
```

The _pscap_ command shown above should show the capabilities that have been granted to the container.

I hope you enjoyed this brief exploration of how capabilities are used to secure Podman containers.

Thank You!

--------------------------------------------------------------------------------

via: https://fedoramagazine.org/podman-with-capabilities-on-fedora/

作者:[shiwanibiradar][a]
选题:[lujun9972][b]
译者:[译者ID](https://github.com/译者ID)
校对:[校对者ID](https://github.com/校对者ID)

本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出

[a]: https://fedoramagazine.org/author/shiwanibiradar/
[b]: https://github.com/lujun9972
[1]: https://fedoramagazine.org/wp-content/uploads/2018/10/podman-816x345.jpg
[2]: https://www.linuxjournal.com/magazine/making-root-unprivileged
[3]: https://linuxcontainers.org/lxc/security/#privileged-containers
[4]: https://github.com/containers/podman/blob/master/rootless.md
[5]: https://man7.org/linux/man-pages/man7/capabilities.7.html
translated/tech/20201116 Podman with capabilities on Fedora.md (Normal file, 115 lines)
@ -0,0 +1,115 @@
[#]: collector: (lujun9972)
[#]: translator: (geekpi)
[#]: reviewer: ( )
[#]: publisher: ( )
[#]: url: ( )
[#]: subject: (Podman with capabilities on Fedora)
[#]: via: (https://fedoramagazine.org/podman-with-capabilities-on-fedora/)
[#]: author: (shiwanibiradar https://fedoramagazine.org/author/shiwanibiradar/)

在 Fedora 中使用 Podman 结合 Capabilities
======

![][1]

容器化是一项蓬勃发展的技术。在不久的将来,多达百分之七十五的全球组织可能会运行某种类型的容器化技术。由于广泛使用的技术更容易成为黑客攻击的目标,因此保护容器的安全就显得尤为重要。本文将演示如何使用 [POSIX Capabilities][2] 来保护 Podman 容器的安全。Podman 是 RHEL8 中默认的容器管理工具。

### 确定 Podman 容器的权限模式

容器以特权模式或无特权模式运行。在特权模式下,[容器的 uid 0 被映射到主机的 uid 0][3]。对于某些情况,无特权的容器[缺乏对主机资源的充足访问][4]。包括强制访问控制(apparmor、SELinux)、seccomp 过滤器、删除 Capabilities 和命名空间在内的技有助于确保容器的安全,而不管其操作模式如何。

**要从容器外部确定特权模式:**

```
$ podman inspect --format="{{.HostConfig.Privileged}}" <container id>
```

如果上面的命令返回 _true_,那么容器在特权模式下运行。如果返回 _false_,那么容器在非特权模式下运行。

**要从容器内部确定特权模式:**

```
$ ip link add dummy0 type dummy
```

如果该命令允许你创建一个接口,那么你运行的是一个特权容器,否则你运行的是一个非特权容器。

### Capabilities

命名空间隔离了容器的进程,使其无法任意访问主机的资源,也无法访问在同一主机上运行的其他容器的资源。然而,在_特权_容器内的进程仍然可以做一些事情,如改变 IP 路由表、跟踪任意进程和加载内核模块。Capabilities 允许人们对容器内的进程可以访问或更改的资源施加更细微的限制,即使容器在特权模式下运行也一样。Capabilities 还允许人们为无特权的容器分配它本来不会拥有的特权。

例如,如果要将 _NET_ADMIN_ 功能添加到一个无特权的容器中,以便在容器内部创建一个网络接口,你可以用下面的参数运行 _podman_:

```
[root@vm1 ~]# podman run -it --cap-add=NET_ADMIN centos
[root@b27fea33ccf1 /]# ip link add dummy0 type dummy
[root@b27fea33ccf1 /]# ip link
```

上面的命令演示了在一个无特权的容器中创建一个_dummy0_ 接口。如果没有 _NET_ADMIN_ Capability,非特权容器将无法创建接口。上面的命令演示了如何将一个 Capability 授予一个无特权的容器。

目前,大约有 [39 种 Capabilities][5] 可以被授予或拒绝。特权容器默认会被授予许多 Capability。建议从特权容器中删除不需要的 Capability,以使其更加安全。

**要从容器中删除所有 Capability:**

```
$ podman run -it -d --name mycontainer --cap-drop=all centos
```

**列出一个容器的 Capability:**

```
$ podman exec -it 48f11d9fa512 capsh --print
```

上述命令显示没有向容器授予任何 Capability。

**请参考 _capabilities_ 手册页以获取完整的 Capability 列表:**

```
$ man capabilities
```

**使用 _capsh_ 命令来列出目前拥有的 Capability:**

```
$ capsh --print
```

作为另一个例子,下面的命令演示了如何从容器中删除 _NET_RAW_ Capability。如果没有 _NET_RAW_ Capability,就不能从容器中 ping 互联网上的服务器。

```
$ podman run -it --name mycontainer1 --cap-drop=net_raw centos
>>> ping google.com (will output error, operation not permitted)
```

最后一个例子,如果你的容器只需要 _SETUID_ 和 _SETGID_ 功能,你可以删除所有 Capability,然后只重新添加这两个 Capability 来实现这样的权限设置。

```
$ podman run -d --cap-drop=all --cap-add=setuid --cap-add=setgid fedora sleep 5 > /dev/null; pscap | grep sleep
```

上面的 _pscap_ 命令会显示容器被授予的 Capability。

我希望你喜欢这个关于如何使用 Capabilities 来保护 Podman 容器的简短探索。

谢谢!

--------------------------------------------------------------------------------

via: https://fedoramagazine.org/podman-with-capabilities-on-fedora/

作者:[shiwanibiradar][a]
选题:[lujun9972][b]
译者:[译者ID](https://github.com/译者ID)
校对:[校对者ID](https://github.com/校对者ID)

本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出

[a]: https://fedoramagazine.org/author/shiwanibiradar/
[b]: https://github.com/lujun9972
[1]: https://fedoramagazine.org/wp-content/uploads/2018/10/podman-816x345.jpg
[2]: https://www.linuxjournal.com/magazine/making-root-unprivileged
[3]: https://linuxcontainers.org/lxc/security/#privileged-containers
[4]: https://github.com/containers/podman/blob/master/rootless.md
[5]: https://man7.org/linux/man-pages/man7/capabilities.7.html
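Review bot: the footer of the new file still carries the template placeholder `译者:[译者ID](https://github.com/译者ID)` although the header declares `[#]: translator: (geekpi)`; fill the 译者 line in to match (`译者:[geekpi](https://github.com/geekpi)`) and leave only the 校对 placeholder for the reviewer. Two smaller points in the body: the privilege-mode paragraph reads "命名空间在内的技有助于确保容器的安全", which is missing a character (should be "技术"); and "在_特权_容器内" and "创建一个_dummy0_ 接口" drop the space before the underscore that the source keeps around `_privileged_` and `_dummy0_`, so the emphasis may not render. Terminology also drifts between "Capability" and "功能" for the same concept (`_NET_ADMIN_ 功能`, `_SETUID_ 和 _SETGID_ 功能`); pick one and use it throughout.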