Chapter 11. Linux Containers

The Docker project is an open-source project that automates the deployment of applications inside Linux Containers, and provides the capability to package an application with its runtime dependencies into a container. It provides a command-line tool for the life cycle management of image-based containers. Linux containers enable rapid application deployment, simpler testing, maintenance, and troubleshooting while improving security. Using Red Hat Enterprise Linux 7 with containers allows customers to increase staff efficiency, deploy third-party applications faster, enable a more agile development environment, and manage resources more tightly.
To quickly get up-and-running with docker formatted containers, refer to Get Started with docker Formatted Containers.
Red Hat Enterprise Linux 7.1 ships with docker version 1.4.1, which includes a number of new features, security fixes, patches and changes. Highlights include:
  • The ENV instruction in the Dockerfile now supports arguments in the form of ENV name=value name2=value2 ...
  • An experimental overlayfs storage driver has been introduced.
  • An update is included for CVE-2014-9356: Path traversal during processing of absolute symlinks. Absolute symlinks were not adequately checked for traversal which created a vulnerability via image extraction and/or volume mounts.
  • An update is included for CVE-2014-9357: Escalation of privileges during decompression of LZMA (.xz) archives. Docker 1.3.2 added chroot for archive extraction. This created a vulnerability that could allow malicious images or builds to write files to the host system and escape containerization, leading to privilege escalation.
  • An update is included for CVE-2014-9358: Path traversal and spoofing opportunities via image identifiers. Image IDs passed either via docker load or registry communications were not sufficiently validated. This created a vulnerability to path traversal attacks wherein malicious images or repository spoofing could lead to graph corruption and manipulation.
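All three CVEs above are variants of one mistake: trusting a path taken from an archive or an image ID and joining it onto a host directory. The block below is an added example, not Docker's own code and not the 1.4.1 fix: it shows the rooted-join technique that closes the CVE-2014-9356 class, where a layer first ships a symlink such as `etc -> /etc` and then an entry `etc/passwd` that a naive `filepath.Join(root, name)` would write straight into the host's `/etc`. `SecureJoin` is an assumed helper name; it walks the path one component at a time, follows symlinks that already exist under the extraction root, treats absolute link targets as rooted at that directory rather than at the host `/`, and clamps `..` at the root instead of climbing above it. The malicious layout in `main` is constructed in a temporary directory.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// parent returns the directory part of a root-relative path, "" at the top.
func parent(p string) string {
	if d := filepath.Dir(p); d != "." && d != "/" {
		return d
	}
	return ""
}

// SecureJoin resolves unsafePath beneath root, following symlinks that already
// exist on disk but treating root as "/", so the result cannot point outside
// root even when a link target is absolute (the CVE-2014-9356 pattern).
// Assumed helper modelled on the rooted-join idea; it is not Docker's own code.
func SecureJoin(root, unsafePath string) (string, error) {
	root = filepath.Clean(root)
	var resolved string // root-relative path resolved so far
	rest := unsafePath
	hops := 0
	for rest != "" {
		var part string
		if i := strings.IndexByte(rest, '/'); i >= 0 {
			part, rest = rest[:i], rest[i+1:]
		} else {
			part, rest = rest, ""
		}
		switch part {
		case "", ".":
			continue
		case "..":
			resolved = parent(resolved) // clamps at root instead of climbing out
			continue
		}
		candidate := filepath.Join(resolved, part)
		fi, err := os.Lstat(filepath.Join(root, candidate))
		if err != nil {
			if os.IsNotExist(err) {
				resolved = candidate // not on disk yet, nothing to follow
				continue
			}
			return "", err
		}
		if fi.Mode()&os.ModeSymlink == 0 {
			resolved = candidate
			continue
		}
		if hops++; hops > 255 {
			return "", fmt.Errorf("too many symlinks while resolving %q", unsafePath)
		}
		target, err := os.Readlink(filepath.Join(root, candidate))
		if err != nil {
			return "", err
		}
		if filepath.IsAbs(target) {
			resolved = "" // absolute target: re-root at root, not at the host /
		} else {
			resolved = parent(candidate) // relative target: from the link's directory
		}
		// Re-queue the target followed by the unconsumed remainder. No Clean here,
		// so ".." inside the target is still handled component by component.
		if rest != "" {
			rest = target + "/" + rest
		} else {
			rest = target
		}
	}
	return filepath.Join(root, resolved), nil
}

func main() {
	root, err := os.MkdirTemp("", "extract")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(root)
	// Constructed malicious layer: a symlink "etc" -> /etc, followed by an
	// entry "etc/passwd", the order an image-extraction attack would use.
	if err := os.Symlink("/etc", filepath.Join(root, "etc")); err != nil {
		panic(err)
	}
	naive := filepath.Join(root, "etc/passwd")                // lexically inside root...
	actual, _ := filepath.EvalSymlinks(filepath.Dir(naive)) // ...but on disk it is the host's /etc
	safe, _ := SecureJoin(root, "etc/passwd")
	fmt.Println("naive join:", naive, "-> would write into", actual)
	fmt.Println("secure join:", safe)
}
```

The check has to run for every entry, not only for symlink headers: the symlink itself is harmless to write, it is the later regular-file entry whose parent directory is that link that escapes. Resolving against what is already on disk, as above, catches that ordering.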
Red Hat provides platform container images for building applications on both Red Hat Enterprise Linux 6 and Red Hat Enterprise Linux 7.
Red Hat also provides Kubernetes for orchestrating containers. For more information on Kubernetes, see Get Started Orchestrating Docker Containers with Kubernetes.
Linux containers are supported running on hosts with SELinux enabled. SELinux is not supported when the /var/lib/docker directory is located on a volume using the B-tree file system (Btrfs).

11.1. Components of docker Formatted Containers

The docker container format works with the following fundamental components:
  • Container – an application sandbox. Each container is based on an image that holds the necessary configuration data. When you launch a container from an image, a writable layer is added on top of that image. Each time the container is committed (with the docker commit command), a new image layer is added to store the changes.
  • Image – a static snapshot of a container's configuration. An image is a read-only layer that is never modified; all changes are made in the top-most writable layer and can be saved only by creating a new image. Each image depends on one or more parent images.
  • Platform Container Image – an image that has no parent. Platform container images define the runtime environment, packages, and utilities necessary for a containerized application to run. The platform image is read-only, so any changes are reflected in the copied images stacked on top of it. See an example of such stacking in Figure 11.1, “Image layering using Docker format”.
  • Registry – a repository of images. Registries are public or private repositories that contain images available for download. Some registries also allow users to upload images to share them with other users.
  • Dockerfile – a configuration file with the build instructions for a Docker image. Dockerfiles provide a way to automate, reuse, and share build procedures.
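The layering rules in the list above (read-only image layers, one writable layer per container, a commit that freezes that layer into a new image) are easy to get wrong in the head, so here is an added illustrative model of them in Go. It is not Docker's graph driver and stores "files" in maps; the `whiteout` marker is an assumption standing in for the deletion markers that union filesystems such as overlayfs use. Reads resolve top-down, writes and deletes only ever touch the container's upper layer, and `Commit` shares the parent layers rather than copying them, so the platform image is never modified.

```go
package main

import (
	"errors"
	"fmt"
)

// Layer maps a path to file contents. A value of whiteout marks a deletion
// that hides the same path in every layer below (assumed marker, in the
// spirit of union-filesystem whiteouts; not Docker's representation).
type Layer map[string]string

const whiteout = "\x00whiteout"

// Image is an ordered stack of read-only layers, platform image first.
type Image struct {
	Layers []Layer
}

// Container is an image plus the single writable layer the container may change.
type Container struct {
	base  *Image
	upper Layer
}

func NewContainer(img *Image) *Container {
	return &Container{base: img, upper: Layer{}}
}

func resolve(path, v string) (string, error) {
	if v == whiteout {
		return "", errors.New("no such file: " + path)
	}
	return v, nil
}

// Read resolves a path top-down: newer layers shadow older ones.
func (img *Image) Read(path string) (string, error) {
	for i := len(img.Layers) - 1; i >= 0; i-- {
		if v, ok := img.Layers[i][path]; ok {
			return resolve(path, v)
		}
	}
	return "", errors.New("no such file: " + path)
}

// Read consults the writable layer first, then the image underneath.
func (c *Container) Read(path string) (string, error) {
	if v, ok := c.upper[path]; ok {
		return resolve(path, v)
	}
	return c.base.Read(path)
}

// Write and Remove only ever touch the upper layer (copy-on-write).
func (c *Container) Write(path, contents string) { c.upper[path] = contents }
func (c *Container) Remove(path string)          { c.upper[path] = whiteout }

// Commit freezes a copy of the writable layer as a new read-only layer on a
// new image. The parent layers are shared with the original image, not copied.
func (c *Container) Commit() *Image {
	frozen := Layer{}
	for k, v := range c.upper {
		frozen[k] = v
	}
	layers := append(append([]Layer{}, c.base.Layers...), frozen)
	return &Image{Layers: layers}
}

func main() {
	// Constructed platform image with two files.
	platform := &Image{Layers: []Layer{{"/etc/os-release": "rhel7", "/bin/sh": "sh"}}}
	c := NewContainer(platform)
	c.Write("/app/config", "v1")
	c.Remove("/bin/sh")
	img := c.Commit()
	fmt.Println("layers in committed image:", len(img.Layers))
	_, err := img.Read("/bin/sh")
	fmt.Println("/bin/sh in committed image:", err)
	v, _ := platform.Read("/bin/sh")
	fmt.Println("/bin/sh in platform image is still:", v)
}
```

The property worth noticing for security review is the last one: a container, and even a committed image derived from it, can hide or replace a file, but it can never alter the platform layer it was built on, which is why platform images can be shared and audited once.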
Figure 11.1. Image layering using Docker format