Container related concepts

The image starts as a container

Container arrangement ： Cluster management tool

A well-known container choreography tool ：Kubernetes、Apache Mesos、Docker Swarm、Openshift、Rancher etc.

The concept of microservice ： Microservice is to split all modules in a complete application into multiple different services , Each of these services can be deployed independently 、 Maintenance and expansion , Services usually go through RESTful API signal communication , These services are built around business capabilities , And each service can use different programming languages and different data storage technologies .

Microservice governance framework ：Dubbo、Spring Cloud、 Service Grid （ Light agent ）

Serverless: Build and run applications and services without considering the server . Realize the design principle of separating business logic implementation from infrastructure . Realization way ：BaaS(Backend as a Service Back end as a service ） and FaaS(Functions as a Service Functions are services ）

The risks of container mirroring ： Unsafe third-party components （ There are loopholes in the mirror ）、 The malicious image that spreads wildly 、 Sensitive information that is easily leaked （ Database password 、 certificate 、 Private keys are packaged into images and uploaded to the Internet ）

Risks of moving containers ：

1、 Unsafe container applications （ Vulnerable containers , Mapped port ）

2、 Unrestricted resource sharing （ By default, the resources of the host machine can be used indefinitely , Lead to exhaustion of resources ）

3、 Unsafe configuration and mounting

    --privileged: The container will not be affected Seccomp And other security mechanisms , In container root Permissions will become the same as root Permissions are the same

    --net=host: The container will be in the same network namespace as the host （ Network isolation is broken ）

    --pid=host: The container will be in the same process namespace as the host （ Process isolation is broken ）

    --volume /:/host: The host root directory will be mounted inside the container （ File system isolation is broken ）

The risks of container network ：

CAP_NET_RAW Permission has the ability to construct and send ICMP、ARP The ability to wait for messages , Easy to happen ARP cheating 、DNS Hijacking and other middleman attacks