
Docker Container Hardening Method Based On Trusted Computing

Posted on: 2021-04-12 | Degree: Master | Type: Thesis
Country: China | Candidate: Y A Shen | Full Text: PDF
GTID: 2518306470467464 | Subject: Software engineering
Abstract/Summary:
Docker is a lightweight virtualization technology. Compared with traditional virtualization methods, the application process in a Docker container runs directly on the host's kernel: the container has no kernel of its own and performs no hardware virtualization. Docker containers are therefore more portable than traditional virtual machines. But neither Docker container technology nor the underlying Linux kernel mechanisms it relies on are yet mature, and they are far from being tried and tested in the way virtual machine technology is. At least for now, containers do not provide the same level of security assurance as virtual machines: Docker's isolation is incomplete, image files are easily tampered with, and running containers are not safe. Based on an analysis of the existing isolation mechanisms and security enhancement techniques of Docker containers, this paper uses trusted computing technology to propose a method of hardening Docker containers that builds a chain of trust across the entire life cycle of the container, thus ensuring that Docker operates in a trusted and secure environment from image download to container startup.

The method measures and hardens Docker separately during image download and at container runtime. For the image, a three-part measurement is performed to build the transfer of the trust chain. In the image download stage, an image signature mechanism ensures that the downloaded image has not been tampered with in the repository. After the image is downloaded locally, an image scanner inspects the image itself for problems. Before the container is started, the image file is measured with a cryptographic algorithm to detect tampering with the local image file. After the container is started, the work divides into two parts. One part dynamically measures Docker by building a container monitoring platform, using cAdvisor + InfluxDB + Grafana to monitor the resources used by the container. The other part strengthens container isolation by restricting container capabilities, including restricting container networking, setting process blacklists to limit what can run inside the container, and limiting CPU usage, application resources, memory usage and the file system.
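As an added illustration (not code from the thesis), the measure-before-start step and the runtime restrictions described above in Python: the local image archive is hashed with SHA-256 and compared against the value recorded when it was enrolled, and only a matching image is started, with the network, capability, CPU, memory and file-system restrictions expressed as `docker run` flags. The policy values, image reference and archive bytes are assumptions; the signature check at download, the image scanner and the process blacklist are outside this snippet.

```python
import hashlib
import hmac
import subprocess
from dataclasses import dataclass

@dataclass(frozen=True)
class HardeningPolicy:
    # Runtime restrictions applied when a measured image is started (values are assumptions).
    cpus: str = "1.0"               # CPU usage limit
    memory: str = "256m"            # memory usage limit
    network: str = "none"           # restrict container networking
    read_only_rootfs: bool = True   # file system restriction
    dropped_caps: tuple = ("ALL",)  # capability restriction

def measure_image(image_archive: bytes) -> str:
    """Measure a locally stored image archive (e.g. `docker save` output) with SHA-256."""
    return hashlib.sha256(image_archive).hexdigest()

def verify_measurement(image_archive: bytes, expected_hex: str) -> bool:
    """Compare the fresh measurement against the value recorded at enrollment time."""
    return hmac.compare_digest(measure_image(image_archive), expected_hex.lower())

def build_run_command(image_ref: str, policy: HardeningPolicy) -> list:
    """Assemble the `docker run` flags that enforce the policy (real Docker CLI flags)."""
    cmd = ["docker", "run", "--rm",
           "--network", policy.network,
           "--cpus", policy.cpus,
           "--memory", policy.memory,
           "--security-opt", "no-new-privileges"]
    for cap in policy.dropped_caps:
        cmd += ["--cap-drop", cap]
    if policy.read_only_rootfs:
        cmd += ["--read-only", "--tmpfs", "/tmp:rw,noexec,nosuid"]
    cmd.append(image_ref)
    return cmd

def launch_if_trusted(image_archive: bytes, expected_hex: str, image_ref: str,
                      policy: HardeningPolicy, runner=subprocess.run):
    """Gate container start on the measurement; return the command used, or None if refused."""
    if not verify_measurement(image_archive, expected_hex):
        return None  # local image file no longer matches the recorded measurement: do not start
    cmd = build_run_command(image_ref, policy)
    runner(cmd, check=True)
    return cmd

if __name__ == "__main__":
    archive = b"constructed stand-in for a saved image archive"
    baseline = measure_image(archive)  # recorded after download and scan
    print(launch_if_trusted(archive, baseline, "example/app:1.0", HardeningPolicy(), runner=lambda c, check: None))
    print(launch_if_trusted(archive + b"!", baseline, "example/app:1.0", HardeningPolicy(), runner=lambda c, check: None))
```

The second call returns None because the tampered archive no longer matches the enrolled measurement, so no container is started.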
Keywords/Search Tags: docker, trusted computing, container