Methods and examples of implementing Docker security check utilities

Hi Habr!

In today's environment, with containers taking on an ever-larger share of the work at every stage of development, checking the security of those stages and of the container-related entities is far from the least of the concerns. Performing the checks by hand is laborious, so it makes sense to take the first steps towards automating the process.

In this article I share ready-made scripts for running several Docker security utilities, together with instructions for setting up a small demo stand on which to try the process out. You can use the materials to experiment with organising the security testing of Dockerfiles and Docker images. Obviously, every organisation's development and deployment infrastructure is different, so below I offer several options.

Security check utilities

There is a large number of helper applications and scripts that check various aspects of a Docker infrastructure. Some of them were already described in the previous article (https://habr.com/ru/company/swordfish_security/blog/518758/#docker-security); in this one I want to focus on three of them, which cover the bulk of the security requirements for Docker images built during development. In addition, I will show an example of how these three utilities can be combined into a single pipeline for performing security checks.

Hadolint
https://github.com/hadolint/hadolint

A fairly simple console utility that helps, as a first step, to assess the correctness and security of Dockerfile instructions (for example, the use of only allowed image registries, or the use of sudo).


Dockle
https://github.com/goodwithtech/dockle

A console utility that works on an image (or on a saved image tarball) and checks the correctness and security of a specific image as such, by analysing its layers and configuration: which users are created, which instructions are used, which volumes are mounted, the presence of an empty password, and so on. The number of checks is not very large; it is based on several of the tool's own checks plus recommendations from the CIS (Center for Internet Security) Benchmark for Docker.

Trivy
https://github.com/aquasecurity/trivy

This utility is aimed at finding two types of vulnerabilities: problems in OS packages (Alpine, RedHat (EL), CentOS, Debian GNU, Ubuntu are supported) and problems in dependencies (Gemfile.lock, Pipfile.lock, composer.lock, package-lock.json, yarn.lock, Cargo.lock). Trivy can scan both an image in a registry and a local image, and can also scan from a transferred .tar file containing a Docker image.


Utility implementation options

To try the described applications in an isolated environment, I provide instructions for installing all the utilities as part of a simplified process.

The main idea is to show how you can implement automated internal checking of the Dockerfiles and Docker images created during development.

The check itself consists of the following steps:

  1. Checking the correctness and security of Dockerfile instructions with the Hadolint linter utility
  2. Checking the correctness and security of the final and intermediate images with the Dockle utility
  3. Checking for publicly known vulnerabilities (CVE) in the base image and a number of dependencies, using Trivy

Later in the article I give three options for implementing these steps:
The first is configuring a CI/CD pipeline, using GitLab as an example (with a description of how to bring up a test instance).
The second is using a shell script.
The third is building a Docker image for scanning Docker images.
You can choose the option that suits you best, transfer it to your infrastructure and adapt it to your needs.

All the required files and additional instructions are also in the repository: https://github.com/Swordfish-Security/docker_cicd

GitLab CI/CD integration

In the first option we look at how security checks can be implemented using the GitLab repository system as an example. We will go through the steps and see how to set up a test environment with GitLab from scratch, create a scanning process and run the utilities against a test Dockerfile and an arbitrary image, the JuiceShop application.

Installing GitLab
1. Install Docker:

sudo apt-get update && sudo apt-get install docker.io

2. Add the current user to the docker group so that you can work with docker without sudo:

sudo addgroup <username> docker

3. Find your IP:

ip addr

4. Install and run GitLab in a container, replacing the IP address in the hostname with yours:

docker run --detach \
--hostname 192.168.1.112 \
--publish 443:443 --publish 80:80 \
--name gitlab \
--restart always \
--volume /srv/gitlab/config:/etc/gitlab \
--volume /srv/gitlab/logs:/var/log/gitlab \
--volume /srv/gitlab/data:/var/opt/gitlab \
gitlab/gitlab-ce:latest

We wait for GitLab to complete all the required installation procedures (you can follow the process through the log output: docker logs -f gitlab).

5. Open your local IP in a browser; you will see a page prompting you to change the root user's password:
Set a new password and log in to GitLab.

6. Create a new project, for example cicd-test, and initialise it with a README.md file:
7. Now we need to install GitLab Runner: the agent that will execute all the required jobs on request.
Download the latest version (in this case for Linux 64-bit):

sudo curl -L --output /usr/local/bin/gitlab-runner https://gitlab-runner-downloads.s3.amazonaws.com/latest/binaries/gitlab-runner-linux-amd64

8. Make it executable:

sudo chmod +x /usr/local/bin/gitlab-runner

9. Add an OS user for the Runner and start the service:

sudo useradd --comment 'GitLab Runner' --create-home gitlab-runner --shell /bin/bash
sudo gitlab-runner install --user=gitlab-runner --working-directory=/home/gitlab-runner
sudo gitlab-runner start

It should look like this:

local@osboxes:~$ sudo gitlab-runner install --user=gitlab-runner --working-directory=/home/gitlab-runner
Runtime platform arch=amd64 os=linux pid=8438 revision=0e5417a3 version=12.0.1
local@osboxes:~$ sudo gitlab-runner start
Runtime platform arch=amd64 os=linux pid=8518 revision=0e5417a3 version=12.0.1

10. Now we register the Runner so that it can interact with our GitLab instance.
To do this, open the Settings - CI/CD page (http://OUR_IP_ADDRESS/root/cicd-test/-/settings/ci_cd) and on the Runners tab find the URL and the Registration token:
11. Register the Runner, entering the URL and Registration token:

sudo gitlab-runner register \
--non-interactive \
--url "http://<URL>/" \
--registration-token "<Registration Token>" \
--executor "docker" \
--docker-privileged \
--docker-image alpine:latest \
--description "docker-runner" \
--tag-list "docker,privileged" \
--run-untagged="true" \
--locked="false" \
--access-level="not_protected"

As a result, we have a ready-made working GitLab, to which we need to add the commands that launch our utilities. In this demo there are no steps for building the application and packaging it into containers, but in a real environment those would precede the scanning steps and produce the images and Dockerfile to be analysed.

Pipeline configuration

1. Add to the repository the file mydockerfile.df (the test Dockerfile we will check) and the GitLab CI/CD process configuration file .gitlab-ci.yml, which describes the scanner commands (note the dot in the file name).

The YAML configuration file contains commands for running the three utilities (Hadolint, Dockle and Trivy), which will analyse the Dockerfile specified in the DOCKERFILE variable and the image specified in the DOCKERIMAGE variable. All the required files can be taken from the repository: https://github.com/Swordfish-Security/docker_cicd/

Excerpt from mydockerfile.df (this is a deliberately meaningless file containing a set of contradictory instructions, purely to demonstrate how the utilities work). Direct link to the file: mydockerfile.df

Contents of mydockerfile.df

FROM amd64/node:10.16.0-alpine@sha256:f59303fb3248e5d992586c76cc83e1d3700f641cbcd7c0067bc7ad5bb2e5b489 AS tsbuild
COPY package.json .
COPY yarn.lock .
RUN yarn install
COPY lib lib
COPY tsconfig.json tsconfig.json
COPY tsconfig.app.json tsconfig.app.json
RUN yarn build
FROM amd64/ubuntu:18.04@sha256:eb70667a801686f914408558660da753cde27192cd036148e58258819b927395
LABEL maintainer="Rhys Arkins <[email protected]>"
LABEL name="renovate"
...
COPY php.ini /usr/local/etc/php/php.ini
RUN cp -a /tmp/piik/* /var/www/html/
RUN rm -rf /tmp/piwik
RUN chown -R www-data /var/www/html
ADD piwik-cli-setup /piwik-cli-setup
ADD reset.php /var/www/html/
## ENTRYPOINT ##
ADD entrypoint.sh /entrypoint.sh
ENTRYPOINT ["/entrypoint.sh"]
USER root

The YAML configuration looks like this (the file itself can be taken from the direct link here: .gitlab-ci.yml):

Contents of .gitlab-ci.yml

variables:
    DOCKER_HOST: "tcp://docker:2375/"
    DOCKERFILE: "mydockerfile.df" # name of the Dockerfile to analyse   
    DOCKERIMAGE: "bkimminich/juice-shop" # name of the Docker image to analyse
    # DOCKERIMAGE: "knqyf263/cve-2018-11235" # test Docker image with several CRITICAL CVE
    SHOWSTOPPER_PRIORITY: "CRITICAL" # what level of criticality will fail Trivy job
    TRIVYCACHE: "$CI_PROJECT_DIR/.cache" # where to cache Trivy database of vulnerabilities for faster reuse
    ARTIFACT_FOLDER: "$CI_PROJECT_DIR"
 
services:
    - docker:dind # to be able to build docker images inside the Runner
 
stages:
    - scan
    - report
    - publish
 
HadoLint:
    # Basic lint analysis of Dockerfile instructions
    stage: scan
    image: docker:git
 
    after_script:
    - cat $ARTIFACT_FOLDER/hadolint_results.json
 
    script:
    - export VERSION=$(wget -q -O - https://api.github.com/repos/hadolint/hadolint/releases/latest | grep '"tag_name":' | sed -E 's/.*"v([^"]+)".*/\1/')
    - wget https://github.com/hadolint/hadolint/releases/download/v${VERSION}/hadolint-Linux-x86_64 && chmod +x hadolint-Linux-x86_64
     
    # NB: hadolint will always exit with 0 exit code
    - ./hadolint-Linux-x86_64 -f json $DOCKERFILE > $ARTIFACT_FOLDER/hadolint_results.json || exit 0
 
    artifacts:
        when: always # return artifacts even after job failure       
        paths:
        - $ARTIFACT_FOLDER/hadolint_results.json
 
Dockle:
    # Analysing best practices about docker image (users permissions, instructions followed when image was built, etc.)
    stage: scan   
    image: docker:git
 
    after_script:
    - cat $ARTIFACT_FOLDER/dockle_results.json
 
    script:
    - export VERSION=$(wget -q -O - https://api.github.com/repos/goodwithtech/dockle/releases/latest | grep '"tag_name":' | sed -E 's/.*"v([^"]+)".*/\1/')
    - wget https://github.com/goodwithtech/dockle/releases/download/v${VERSION}/dockle_${VERSION}_Linux-64bit.tar.gz && tar zxf dockle_${VERSION}_Linux-64bit.tar.gz
    - ./dockle --exit-code 1 -f json --output $ARTIFACT_FOLDER/dockle_results.json $DOCKERIMAGE   
     
    artifacts:
        when: always # return artifacts even after job failure       
        paths:
        - $ARTIFACT_FOLDER/dockle_results.json
 
Trivy:
    # Analysing docker image and package dependencies against several CVE bases
    stage: scan   
    image: docker:git
 
    script:
    # getting the latest Trivy
    - apk add rpm
    - export VERSION=$(wget -q -O - https://api.github.com/repos/knqyf263/trivy/releases/latest | grep '"tag_name":' | sed -E 's/.*"v([^"]+)".*/\1/')
    - wget https://github.com/knqyf263/trivy/releases/download/v${VERSION}/trivy_${VERSION}_Linux-64bit.tar.gz && tar zxf trivy_${VERSION}_Linux-64bit.tar.gz
     
    # displaying all vulnerabilities w/o failing the build
    - ./trivy -d --cache-dir $TRIVYCACHE -f json -o $ARTIFACT_FOLDER/trivy_results.json --exit-code 0 $DOCKERIMAGE    
    
    # write vulnerabilities info to stdout in human readable format (reading pure json is not fun, eh?). You can remove this if you don't need this.
    - ./trivy -d --cache-dir $TRIVYCACHE --exit-code 0 $DOCKERIMAGE    
 
    # failing the build if the SHOWSTOPPER priority is found
    - ./trivy -d --cache-dir $TRIVYCACHE --exit-code 1 --severity $SHOWSTOPPER_PRIORITY --quiet $DOCKERIMAGE
         
    artifacts:
        when: always # return artifacts even after job failure
        paths:
        - $ARTIFACT_FOLDER/trivy_results.json
 
    cache:
        paths:
        - .cache
 
Report:
    # combining tools outputs into one HTML
    stage: report
    when: always
    image: python:3.5
     
    script:
    - mkdir json
    - cp $ARTIFACT_FOLDER/*.json ./json/
    - pip install json2html
    - wget https://raw.githubusercontent.com/shad0wrunner/docker_cicd/master/convert_json_results.py
    - python ./convert_json_results.py
     
    artifacts:
        paths:
        - results.html

If necessary, you can also scan images saved as a .tar archive (you will, however, have to change the utilities' input parameters in the YAML file).

NB: Trivy requires rpm and Git to be installed. Otherwise it produces errors when scanning RedHat-based images and when fetching updates to the vulnerability database.

2. Once the files are added to the repository, GitLab automatically starts the build and scanning process according to the instructions in our configuration file. On the CI/CD → Pipelines tab you can follow the progress of the jobs.

As a result we have four jobs. Three of them are directly involved in scanning, and the last one (Report) assembles a simple report from the separate files containing the scanner results.
By default, Trivy stops its execution if CRITICAL vulnerabilities are found in the image or its dependencies. Hadolint, on the other hand, always returns a Success exit code, since its run always produces remarks, which would otherwise stop the build.

Depending on your specific requirements, you can configure the exit codes so that these utilities also stop the build process when problems of a given criticality are detected. In our case the build stops only if Trivy detects vulnerabilities of the criticality we specified in the SHOWSTOPPER_PRIORITY variable in .gitlab-ci.yml.

The result of each utility's work can be viewed in the log of each scanning job, directly in the json files in the artifacts section, or in a simple HTML report (more on that below):

3. To present the utility reports in a slightly more human-readable form, a small Python script is used to convert the three json files into one HTML file with a table of defects.
This script is launched by the separate Report job, and its final artifact is an HTML file containing the report. The script source is also in the repository and can be adapted to your needs, colours, etc.
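
As an added example (my own code, not the article's convert_json_results.py), the following script shows what the Report job and the SHOWSTOPPER_PRIORITY gate do: it parses constructed samples of the three tools' JSON output (values taken from the console output in this article), counts Trivy findings by severity, decides whether the build should fail, and renders one HTML table per tool. The JSON shapes are those the tools produced at the time of the article; the newer Trivy wrapper with a Results key is accepted too.

```python
import html
import json

SEVERITY_ORDER = ["UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL"]

# Constructed sample documents shaped like each tool's JSON output (values from the article's console output).
HADOLINT_JSON = """[
 {"file": "Dockerfile", "line": 248, "column": 1, "code": "DL3002", "level": "warning",
  "message": "Last USER should not be root"}]"""
DOCKLE_JSON = """{"summary": {"fatal": 0, "warn": 1, "info": 1}, "details": [
 {"code": "DKL-DI-0006", "title": "Avoid latest tag", "level": "WARN", "alerts": ["Avoid 'latest' tag"]},
 {"code": "CIS-DI-0005", "title": "Enable Content trust for Docker", "level": "INFO",
  "alerts": ["export DOCKER_CONTENT_TRUST=1 before docker pull/build"]}]}"""
TRIVY_JSON = """[{"Target": "juice-shop/frontend/package-lock.json", "Vulnerabilities": [
 {"VulnerabilityID": "CVE-2020-15256", "PkgName": "object-path", "InstalledVersion": "0.11.4",
  "Severity": "HIGH", "Title": "Prototype pollution in object-path"},
 {"VulnerabilityID": "CVE-2020-15262", "PkgName": "webpack-subresource", "InstalledVersion": "1.4.1",
  "Severity": "LOW", "Title": "Unprotected dynamically loaded chunks"}]}]"""

def load_trivy(doc):
    """Flatten Trivy results; accepts the old top-level list and the newer {"Results": [...]} wrapper."""
    data = json.loads(doc)
    results = data.get("Results", []) if isinstance(data, dict) else data
    rows = []
    for r in results or []:
        for v in r.get("Vulnerabilities") or []:  # null when a target is clean
            sev = str(v.get("Severity", "UNKNOWN")).upper()
            rows.append({"target": r["Target"], "id": v["VulnerabilityID"], "pkg": v["PkgName"],
                         "version": v.get("InstalledVersion", ""), "title": v.get("Title", ""),
                         "severity": sev if sev in SEVERITY_ORDER else "UNKNOWN"})
    return rows

def load_hadolint(doc):
    return [(f["line"], f["code"], f["level"], f["message"]) for f in json.loads(doc)]

def load_dockle(doc):
    return [(d["code"], d["level"], d["title"], "; ".join(d.get("alerts", [])))
            for d in json.loads(doc)["details"]]

def severity_counts(vulns):
    counts = {s: 0 for s in SEVERITY_ORDER}
    for v in vulns:
        counts[v["severity"]] += 1
    return counts

def showstoppers(vulns, threshold):
    """Findings that fail the build. The pipeline passes SHOWSTOPPER_PRIORITY to
    `trivy --severity`, which matches exact levels; here the value is treated as a minimum."""
    floor = SEVERITY_ORDER.index(threshold.upper())
    return [v for v in vulns if SEVERITY_ORDER.index(v["severity"]) >= floor]

def html_table(title, headers, rows):
    head = "".join(f"<th>{html.escape(h)}</th>" for h in headers)
    body = "".join("<tr>" + "".join(f"<td>{html.escape(str(c))}</td>" for c in r) + "</tr>" for r in rows)
    return f"<h2>{html.escape(title)}</h2><table><tr>{head}</tr>{body}</table>"

def build_report(hadolint_doc, dockle_doc, trivy_doc, threshold="CRITICAL"):
    """Return (html_report, severity_counts, showstoppers) for the three JSON documents."""
    vulns = load_trivy(trivy_doc)
    page = "<html><body>" + html_table("Hadolint", ["line", "code", "level", "message"], load_hadolint(hadolint_doc))
    page += html_table("Dockle", ["code", "level", "title", "alerts"], load_dockle(dockle_doc))
    page += html_table("Trivy", ["target", "id", "pkg", "version", "severity", "title"],
                       [(v["target"], v["id"], v["pkg"], v["version"], v["severity"], v["title"]) for v in vulns])
    return page + "</body></html>", severity_counts(vulns), showstoppers(vulns, threshold)

if __name__ == "__main__":
    report, counts, stoppers = build_report(HADOLINT_JSON, DOCKLE_JSON, TRIVY_JSON, "HIGH")
    open("results.html", "w").write(report)
    raise SystemExit(1 if stoppers else 0)  # non-zero exit fails the CI job, like Trivy's --exit-code 1
```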

Shell script

The second option suits cases where you need to check Docker images outside a CI/CD system, or where you need all the commands in a form that can be executed directly on the host. This option is covered by a ready-made shell script that can be run on a clean virtual (or even a physical) machine. The script follows the same commands as the gitlab-runner configuration above.

For the script to run successfully, Docker must be installed on the system and the current user must be in the docker group.

The script itself can be found here: docker_sec_check.sh

At the beginning of the file, variables define which image should be scanned and which vulnerability severity will make the Trivy utility exit with the specified error code.

While the script runs, all the utilities are downloaded into the docker_tools directory, the results of their work go into the docker_tools/json directory, and the HTML with the report ends up in the file results.html.

Example script output

~/docker_cicd$ ./docker_sec_check.sh

[+] Setting environment variables
[+] Installing required packages
[+] Preparing necessary directories
[+] Fetching sample Dockerfile
2020-10-20 10:40:00 (45.3 MB/s) - ‘Dockerfile’ saved [8071/8071]
[+] Pulling image to scan
latest: Pulling from bkimminich/juice-shop
[+] Running Hadolint
...
Dockerfile:205 DL3015 Avoid additional packages by specifying `--no-install-recommends`
Dockerfile:248 DL3002 Last USER should not be root
...
[+] Running Dockle
...
WARN    - DKL-DI-0006: Avoid latest tag
        * Avoid 'latest' tag
INFO    - CIS-DI-0005: Enable Content trust for Docker
        * export DOCKER_CONTENT_TRUST=1 before docker pull/build
...
[+] Running Trivy
juice-shop/frontend/package-lock.json
=====================================
Total: 3 (UNKNOWN: 0, LOW: 1, MEDIUM: 0, HIGH: 2, CRITICAL: 0)

+---------------------+------------------+----------+---------+-------------------------+
|       LIBRARY       | VULNERABILITY ID | SEVERITY | VERSION |             TITLE       |
+---------------------+------------------+----------+---------+-------------------------+
| object-path         | CVE-2020-15256   | HIGH     | 0.11.4  | Prototype pollution in  |
|                     |                  |          |         | object-path             |
+---------------------+------------------+          +---------+-------------------------+
| tree-kill           | CVE-2019-15599   |          | 1.2.2   | Code Injection          |
+---------------------+------------------+----------+---------+-------------------------+
| webpack-subresource | CVE-2020-15262   | LOW      | 1.4.1   | Unprotected dynamically |
|                     |                  |          |         | loaded chunks           |
+---------------------+------------------+----------+---------+-------------------------+

juice-shop/package-lock.json
============================
Total: 20 (UNKNOWN: 0, LOW: 1, MEDIUM: 6, HIGH: 8, CRITICAL: 5)

...

juice-shop/package-lock.json
============================
Total: 5 (CRITICAL: 5)

...
[+] Removing left-overs
[+] Making the output look pretty
[+] Converting JSON results
[+] Writing results HTML
[+] Clean exit ============================================================
[+] Everything is done. Find the resulting HTML report in results.html

Docker image with all the utilities

As a third option, I wrote two simple Dockerfiles for creating an image with the security utilities. One Dockerfile builds a kit for checking an image from a registry; the second (Dockerfile_tar) builds a kit for checking a tar file containing an image.

1. Take the corresponding Docker file and scripts from the repository https://github.com/Swordfish-Security/docker_cicd/tree/master/Dockerfile.
2. Run the build:

docker build -t dscan:image -f docker_security.df .

3. After the build completes, create a container from the image. At the same time we pass the DOCKERIMAGE environment variable with the name of the image we are interested in, and mount the Dockerfile we want to analyse from our machine to the file /Dockerfile (note that an absolute path to this file is required):

docker run --rm -v $(pwd)/results:/results -v $(pwd)/docker_security.df:/Dockerfile -e DOCKERIMAGE="bkimminich/juice-shop" dscan:image


[+] Setting environment variables
[+] Running Hadolint
/Dockerfile:3 DL3006 Always tag the version of an image explicitly
[+] Running Dockle
WARN    - DKL-DI-0006: Avoid latest tag
        * Avoid 'latest' tag
INFO    - CIS-DI-0005: Enable Content trust for Docker
        * export DOCKER_CONTENT_TRUST=1 before docker pull/build
INFO    - CIS-DI-0006: Add HEALTHCHECK instruction to the container image
        * not found HEALTHCHECK statement
INFO    - DKL-LI-0003: Only put necessary files
        * unnecessary file : juice-shop/node_modules/sqlite3/Dockerfile
        * unnecessary file : juice-shop/node_modules/sqlite3/tools/docker/architecture/linux-arm64/Dockerfile
        * unnecessary file : juice-shop/node_modules/sqlite3/tools/docker/architecture/linux-arm/Dockerfile
[+] Running Trivy
...
juice-shop/package-lock.json
============================
Total: 20 (UNKNOWN: 0, LOW: 1, MEDIUM: 6, HIGH: 8, CRITICAL: 5)
...
[+] Making the output look pretty
[+] Starting the main module ============================================================
[+] Converting JSON results
[+] Writing results HTML
[+] Clean exit ============================================================
[+] Everything is done. Find the resulting HTML report in results.html

Conclusion

We have covered only one basic set of Docker artifact scanning tools, which in my opinion covers a sufficient share of image security requirements quite effectively. There are many other paid and free tools that can perform the same checks, draw nice reports or work purely in console mode, cover container orchestration systems, and so on. A review of these tools and of how to integrate them may appear later.

The good thing about the set of utilities described in the article is that they are all open source, and you can experiment with them and with other similar tools to find what exactly fits your requirements and infrastructure. Of course, every vulnerability found should be studied for its applicability to your specific conditions, but that is a topic for a future, bigger article.

I hope these instructions, scripts and utilities help you and become a starting point for building more secure infrastructure in the field of containerisation.

Source: www.habr.com
