'%20fill='%23C31D20'%20fill-rule='nonzero'%3e%3cpath%20d='M7.55269822,13.7609409%20C10.8552199,9.97176134%2014.2271223,7.63452926%2017.1034483,6.5677512%20L17.0816429,0.884990191%20C17.0593112,0.508963963%2016.8188535,0.182653682%2016.4703158,0.055395956%20C16.1217781,-0.0718617705%2015.7322263,0.0244201241%2015.4799397,0.300178022%20L12.9584465,3.07097775%20L0.368821458,17.4916392%20C0.0232151224,17.8857306%20-0.0894678188,18.437454%200.0732192079,18.9389805%20C0.235906234,19.4405071%200.649247199,19.815643%201.15754056,19.9230783%20C1.66583392,20.0305135%202.19185783,19.853926%202.53746417,19.4598346%20L7.5467513,13.7690073%20L7.55269822,13.7609409%20Z'%20id='路径'%3e%3c/path%3e%3cpath%20d='M10.6896552,12.0927463%20L15.1004089,17.5535201%20C15.4511303,17.8402432%2015.9409156,17.8973222%2016.3502521,17.6991755%20C16.7595885,17.5010287%2017.0117165,17.0848129%2016.993637,16.6370685%20L17.1034483,10.0202479%20C14.5615201,9.75868982%2012.477139,10.7130773%2010.6896552,12.0927463%20Z'%20id='路径'%3e%3c/path%3e%3c/g%3e%3crect%20id='矩形'%20x='0'%20y='0'%20width='24'%20height='24'%3e%3c/rect%3e%3c/g%3e%3c/g%3e%3c/svg%3e)
主机安全加固
- 为容器创建单独分区。Docker的默认目录是“/var/lib/docker”,建议为Docker创建单独的磁盘分区,避免容器占用的磁盘容量和主机其他应用使用的磁盘容量相互影响。
- Docker主机必须进行加固。建议对运行Docker容器的主机进行安全加固,并定期进行漏洞扫描。
- 使用最新的Docker版本。建议及时更新Docker的版本,规避Docker软件的已知漏洞。
- 只允许可信用户加入Docker用户组。Docker用户组的权限很大,加入Docker用户组的用户,拥有完全的root访问权限,具有较高的风险,建议只将必要的用户配置到Docker用户组中。
- 开启Docker守护进程和关键文件的审计功能。开启审计功能能够追溯攻击事件的根源,此功能开启后,会造成一定的性能影响,需要用户根据业务决定是否开启。
父主题: 容器安全加固(其他产品)
