A scalable secure implementation of Docker runtime functionality for CentOS container and MariaDB container using Linux capabilities, SELinux and seccomp profiles. Base images were stripped down using Dockerslim and hardened to run as non-root users.
- 1. Create different network for containers
- 2. Set IP Addresses
- 3. Set hostnames
- 4. Set IP mapping with hostnames
- 5. Set port mapping with host machines
- 6. Set cpu cores
- 7. Set limited memory
- 8. Set memory swap
- 9. Limit pids
- 10. Set auto restarts
- 11. Set the container to be read only
- 12. Set writable temporary file systems that are required
- 13. Mount read only volumes
- 14. Set read, write output directory for stracing
- 15. Drop all capabilities and add only the required capabilities
- 16. Set name of the container
- 1. Set SELinux policies
- 2. Set seccomp profile
- 1. Strip the images to their bare minimum size
- 2. Add privilege escalation protection
- 3. No root inside dbserver container
- 4. Image stripping using dockerslim
- 5. Pushed images to registry
-
gcr.io/u2185920/csvs2022-db_i -
gcr.io/u2185920/csvs2022-web_i -
gcr.io/u2185920/csvs2022-db_i:stripped -
gcr.io/u2185920/csvs2022-web_i:stripped
-