本文目录导读:

在Shell脚本中配置容器权限策略,主要涉及以下几个方面:
Docker容器的安全策略配置
用户权限设置
#!/bin/bash
# 创建非root用户运行容器
create_secure_container() {
docker run -d \
--name secure-app \
--user 1000:1000 \
--cap-drop=ALL \
--cap-add=NET_BIND_SERVICE \
--security-opt=no-new-privileges:true \
--read-only \
--tmpfs /tmp:rw,noexec,nosuid \
nginx:alpine
}
# 使用特定用户运行
run_as_user() {
docker run -u $(id -u):$(id -g) ubuntu:latest whoami
}
能力管理
#!/bin/bash
# 容器能力配置
configure_capabilities() {
# 删除所有能力,只添加必要的
docker run \
--cap-drop=ALL \
--cap-add=NET_ADMIN \
--cap-add=NET_RAW \
--cap-add=SYS_TIME \
ubuntu:latest bash -c "whoami"
}
# 常见安全能力配置
configure_security_caps() {
local container_name=$1
docker run -d \
--name $container_name \
--security-opt=apparmor:unconfined \
--security-opt=seccomp=./seccomp-profile.json \
--cap-drop=ALL \
--cap-add=NET_ADMIN \
--cap-add=CHOWN \
--cap-add=DAC_OVERRIDE \
nginx:alpine
}
使用seccomp安全配置文件
创建seccomp配置文件
#!/bin/bash
# 生成seccomp配置文件
create_seccomp_profile() {
cat > seccomp-profile.json << 'EOF'
{
"defaultAction": "SCMP_ACT_ERRNO",
"architectures": [
"SCMP_ARCH_X86_64"
],
"syscalls": [
{
"names": [
"accept",
"bind",
"chdir",
"chmod",
"clone",
"close",
"connect",
"creat",
"dup",
"epoll_create",
"epoll_wait",
"execve",
"exit",
"exit_group",
"fchdir",
"fchmod",
"fcntl",
"flock",
"fstat",
"fsync",
"ftruncate",
"getcwd",
"getdents",
"getegid",
"geteuid",
"getgid",
"getpeername",
"getpid",
"getuid",
"ioctl",
"listen",
"lseek",
"mkdir",
"mmap",
"mprotect",
"munmap",
"nanosleep",
"open",
"openat",
"poll",
"read",
"readlink",
"recvfrom",
"recvmsg",
"rename",
"rmdir",
"sendto",
"sendmsg",
"set_robust_list",
"setsockopt",
"shutdown",
"sigaltstack",
"socket",
"stat",
"sysinfo",
"time",
"uname",
"unlink",
"write",
"writev"
],
"action": "SCMP_ACT_ALLOW"
}
]
}
EOF
}
# 应用seccomp配置
apply_seccomp() {
local container_name=$1
docker run -d \
--name $container_name \
--security-opt seccomp=./seccomp-profile.json \
nginx:alpine
}
AppArmor配置
创建AppArmor配置文件
#!/bin/bash
# 生成AppArmor配置文件
create_apparmor_profile() {
local profile_name="docker-custom-profile"
cat > /etc/apparmor.d/$profile_name << 'EOF'
#include <tunables/global>
profile docker-custom-profile flags=(attach_disconnected,mediate_deleted) {
#include <abstractions/base>
network tcp,
network udp,
network unix,
/etc/nginx/** r,
/var/log/nginx/** rw,
/var/run/nginx.pid rwk,
deny /etc/shadow r,
deny /etc/gshadow r,
deny /root/** r,
capability,
capability net_bind_service,
set rlimit,
}
EOF
}
# 加载AppArmor配置文件
load_apparmor_profile() {
local profile_name=$1
# 加载配置文件
apparmor_parser -r -W /etc/apparmor.d/$profile_name
# 启用配置
aa-enforce $profile_name
# 运行容器时使用该配置
docker run -d \
--name container-with-apparmor \
--security-opt apparmor=$profile_name \
nginx:alpine
}
资源和安全限制配置
#!/bin/bash
# 限制资源使用
configure_resource_limits() {
docker run -d \
--name limited-container \
--memory="512m" \
--memory-swap="1g" \
--cpus="0.5" \
--pids-limit=100 \
--ulimit nofile=1024:2048 \
--ulimit nproc=50:100 \
nginx:alpine
}
# 文件系统只读限制
configure_filesystem_restrictions() {
docker run -d \
--name read-only-container \
--read-only \
--tmpfs /tmp:rw,noexec,nosuid,size=100m \
--tmpfs /var/run:rw,noexec,nosuid,size=50m \
nginx:alpine
}
# 网络权限限制
configure_network_restrictions() {
# 创建自定义网络
docker network create --driver bridge --internal private-net
# 运行容器在隔离网络中
docker run -d \
--name network-restricted \
--network private-net \
--ip 172.20.0.10 \
no-new-privileges:true \
nginx:alpine
}
Kubernetes Pod安全策略
#!/bin/bash
# 创建Pod安全策略
create_pod_security_policy() {
cat << 'EOF' | kubectl apply -f -
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: restricted-psp
spec:
privileged: false
allowPrivilegeEscalation: false
requiredDropCapabilities:
- ALL
volumes:
- 'configMap'
- 'emptyDir'
- 'projected'
- 'secret'
- 'downwardAPI'
- 'persistentVolumeClaim'
hostNetwork: false
hostIPC: false
hostPID: false
runAsUser:
rule: 'MustRunAsNonRoot'
seLinux:
rule: 'RunAsAny'
supplementalGroups:
rule: 'MustRunAs'
ranges:
- min: 1
max: 65535
fsGroup:
rule: 'MustRunAs'
ranges:
- min: 1
max: 65535
readOnlyRootFilesystem: true
EOF
}
# 应用Pod安全策略
apply_pod_security_policy() {
local namespace=$1
# 创建RoleBinding
cat << EOF | kubectl apply -f -
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: psp-binding
namespace: $namespace
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: psp:restricted
subjects:
- apiGroup: rbac.authorization.k8s.io
kind: Group
name: system:serviceaccounts:$namespace
EOF
}
容器运行时配置检查
#!/bin/bash
# 安全检查函数
check_security_config() {
local container_name=$1
echo "=== 检查容器安全配置 ==="
# 检查用户权限
echo "用户信息:"
docker exec $container_name id
# 检查能力
echo "能力配置:"
docker inspect $container_name --format '{{.HostConfig.CapAdd}}'
docker inspect $container_name --format '{{.HostConfig.CapDrop}}'
# 检查只读文件系统
echo "只读文件系统:"
docker inspect $container_name --format '{{.HostConfig.ReadonlyRootfs}}'
# 检查特权模式
echo "特权模式:"
docker inspect $container_name --format '{{.HostConfig.Privileged}}'
}
# 应用安全最佳实践
apply_security_best_practices() {
local image=$1
local container_name=$2
docker run -d \
--name $container_name \
--user 1000:1000 \
--cap-drop=ALL \
--cap-add=NET_BIND_SERVICE \
--security-opt=no-new-privileges:true \
--read-only \
--tmpfs /tmp:rw,noexec,nosuid,size=100m \
--tmpfs /var/run:rw,noexec,nosuid,size=50m \
--tmpfs /var/log:rw,noexec,nosuid,size=50m \
--restart=unless-stopped \
$image
}
完整的配置脚本示例
#!/bin/bash
# 完整的容器安全配置脚本
setup_secure_container() {
local container_name=$1
local image=$2
# 参数验证
if [ -z "$container_name" ] || [ -z "$image" ]; then
echo "用法: setup_secure_container <container_name> <image>"
exit 1
fi
# 创建自定义网络
docker network create --driver bridge --internal secure-net 2>/dev/null || true
# 运行安全容器
docker run -d \
--name $container_name \
--network secure-net \
--user 1000:1000 \
--cap-drop=ALL \
--cap-add=NET_BIND_SERVICE \
--security-opt=no-new-privileges:true \
--security-opt=seccomp=./seccomp-profile.json \
--read-only \
--tmpfs /tmp:rw,noexec,nosuid,size=100m \
--tmpfs /var/run:rw,noexec,nosuid,size=50m \
--tmpfs /var/log:rw,noexec,nosuid,size=50m \
--memory="512m" \
--cpus="0.5" \
--pids-limit=100 \
--ulimit nofile=1024:2048 \
--restart=unless-stopped \
-v /custom/path:/mnt:ro \
$image
# 验证配置
if [ $? -eq 0 ]; then
echo "安全容器配置成功: $container_name"
check_security_config $container_name
else
echo "容器配置失败"
exit 1
fi
}
# 主函数
main() {
# 创建seccomp配置文件
create_seccomp_profile
# 设置安全容器
setup_secure_container "secure-app" "nginx:alpine"
}
# 执行主函数
main
安全配置检查清单
#!/bin/bash
# 安全配置检查
security_audit() {
local container_name=$1
echo "========== 安全配置审计 =========="
# 检查是否以root用户运行
local user=$(docker exec $container_name id -u)
if [ "$user" = "0" ]; then
echo "⚠️ 警告: 容器以root用户运行"
else
echo "✓ 容器以非root用户运行: $user"
fi
# 检查特权模式
local privileged=$(docker inspect $container_name --format '{{.HostConfig.Privileged}}')
if [ "$privileged" = "true" ]; then
echo "⚠️ 警告: 容器运行在特权模式"
else
echo "✓ 特权模式已禁用"
fi
# 检查能力配置
local cap_add=$(docker inspect $container_name --format '{{.HostConfig.CapAdd}}')
local cap_drop=$(docker inspect $container_name --format '{{.HostConfig.CapDrop}}')
echo "额外能力: $cap_add"
echo "删除能力: $cap_drop"
# 其他安全检查...
}
这些脚本示例展示了如何在Shell脚本中配置和管理容器权限策略,根据实际需求调整配置参数,并始终遵循最小权限原则。