The Design And Implementation Of Security Isolation System About Docker Virtualization

With the rapid development of computer technology,cloud computing has had a profound impact on all walks of life,and with the wide application of cloud computing,virtualization technology based on resource pooling has also developed rapidly.Docker is emerging as an operating system-level virtualization solution that gradually replaces traditional virtualization solutions and is widely used by major cloud service providers and the Internet organizations.However,while Docker has been widely used for its own advantages,it has also leaked more and more defects,such as poor isolation,incomplete isolation,etc.,leading to the occurrence of container escape,container and host computer defects,user data leakage and other security issues.In addition,the traditional security solutions such as SELinux have high security,but due to their own complicated implementation,poor compatibility,and inconvenient management,they cannot adapt to Docker's isolation and sharing of shared data volume files.Therefore,the isolation of containers in Docker and efficient and secure shared file isolation is a problem that Docker security solutions need to solve.This thesis designs and implements a mandatory access control system CMAC(Container based MAC)based on LSM for the security issues facing Docker.The CMAC system includes two parts,the container process isolation and the shared data volume isolation,which is intended to protect the host machine file and the container's read-write layer image and achieve the safe sharing and isolation of files between the containers.In terms of container process isolation,CMAC implements an access control systems that a container can be only allowed to access the readable and writable layer images which it belongs to,be prevented to files that do not belong to its own readable and writable layer images and the host machine's restricted access lists.In terms of container shared data volume isolation,CMAC proposes an isolation scheme for sharing files,basing on the fact that Docker containers can share files quickly by sharing data volumes.In this scheme,CMAC groups the containers in the host machine,by giving each container an id between groups and a level id within the group.Containers that do not belong to the same group cannot access each other.Containers in the same group can be allowed to access the other containers according to the security level within the group.Finally,this thesis gives the detail designs and implementation process of CMAC and the final test results.In a word,the whole research of the thesis includes:(1).For the security issues of Docker,a mandatory access control system named CMAC was designed and implemented based on LSM.The CMAC system implemented container process isolation and shared data volume isolation.(2).In the Docker virtualization environment,the thesis presents the design and implementation of the CMAC mandatory access control system and tests the functionality and performance of the system.In general,the CMAC mandatory access system completes the isolation of container processes and the isolation of shared data volumes,effectively protects the security of host files and container image files,and enables flexible and efficient data sharing between the containers.