Platforms

Rootless containers

NOT ON THE CURRENT EDITION
This blip is not on the current edition of the radar. If it was on one of the last few editions it is likely that it is still relevant. If the blip is older it might no longer be relevant and our assessment might be different today. Unfortunately, we simply don't have the bandwidth to continuously review blips from previous editions of the radar.
Nov 2019
Assess

Ideally, containers should be managed and run by their respective container runtime without root privileges. This is not trivial, but when it is achieved it reduces the attack surface and avoids whole classes of security problems, in particular privilege escalation out of the container. Rootless containers have been discussed in the community for a long time; they are part of the Open Container Initiative runtime specification and its standard implementation runc, which underpins Kubernetes. Docker 19.03 now introduces rootless containers as an experimental feature. Although fully functional, the feature is not yet compatible with some other parts, such as cgroups resource controls and AppArmor security profiles.
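The security property behind the paragraph above is that, in a rootless setup, "root" inside the container is only an unprivileged user on the host, so escaping the container does not yield host root. The mapping is visible in /proc/&lt;pid&gt;/uid_map. The following shell check is an added example written for this page; it is not code from the Radar, Docker or runc. It classifies a uid_map as rootful or rootless and resolves an in-container uid to its host uid. The two sample maps are constructed, and the 100000/65536 subordinate-uid range is an assumed typical /etc/subuid allocation rather than a value taken from a real system.

```shell
#!/usr/bin/env bash
# Added example (not from the Radar page): classify a container's uid_map to tell
# whether "root" inside the container is real host root or an unprivileged user.
#
# Each line of /proc/<pid>/uid_map is:  <ns-start> <host-start> <length>
# A conventional (rootful) container has no user namespace, so the map is the
# identity map "0 0 4294967295": uid 0 inside is uid 0 on the host.
# A rootless container maps uid 0 inside to the unprivileged user that started
# the daemon, and the remaining uids to that user's /etc/subuid range.

# host_uid_for NS_UID UID_MAP_TEXT -> host uid, or "unmapped" if NS_UID is
# outside every mapped range (such uids appear as the overflow uid, 65534).
host_uid_for() {
    local ns_uid=$1 map=$2
    printf '%s\n' "$map" | awk -v u="$ns_uid" '
        NF == 3 && u >= $1 && u < $1 + $3 { print $2 + (u - $1); found = 1; exit }
        END { if (!found) print "unmapped" }'
}

# classify_uid_map UID_MAP_TEXT -> "rootful" | "rootless" | "unmapped-root"
# rootful:       uid 0 inside is uid 0 on the host (escape == host root)
# rootless:      uid 0 inside is some non-zero host uid (escape == that user)
# unmapped-root: uid 0 is not mapped at all (root inside is the overflow uid)
classify_uid_map() {
    local host_root
    host_root=$(host_uid_for 0 "$1")
    case $host_root in
        0)        echo rootful ;;
        unmapped) echo unmapped-root ;;
        *)        echo rootless ;;
    esac
}

# Constructed sample maps (assumed values, not captured from a real system).
# Rootful: identity map, no user namespace.
ROOTFUL_MAP='         0          0 4294967295'
# Rootless: daemon started by host uid 1000, subuid range 100000-165535.
ROOTLESS_MAP='         0       1000          1
         1     100000      65536'

# Usage: run with --self on Linux to classify the current process's own mapping,
# e.g. from inside a container shell.
if [ "${1:-}" = "--self" ]; then
    classify_uid_map "$(cat /proc/self/uid_map)"
fi
```

With the rootless sample, uid 0 inside resolves to host uid 1000 and uid 5 to 100004, which is exactly why a container breakout in that mode lands on an unprivileged account. On a daemon running in rootless mode, `docker info` also reports `rootless` among its Security Options, which is a quicker check from the host side.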