
Detailed record

Author (Chinese): 廖子慶
Author (English): Liao, Zih-Cing
Title (Chinese): 一個Docker安全代理系統 (A secure proxy system for Docker)
Title (English): Ducker: A Secure Proxy System for Docker
Advisor (Chinese): 孫宏民
Advisor (English): Sun, Hung-Min
Committee members (Chinese): 許富皓, 黃世昆
Committee members (English): Hsu, Fu-Hau; Huang, Shih-Kun
Degree: Master
Institution: National Tsing Hua University
Department: Department of Computer Science
Student ID: 105062550
Year of publication (ROC calendar): 107 (2018)
Graduation academic year: 106 (2017/18)
Language: English
Pages: 27
Keywords (Chinese): 資訊安全 (information security), 容器化 (containerization), 代理系統 (proxy system)
Keywords (English): Security, Container, Docker, Proxy
Abstract (Chinese, translated):

With the rapid development of cloud technology, container technology has become a rising star, and among the many container platforms Docker is currently the most popular choice. However, Docker itself was not designed with security as a goal, and it has a number of information security issues.

In this study we design a system that integrates user access control, image vulnerability checking, and dynamic resource allocation. We add a user authentication component to manage the services of different users, use the open-source tool Clair to help the system detect vulnerabilities in images, and design a dynamic resource allocation algorithm that both mitigates denial-of-service attacks and allocates resources fairly among users. Our system not only improves the security of Docker but also lets users who do not hold Docker privileges use the Docker service through it, realizing the idea of "Docker as a service".
Abstract (English):

Containerization technology is getting attention in cloud-based IT environments, and Docker is the most popular container platform. However, Docker is not a security-oriented design, and the Docker platform has many security issues.

In this paper we build a system that integrates user access control, image vulnerability checking, and dynamic resource allocation. We use a "name prefix" scheme to achieve user access control. We use Clair to perform the image vulnerability check. We design a dynamic resource allocation algorithm to prevent DoS attacks and achieve fair sharing. This system not only secures the Docker service but also lets non-root users use the Docker service. Thereby Docker becomes a secure, general-purpose service.
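The abstract says that user access control is enforced through a "name prefix", and the thesis outline lists "escalating privilege with illegal options" and volume access control as the other concerns of the proxy. The Python below is an added example written for this page, not the Ducker proxy's own code, showing how a proxy in front of the Docker Engine API could enforce such a policy. Everything beyond "name prefix" is an assumption: that the proxy has already authenticated the user, that the prefix is `<user>-` and user names contain no `-` so prefixes cannot collide, that bind mounts must stay under `/home/<user>`, that `Privileged`, `CapAdd` and `PidMode=host` are the "illegal options" rejected, and that the proxy keeps an ID-to-name table filled from the daemon (the `names_by_id` parameter).

```python
"""Name-prefix access control for a Docker Engine API proxy.

Added example; not the thesis's code. Assumed (not stated on the page): the proxy
has already authenticated `user`; a container belongs to the user whose prefix
"<user>-" it carries; user names contain no "-" so prefixes cannot collide; bind
mounts must stay under /home/<user>; and the HostConfig options rejected below are
the "illegal options" that would otherwise escalate privilege.
"""
import posixpath
import re
from urllib.parse import parse_qs, urlparse

USER_RE = re.compile(r"^[a-z][a-z0-9]*$")      # assumed: no "-" inside user names
VERSION_RE = re.compile(r"^/v\d+\.\d+")        # Docker API paths may carry /v1.xx


def owns(user: str, name: str) -> bool:
    """A container is the user's iff its name is '<user>-<something>'."""
    return name.startswith(user + "-") and len(name) > len(user) + 1


def bind_allowed(user: str, bind: str) -> bool:
    """Bind 'src:dst[:opts]': the host source must normalise to inside /home/<user>.

    normpath resolves '..' so '/home/alice/../bob' is caught before the daemon sees it.
    """
    src = posixpath.normpath(bind.split(":", 1)[0])
    home = "/home/" + user
    return src == home or src.startswith(home + "/")


def check_host_config(user: str, host_config: dict) -> str:
    """Return '' if HostConfig is acceptable, else the reason to deny (assumed policy)."""
    if host_config.get("Privileged"):
        return "privileged containers are not allowed"
    if host_config.get("CapAdd"):
        return "adding capabilities is not allowed"
    if host_config.get("PidMode") == "host":
        return "host PID namespace is not allowed"
    for bind in host_config.get("Binds") or []:
        if not bind_allowed(user, bind):
            return f"bind mount outside user home: {bind}"
    return ""


def authorize(user: str, method: str, url: str, body: dict, names_by_id: dict):
    """Decide whether `user` may forward this request to the Docker daemon.

    `names_by_id` maps container IDs to names; the proxy is assumed to keep it
    current from the daemon, never from client input. Returns (allowed, reason).
    """
    if not USER_RE.match(user):
        return False, "invalid user name"
    parsed = urlparse(url)
    path = VERSION_RE.sub("", parsed.path)
    parts = path.strip("/").split("/")
    if len(parts) < 2 or parts[0] != "containers":
        return False, "endpoint not exposed by the proxy"

    if parts[1] == "create":
        if method != "POST":
            return False, "unexpected method"
        name = parse_qs(parsed.query).get("name", [""])[0]
        if not owns(user, name):
            return False, f"container name must start with '{user}-'"
        reason = check_host_config(user, body.get("HostConfig") or {})
        return (False, reason) if reason else (True, "ok")

    if parts[1] == "json":
        return True, "ok"          # listing; the proxy would filter the response by prefix

    # Anything else addresses one container: /containers/{id-or-name}[/action].
    # Unknown raw IDs fall through to the prefix check and are therefore denied.
    target = names_by_id.get(parts[1], parts[1])
    if not owns(user, target):
        return False, "container does not belong to user"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    print(authorize("alice", "POST", "/v1.37/containers/create?name=alice-web",
                    {"Image": "nginx"}, {}))
    print(authorize("alice", "POST", "/containers/create?name=alice-web",
                    {"HostConfig": {"Binds": ["/home/alice/../bob/data:/data"]}}, {}))
    print(authorize("alice", "DELETE", "/containers/abc123", {}, {"abc123": "bob-web"}))
```

The prefix check has to run on every endpoint that takes a container identifier, not only on create: Docker accepts both names and IDs there, so a proxy that only vets the create call still lets one user start, stop or exec into another user's container by ID. For the same reason the ID-to-name table must be populated from the daemon rather than from anything the client sends.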
Table of Contents
List of Figures
List of Tables
1 Introduction
1.1 Motivation
1.2 Contribution
1.3 Organization
2 Background
2.1 Containerization
2.1.1 Namespaces
2.1.2 Control groups
2.1.3 Union file systems
2.1.4 Kernel security system
2.2 Docker
2.2.1 Docker Engine
2.2.2 Docker Hub
3 Related Work
3.1 Privilege escalation
3.1.1 Escalating privilege with illegal options
3.1.2 Escaping from the container
3.2 Image vulnerability
3.3 Denial of service
4 System Design
4.1 Access Control
4.1.1 User Access Control
4.1.2 Volume Access Control
4.1.3 Security Options
4.2 Image Security
4.3 Resource Allocation
5 Implementation
5.1 Development Environment
5.2 Access Control
5.2.1 User Access Control
5.2.2 Volume Access Control
5.2.3 Security Options
5.3 Image Security
5.4 Dynamic Resource Allocation
6 Experimental Evaluation
6.1 Dynamic Resource Allocation
6.2 Performance
7 Conclusion
7.1 Conclusion
7.2 Future Work
(Full text not available: the author has not authorized its release.)