Hey Habr!
In today's reality, with the ever-growing role of containerization in development processes, securing the various stages and entities associated with containers is far from the least important issue. Performing checks manually is time-consuming, so it would be good to take at least the first steps towards automating this process.
In this article, I will share ready-made scripts for implementing several Docker security utilities and instructions for setting up a small demo stand to try this process out. You can use the materials to experiment with how to organize security testing of images and Dockerfile instructions. Clearly, development and deployment infrastructure differs for everyone, so below I will give several possible options.
Security Check Utilities
There are a large number of different helper applications and scripts that check various aspects of a Docker infrastructure. Some of them have already been described in the previous article (
Hadolint
A fairly simple console utility that helps, as a first approximation, to assess the correctness and safety of Dockerfile instructions (for example, using only allowed image registries, or using sudo).
Dockle
A console utility that works with an image (or with an image saved as a tar archive) and checks the correctness and security of a particular image as such, analyzing its layers and configuration: which users were created, which instructions are used, which volumes are mounted, whether an empty password is present, and so on. So far the number of checks is not very large, and it is based on several of its own checks and recommendations.
Trivy
This utility is aimed at finding two types of vulnerabilities: problems in OS builds (Alpine, RedHat (EL), CentOS, Debian GNU, Ubuntu are supported) and problems in dependencies (Gemfile.lock, Pipfile.lock, composer.lock, package-lock.json, yarn.lock, Cargo.lock). Trivy can scan both an image in a repository and a local image, and it can also scan a transferred .tar file containing a Docker image.
Options for implementing the utilities
To try the described applications in an isolated environment, I will provide instructions for installing all the utilities as part of a simplified process.
The main idea is to demonstrate how you can implement automatic verification of the contents of Dockerfiles and Docker images created during development.
The verification itself consists of the following steps:
- Checking the correctness and safety of Dockerfile instructions with the linter utility Hadolint
- Checking the correctness and safety of the final and intermediate images with the utility Dockle
- Checking for publicly known vulnerabilities (CVE) in the base image and a number of dependencies with the utility Trivy
Later in the article I will give three options for implementing these steps:
The first is by configuring a CI/CD pipeline, using GitLab as an example (with a description of how to bring up a test instance).
The second is using a shell script.
The third is building a Docker image for scanning Docker images.
You can choose the option that suits you best, transfer it to your infrastructure and adapt it to your needs.
All the necessary files and additional instructions are also available in the repository:
GitLab CI/CD integration
In the first option, we will look at how security checks can be implemented using the GitLab repository system as an example. Here we will go through the steps and see how to set up a test environment with GitLab from scratch, create a scanning process, and run the utilities to check a test Dockerfile and an arbitrary image: the JuiceShop application.
Installing GitLab
1. Install Docker:
sudo apt-get update && sudo apt-get install docker.io
2. Add the current user to the docker group so that you can work with docker without using sudo:
sudo addgroup <username> docker
3. Find your IP:
ip addr
4. Install and run GitLab in a container, replacing the IP address in the hostname with your own:
docker run --detach \
--hostname 192.168.1.112 \
--publish 443:443 --publish 80:80 \
--name gitlab \
--restart always \
--volume /srv/gitlab/config:/etc/gitlab \
--volume /srv/gitlab/logs:/var/log/gitlab \
--volume /srv/gitlab/data:/var/opt/gitlab \
gitlab/gitlab-ce:latest
We wait for GitLab to complete all the necessary installation procedures (you can follow the process through the log output: docker logs -f gitlab).
5. Open your local IP in the browser and you will see a page offering to change the password for the root user:
Set a new password and go to GitLab.
6. Create a new project, for example cicd-test, and initialize it with the starter file README.md:
7. Now we need to install GitLab Runner: an agent that will run all the necessary operations on request.
Download the latest version (in this case, for Linux 64-bit):
sudo curl -L --output /usr/local/bin/gitlab-runner https://gitlab-runner-downloads.s3.amazonaws.com/latest/binaries/gitlab-runner-linux-amd64
8. Make it executable:
sudo chmod +x /usr/local/bin/gitlab-runner
9. Add an OS user for the Runner and start the service:
sudo useradd --comment 'GitLab Runner' --create-home gitlab-runner --shell /bin/bash
sudo gitlab-runner install --user=gitlab-runner --working-directory=/home/gitlab-runner
sudo gitlab-runner start
It should look something like this:
local@osboxes:~$ sudo gitlab-runner install --user=gitlab-runner --working-directory=/home/gitlab-runner
Runtime platform arch=amd64 os=linux pid=8438 revision=0e5417a3 version=12.0.1
local@osboxes:~$ sudo gitlab-runner start
Runtime platform arch=amd64 os=linux pid=8518 revision=0e5417a3 version=12.0.1
10. Now we register the Runner so that it can interact with our GitLab instance.
To do this, open the Settings-CI/CD page (http://OUR_IP_ADDRESS/root/cicd-test/-/settings/ci_cd) and on the Runners tab find the URL and the Registration token:
11. Register the Runner by substituting the URL and the Registration token:
sudo gitlab-runner register \
--non-interactive \
--url "http://<URL>/" \
--registration-token "<Registration Token>" \
--executor "docker" \
--docker-privileged \
--docker-image alpine:latest \
--description "docker-runner" \
--tag-list "docker,privileged" \
--run-untagged="true" \
--locked="false" \
--access-level="not_protected"
As a result, we get a ready-to-work GitLab, to which we need to add instructions for launching our utilities. In this demo we have no steps for building the application and containerizing it, but in a real environment these would precede the scanning steps and produce the images and the Dockerfile for analysis.
Pipeline configuration
1. Add to the repository the files mydockerfile.df (this is a test Dockerfile that we will check) and the GitLab CI/CD configuration file .gitlab-ci.yml, which lists the instructions for the scanners (note the dot in the file name).
The .yaml configuration file contains instructions for running the three utilities (Hadolint, Dockle, and Trivy), which will analyze the Dockerfile and the image selected through the DOCKERFILE and DOCKERIMAGE variables. All the necessary files can be taken from the repository:
Excerpt from mydockerfile.df (this is an abstract file with a set of arbitrary instructions, just to demonstrate how the utility works). Direct link to the file:
Contents of mydockerfile.df
FROM amd64/node:10.16.0-alpine@sha256:f59303fb3248e5d992586c76cc83e1d3700f641cbcd7c0067bc7ad5bb2e5b489 AS tsbuild
COPY package.json .
COPY yarn.lock .
RUN yarn install
COPY lib lib
COPY tsconfig.json tsconfig.json
COPY tsconfig.app.json tsconfig.app.json
RUN yarn build
FROM amd64/ubuntu:18.04@sha256:eb70667a801686f914408558660da753cde27192cd036148e58258819b927395
LABEL maintainer="Rhys Arkins <[email protected]>"
LABEL name="renovate"
...
COPY php.ini /usr/local/etc/php/php.ini
RUN cp -a /tmp/piik/* /var/www/html/
RUN rm -rf /tmp/piwik
RUN chown -R www-data /var/www/html
ADD piwik-cli-setup /piwik-cli-setup
ADD reset.php /var/www/html/
## ENTRYPOINT ##
ADD entrypoint.sh /entrypoint.sh
ENTRYPOINT ["/entrypoint.sh"]
USER root
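As an added illustration (not Hadolint's implementation and not code from the article's repository), the Python example below applies checks of the kind the linting stage performs to lines taken from the excerpt above: allowed registries, sudo in RUN, an untagged base image, and root as the final user. The allowlist, the check names and the second sample are assumptions made for the example.

```python
import re

ALLOWED_REGISTRIES = {"docker.io"}  # assumption: the only registry the policy trusts

def registry_of(image):
    """Registry host of an image reference; Docker Hub when no host is given."""
    first, _, rest = image.partition("/")
    if rest and ("." in first or ":" in first or first == "localhost"):
        return first
    return "docker.io"

def check_dockerfile(text, allowed=ALLOWED_REGISTRIES):
    """Return (line, check, detail) findings. Line continuations are not joined."""
    findings, stages, last_user = [], set(), None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        instr, _, args = line.partition(" ")
        instr = instr.upper()
        if instr == "FROM":
            last_user = None  # a new stage starts with its base image's user
            parts = [p for p in args.split() if not p.startswith("--")]
            if not parts:
                continue
            image = parts[0]
            if image != "scratch" and image not in stages:
                if registry_of(image) not in allowed:
                    findings.append((no, "untrusted-registry", registry_of(image)))
                name = image.rsplit("/", 1)[-1]
                if ":" not in name and "@" not in name:
                    findings.append((no, "untagged-base", image))
            if len(parts) == 3 and parts[1].upper() == "AS":
                stages.add(parts[2])
        elif instr == "USER":
            last_user = (no, args.split(":")[0].strip())
        elif instr == "RUN" and re.search(r"(^|[\s;&|])sudo\s", args):
            findings.append((no, "sudo-in-run", args))
    if last_user and last_user[1] in ("root", "0"):
        findings.append((last_user[0], "last-user-root", "USER " + last_user[1]))
    return findings

# Lines taken from the mydockerfile.df excerpt above.
EXCERPT = """\
FROM amd64/node:10.16.0-alpine@sha256:f59303fb3248e5d992586c76cc83e1d3700f641cbcd7c0067bc7ad5bb2e5b489 AS tsbuild
RUN yarn build
FROM amd64/ubuntu:18.04@sha256:eb70667a801686f914408558660da753cde27192cd036148e58258819b927395
RUN chown -R www-data /var/www/html
ENTRYPOINT ["/entrypoint.sh"]
USER root
"""

# Constructed sample with a hypothetical registry, to trigger the other checks.
CONSTRUCTED = """\
FROM registry.example.com/team/base
RUN sudo apt-get update
USER app
"""

if __name__ == "__main__":
    for sample in (EXCERPT, CONSTRUCTED):
        for finding in check_dockerfile(sample):
            print(finding)
```

On the excerpt only the final `USER root` is reported, which is the condition behind the DL3002 message in the tool output quoted in this article.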
The YAML configuration looks like this (the file itself can be taken from the direct link here:
Contents of .gitlab-ci.yml
variables:
  DOCKER_HOST: "tcp://docker:2375/"
  DOCKERFILE: "mydockerfile.df" # name of the Dockerfile to analyse
  DOCKERIMAGE: "bkimminich/juice-shop" # name of the Docker image to analyse
  # DOCKERIMAGE: "knqyf263/cve-2018-11235" # test Docker image with several CRITICAL CVE
  SHOWSTOPPER_PRIORITY: "CRITICAL" # what level of criticality will fail Trivy job
  TRIVYCACHE: "$CI_PROJECT_DIR/.cache" # where to cache Trivy database of vulnerabilities for faster reuse
  ARTIFACT_FOLDER: "$CI_PROJECT_DIR"

services:
  - docker:dind # to be able to build docker images inside the Runner

stages:
  - scan
  - report
  - publish

HadoLint:
  # Basic lint analysis of Dockerfile instructions
  stage: scan
  image: docker:git
  after_script:
    - cat $ARTIFACT_FOLDER/hadolint_results.json
  script:
    - export VERSION=$(wget -q -O - https://api.github.com/repos/hadolint/hadolint/releases/latest | grep '"tag_name":' | sed -E 's/.*"v([^"]+)".*/\1/')
    - wget https://github.com/hadolint/hadolint/releases/download/v${VERSION}/hadolint-Linux-x86_64 && chmod +x hadolint-Linux-x86_64
    # NB: hadolint will always exit with 0 exit code
    - ./hadolint-Linux-x86_64 -f json $DOCKERFILE > $ARTIFACT_FOLDER/hadolint_results.json || exit 0
  artifacts:
    when: always # return artifacts even after job failure
    paths:
      - $ARTIFACT_FOLDER/hadolint_results.json

Dockle:
  # Analysing best practices about docker image (users permissions, instructions followed when image was built, etc.)
  stage: scan
  image: docker:git
  after_script:
    - cat $ARTIFACT_FOLDER/dockle_results.json
  script:
    - export VERSION=$(wget -q -O - https://api.github.com/repos/goodwithtech/dockle/releases/latest | grep '"tag_name":' | sed -E 's/.*"v([^"]+)".*/\1/')
    - wget https://github.com/goodwithtech/dockle/releases/download/v${VERSION}/dockle_${VERSION}_Linux-64bit.tar.gz && tar zxf dockle_${VERSION}_Linux-64bit.tar.gz
    - ./dockle --exit-code 1 -f json --output $ARTIFACT_FOLDER/dockle_results.json $DOCKERIMAGE
  artifacts:
    when: always # return artifacts even after job failure
    paths:
      - $ARTIFACT_FOLDER/dockle_results.json

Trivy:
  # Analysing docker image and package dependencies against several CVE bases
  stage: scan
  image: docker:git
  script:
    # getting the latest Trivy
    - apk add rpm
    - export VERSION=$(wget -q -O - https://api.github.com/repos/knqyf263/trivy/releases/latest | grep '"tag_name":' | sed -E 's/.*"v([^"]+)".*/\1/')
    - wget https://github.com/knqyf263/trivy/releases/download/v${VERSION}/trivy_${VERSION}_Linux-64bit.tar.gz && tar zxf trivy_${VERSION}_Linux-64bit.tar.gz
    # displaying all vulnerabilities w/o failing the build
    - ./trivy -d --cache-dir $TRIVYCACHE -f json -o $ARTIFACT_FOLDER/trivy_results.json --exit-code 0 $DOCKERIMAGE
    # write vulnerabilities info to stdout in human readable format (reading pure json is not fun, eh?). You can remove this if you don't need this.
    - ./trivy -d --cache-dir $TRIVYCACHE --exit-code 0 $DOCKERIMAGE
    # failing the build if the SHOWSTOPPER priority is found
    - ./trivy -d --cache-dir $TRIVYCACHE --exit-code 1 --severity $SHOWSTOPPER_PRIORITY --quiet $DOCKERIMAGE
  artifacts:
    when: always # return artifacts even after job failure
    paths:
      - $ARTIFACT_FOLDER/trivy_results.json
  cache:
    paths:
      - .cache

Report:
  # combining tools outputs into one HTML
  stage: report
  when: always
  image: python:3.5
  script:
    - mkdir json
    - cp $ARTIFACT_FOLDER/*.json ./json/
    - pip install json2html
    - wget https://raw.githubusercontent.com/shad0wrunner/docker_cicd/master/convert_json_results.py
    - python ./convert_json_results.py
  artifacts:
    paths:
      - results.html
If necessary, you can also scan saved images in the form of a .tar archive (however, you will need to change the input parameters for the utilities in the YAML file).
NB: Trivy requires rpm and git to be installed. Otherwise, it will generate errors when scanning RedHat-based images and when fetching updates to the vulnerability database.
2. After the files are added to the repository, GitLab will automatically start the build and scan process according to the instructions in our configuration file. On the CI/CD → Pipelines tab you can see the progress of the instructions.
As a result, we have four jobs. Three of them deal directly with scanning, and the last one (Report) assembles a simple report from the scattered files with scan results.
By default, Trivy stops its execution if CRITICAL vulnerabilities are found in the image or its dependencies. At the same time, Hadolint always returns Success as its exit code, since its run always produces remarks, which would otherwise stop the build.
Depending on your specific requirements, you can configure the exit code so that these utilities also stop the build process when problems of a certain criticality are detected. In our case, the build will stop only if Trivy detects a vulnerability with the severity that we specified in the SHOWSTOPPER_PRIORITY variable in .gitlab-ci.yml.
The result of each utility's run can be viewed in the log of each scan job, directly in the json files in the artifacts section, or in a simple HTML report (more on that below):
3. To present the utility reports in a slightly more human-readable form, a small Python script is used to convert the three JSON files into one HTML file with a table of defects.
This script is launched by a separate Report job, and its final artifact is an HTML file with the report. The script source is also in the repository and can be adapted to your needs, colors, etc.
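The exit-code policy and the Report job described above both start from the same three JSON result files, so the added example below (not the repository's convert_json_results.py) flattens them into one list, derives a job exit code from a severity threshold, and renders an escaped HTML table. The JSON field names and the level mapping are assumptions to check against the tool versions in use; the sample findings are constructed from tool output quoted elsewhere in this article.

```python
import html

SEVERITIES = ["UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL"]
# Assumption: mapping of Hadolint and Dockle levels onto Trivy's severity scale.
LEVEL_MAP = {"style": "LOW", "info": "LOW", "warning": "MEDIUM", "error": "HIGH",
             "INFO": "LOW", "WARN": "MEDIUM", "FATAL": "CRITICAL"}

def _sev(value):
    """Map a tool-specific level to the common scale; anything else is UNKNOWN."""
    value = LEVEL_MAP.get(value, value)
    return value if value in SEVERITIES else "UNKNOWN"

def normalize(hadolint, dockle, trivy):
    """Flatten the three parsed JSON results into (tool, id, severity, detail) rows."""
    rows = []
    for f in hadolint or []:
        rows.append(("hadolint", f["code"], _sev(f["level"]),
                     "line %s: %s" % (f["line"], f["message"])))
    for d in (dockle or {}).get("details") or []:
        rows.append(("dockle", d["code"], _sev(d["level"]), d["title"]))
    # Trivy releases differ: a bare list of targets, or an object with "Results".
    if isinstance(trivy, dict):
        trivy = trivy.get("Results")
    for t in trivy or []:
        for v in t.get("Vulnerabilities") or []:  # null when the target is clean
            rows.append(("trivy", v["VulnerabilityID"], _sev(v.get("Severity")),
                         "%s %s (%s)" % (v["PkgName"], v["InstalledVersion"], t["Target"])))
    return rows

def gate(rows, threshold="CRITICAL"):
    """Exit code for the CI job: 1 if any finding is at or above the threshold."""
    limit = SEVERITIES.index(threshold)
    return int(any(SEVERITIES.index(r[2]) >= limit for r in rows))

def to_html(rows):
    """Render rows as one table; every cell is escaped because scanner output
    contains strings taken from the scanned image (file paths, package names)."""
    head = "<tr><th>Tool</th><th>ID</th><th>Severity</th><th>Detail</th></tr>"
    body = "".join("<tr>%s</tr>" % "".join("<td>%s</td>" % html.escape(str(c)) for c in r)
                   for r in rows)
    return "<table>%s%s</table>" % (head, body)

# Constructed sample results, built from findings shown in this article's output.
HADOLINT = [{"line": 248, "code": "DL3002", "level": "warning",
             "message": "Last USER should not be root"}]
DOCKLE = {"details": [{"code": "DKL-DI-0006", "level": "WARN",
                       "title": "Avoid latest tag"}]}
TRIVY = [{"Target": "juice-shop/frontend/package-lock.json", "Vulnerabilities": [
             {"VulnerabilityID": "CVE-2020-15256", "PkgName": "object-path",
              "InstalledVersion": "0.11.4", "Severity": "HIGH"},
             {"VulnerabilityID": "CVE-2020-15262", "PkgName": "webpack-subresource",
              "InstalledVersion": "1.4.1", "Severity": "LOW"}]},
         {"Target": "constructed/clean-target", "Vulnerabilities": None}]

if __name__ == "__main__":
    rows = normalize(HADOLINT, DOCKLE, TRIVY)
    print(to_html(rows))
    raise SystemExit(gate(rows, "HIGH"))
```

Run as the last command of a job, the exit status takes over the role that `--exit-code` plays for Trivy, with one threshold applied to all three tools.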
Shell script
The second option is suitable for cases where you need to check Docker images outside the CI/CD system, or where you need all the instructions in a form that can be executed directly on the host. This option is covered by a ready-made shell script that can be run on a clean virtual (or even real) machine. The script executes the same instructions as the gitlab-runner described above.
For the script to work successfully, Docker must be installed on the system and the current user must be in the docker group.
The script itself can be found here:
At the beginning of the file, variables specify which image should be scanned and which severity of vulnerabilities will cause the Trivy utility to exit with the specified error code.
During the script's execution, all utilities will be downloaded to the docker_tools directory, the results of their work will go to the docker_tools/json directory, and the HTML with the report will be in the file results.html.
Sample script output
~/docker_cicd$ ./docker_sec_check.sh
[+] Setting environment variables
[+] Installing required packages
[+] Preparing necessary directories
[+] Fetching sample Dockerfile
2020-10-20 10:40:00 (45.3 MB/s) - ‘Dockerfile’ saved [8071/8071]
[+] Pulling image to scan
latest: Pulling from bkimminich/juice-shop
[+] Running Hadolint
...
Dockerfile:205 DL3015 Avoid additional packages by specifying `--no-install-recommends`
Dockerfile:248 DL3002 Last USER should not be root
...
[+] Running Dockle
...
WARN - DKL-DI-0006: Avoid latest tag
* Avoid 'latest' tag
INFO - CIS-DI-0005: Enable Content trust for Docker
* export DOCKER_CONTENT_TRUST=1 before docker pull/build
...
[+] Running Trivy
juice-shop/frontend/package-lock.json
=====================================
Total: 3 (UNKNOWN: 0, LOW: 1, MEDIUM: 0, HIGH: 2, CRITICAL: 0)
+---------------------+------------------+----------+---------+-------------------------+
| LIBRARY | VULNERABILITY ID | SEVERITY | VERSION | TITLE |
+---------------------+------------------+----------+---------+-------------------------+
| object-path | CVE-2020-15256 | HIGH | 0.11.4 | Prototype pollution in |
| | | | | object-path |
+---------------------+------------------+ +---------+-------------------------+
| tree-kill | CVE-2019-15599 | | 1.2.2 | Code Injection |
+---------------------+------------------+----------+---------+-------------------------+
| webpack-subresource | CVE-2020-15262 | LOW | 1.4.1 | Unprotected dynamically |
| | | | | loaded chunks |
+---------------------+------------------+----------+---------+-------------------------+
juice-shop/package-lock.json
============================
Total: 20 (UNKNOWN: 0, LOW: 1, MEDIUM: 6, HIGH: 8, CRITICAL: 5)
...
juice-shop/package-lock.json
============================
Total: 5 (CRITICAL: 5)
...
[+] Removing left-overs
[+] Making the output look pretty
[+] Converting JSON results
[+] Writing results HTML
[+] Clean exit ============================================================
[+] Everything is done. Find the resulting HTML report in results.html
Docker image with all the utilities
As a third alternative, I prepared two simple Dockerfiles for creating an image with the security utilities. One Dockerfile helps build a set for scanning an image from a repository; the second (Dockerfile_tar) builds a set for scanning a tar file with an image.
1. Take the corresponding Dockerfile and scripts from the repository
2. Run it to build:
docker build -t dscan:image -f docker_security.df .
3. After the build is complete, create a container from the image. At the same time, we pass the DOCKERIMAGE environment variable with the name of the image we are interested in, and we mount the Dockerfile that we want to analyze from our machine to the file /Dockerfile (note that an absolute path to this file is required):
docker run --rm -v $(pwd)/results:/results -v $(pwd)/docker_security.df:/Dockerfile -e DOCKERIMAGE="bkimminich/juice-shop" dscan:image
[+] Setting environment variables
[+] Running Hadolint
/Dockerfile:3 DL3006 Always tag the version of an image explicitly
[+] Running Dockle
WARN - DKL-DI-0006: Avoid latest tag
* Avoid 'latest' tag
INFO - CIS-DI-0005: Enable Content trust for Docker
* export DOCKER_CONTENT_TRUST=1 before docker pull/build
INFO - CIS-DI-0006: Add HEALTHCHECK instruction to the container image
* not found HEALTHCHECK statement
INFO - DKL-LI-0003: Only put necessary files
* unnecessary file : juice-shop/node_modules/sqlite3/Dockerfile
* unnecessary file : juice-shop/node_modules/sqlite3/tools/docker/architecture/linux-arm64/Dockerfile
* unnecessary file : juice-shop/node_modules/sqlite3/tools/docker/architecture/linux-arm/Dockerfile
[+] Running Trivy
...
juice-shop/package-lock.json
============================
Total: 20 (UNKNOWN: 0, LOW: 1, MEDIUM: 6, HIGH: 8, CRITICAL: 5)
...
[+] Making the output look pretty
[+] Starting the main module ============================================================
[+] Converting JSON results
[+] Writing results HTML
[+] Clean exit ============================================================
[+] Everything is done. Find the resulting HTML report in results.html
Conclusions
We have looked at only one basic set of utilities for checking Docker artifacts, which, in my opinion, covers a decent part of image security requirements quite effectively. There are also a large number of paid and free tools that can perform the same checks, draw nice reports or work purely in console mode, cover container management systems, etc. An overview of these tools and how to integrate them may appear a little later.
The good thing about the set of tools described in this article is that they are all built on open source code, and you can experiment with them and other similar tools to find what exactly fits your needs and infrastructure. Of course, all vulnerabilities found should be studied for applicability in specific conditions, but that is a topic for a future big article.
I hope this guide, the scripts and the utilities will help you and become a starting point for creating a more secure infrastructure in the area of containerization.
Source: www.habr.com