
Research And Application On The Breakouts Monitoring Technology Of Docker Container

Posted on: 2022-08-07
Degree: Master
Type: Thesis
Country: China
Candidate: K Xu
Full Text: PDF
GTID: 2518306740951919
Subject: Computer technology

Abstract/Summary:
With the rapid development of cloud computing, the use of Docker has become more widespread. As many companies began to adopt Docker, potential security issues followed. Among the various security problems of Docker, there has been no suitable solution to container breakouts. Therefore, research on Docker container breakout monitoring technology has important practical significance. Against this background, this thesis studies a container breakout monitoring and reinforcement scheme for Docker and proposes the CFMAC (Container based on Fuzzy Mandatory Access Control) model. The model is divided into two parts: monitoring and control. For monitoring, the monitoring scheme is derived by analyzing the common points of existing container breakout cases. For control of Docker container breakouts, the security of the Docker container is improved by limiting the access rights of the container breakout process to files.

First, starting from the traditional Mandatory Access Control model BLP (Bell-La Padula) and combining it with the actual needs of Docker security reinforcement, this thesis divides the host's files into three categories from the perspective of the Docker container, and uses fuzzy cluster analysis and risk matrix analysis to divide subjects and objects into security levels. On this basis, the overall design of the model is based on Kubernetes, currently the most widely used Docker container workload management platform, and the access control goals of the CFMAC model in a single-machine environment and a cluster environment are clarified. Subsequently, based on existing container breakout cases, the characteristics of container breakouts are analyzed and a detailed container breakout monitoring program is given. Existing reproducible typical container breakout cases are used to test the monitoring program. The test results show that the container breakout process can be successfully monitored and timely feedback is sent to the administrator. Based on the LSM (Linux Security Model), the detailed design and implementation of the control scheme are then carried out. Finally, the Linux kernel is recompiled and successfully replaces the kernel of the CentOS 7 system. A Kubernetes cluster is built, and the CFMAC system is tested in both a single-machine environment and a cluster environment. The tests achieved the expected results: the access of the container breakout process to related files is successfully restricted, and the impact on performance is low. This realizes the security reinforcement of Docker containers and improves the security of the containers.
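The abstract describes the control stage as a BLP-based mandatory access control decision applied to a container process once the monitoring stage has flagged it, with host files grouped into three categories whose security levels come from a risk-matrix analysis. The following user-space model is an added example written for this page, not code from the thesis or the CFMAC implementation: the three level names, the path-to-category table, the 1..3 risk-matrix thresholds, the "flagged process is demoted to the lowest level" rule and the use of the strong *-property (write only at the subject's own level) are all assumptions chosen to make the decision logic concrete.

```python
"""Added example: a user-space model of a BLP-style MAC decision of the kind
the CFMAC control stage applies to a container process flagged as a breakout
candidate. Not the thesis's code; levels, path categories, risk thresholds and
the strong *-property variant are assumptions made for this illustration."""
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    """Security levels compared by the BLP rules (constructed for the example)."""
    PUBLIC = 0
    SENSITIVE = 1
    CRITICAL = 2


def risk_level(likelihood: int, impact: int) -> Level:
    """Risk-matrix assignment of an object level from 1..3 likelihood/impact
    scores. Stands in for the fuzzy clustering / risk matrix step of the
    thesis; the thresholds are assumptions."""
    if not (1 <= likelihood <= 3 and 1 <= impact <= 3):
        raise ValueError("scores must be in 1..3")
    score = likelihood * impact
    if score >= 6:
        return Level.CRITICAL
    if score >= 3:
        return Level.SENSITIVE
    return Level.PUBLIC


# Host path prefixes grouped into three categories (constructed sample data).
HOST_FILE_LEVELS = {
    "/var/lib/docker/overlay2/": risk_level(1, 1),  # container's own layers
    "/etc/": risk_level(2, 2),                      # host configuration
    "/proc/sys/": risk_level(3, 2),                 # kernel tunables
    "/var/run/docker.sock": risk_level(3, 3),       # daemon control socket
}


def classify(path: str) -> Level:
    """Longest matching prefix wins; unknown host paths fail closed to CRITICAL."""
    matches = [p for p in HOST_FILE_LEVELS if path.startswith(p)]
    if not matches:
        return Level.CRITICAL
    return HOST_FILE_LEVELS[max(matches, key=len)]


@dataclass
class Subject:
    pid: int
    clearance: Level
    flagged: bool = False  # set by the monitoring stage (assumed interface)


def blp_allows(subject: Level, obj: Level, op: str) -> bool:
    """Simple security property (no read-up) plus the strong *-property
    (write only at the subject's own level), so a demoted subject cannot
    blind-write into higher levels either."""
    if op == "read":
        return subject >= obj
    if op == "write":
        return subject == obj
    raise ValueError(f"unknown operation {op!r}")


AUDIT_LOG: list[str] = []  # feedback the control stage would hand to an administrator


def effective_clearance(subject: Subject) -> Level:
    """A flagged process is demoted to the lowest level (assumption)."""
    return Level.PUBLIC if subject.flagged else subject.clearance


def decide(subject: Subject, path: str, op: str) -> bool:
    """Access decision an LSM-style file hook would return for one operation."""
    level = effective_clearance(subject)
    obj = classify(path)
    allowed = blp_allows(level, obj, op)
    AUDIT_LOG.append(
        f"pid={subject.pid} flagged={subject.flagged} op={op} path={path} "
        f"subject={level.name} object={obj.name} -> {'ALLOW' if allowed else 'DENY'}"
    )
    return allowed


if __name__ == "__main__":
    normal = Subject(pid=101, clearance=Level.SENSITIVE)
    escaped = Subject(pid=102, clearance=Level.SENSITIVE, flagged=True)
    for subj in (normal, escaped):
        for path, op in [("/etc/passwd", "read"), ("/var/run/docker.sock", "write"),
                         ("/var/lib/docker/overlay2/abc/diff/app.log", "write")]:
            decide(subj, path, op)
    print("\n".join(AUDIT_LOG))
```

Running the block prints one audit line per decision: the unflagged process can read `/etc/passwd` but not touch the daemon socket, while the flagged process is confined to the PUBLIC category, which in this table is only its own overlay layers. Unknown paths deliberately classify as CRITICAL so that a gap in the category table denies rather than permits.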
Keywords/Search Tags: container breakouts of Docker, MAC (Mandatory Access Control), LSM (Linux Security Model), Kubernetes