Docker security check utilities: implementation options and examples

Hi Habr!

Given the growing role of containerisation in today's development processes, securing the various stages and artefacts involved in working with containers is far from a secondary concern. Running these checks by hand is laborious, so it is worth taking at least the first steps towards automating the process.

In this article I share ready-made scripts for deploying several Docker security utilities, together with instructions for setting up a small demo stand on which to try the process out. You can use the materials to experiment with how to organise security checks of Docker images and Dockerfile instructions. Every development and deployment infrastructure is obviously different, so below I give several possible options.

Security check utilities

There are many different utilities and scripts that check various aspects of a Docker infrastructure. Some of them were already described in the previous article (https://habr.com/ru/company/swordfish_security/blog/518758/#docker-security); in this one I want to focus on three that cover the bulk of the security requirements for the Docker images produced during development. I also show how these three utilities can be combined into a single pipeline that performs the security checks.

Hadolint
https://github.com/hadolint/hadolint

A very simple console utility that serves as a first pass at assessing the correctness and security of Dockerfile instructions (for example, that only approved image registries are used, or that sudo is not used).


Dockle
https://github.com/goodwithtech/dockle

A console utility that works on an image (or on a saved image tarball) and checks the correctness and security of that image by analysing its layers and configuration: which users were created, which instructions were used, which volumes are mounted, whether empty passwords are present, and so on. The number of checks is not large; they are based on a few of Dockle's own checks and on the recommendations of the CIS (Center for Internet Security) Docker Benchmark.

Trivy
https://github.com/aquasecurity/trivy

This utility targets two kinds of vulnerabilities: issues in OS packages (Alpine, RedHat (EL), CentOS, Debian GNU, Ubuntu are supported) and issues in application dependencies (Gemfile.lock, Pipfile.lock, composer.lock, package-lock.json, yarn.lock, Cargo.lock). Trivy can scan an image in a registry as well as a local image, and it can also scan a .tar file exported from a Docker image.


Options for deploying the utilities

So that you can try the utilities described above in isolated conditions, I give instructions for installing all of them as part of a simplified process.

The main idea is to show how you can implement automated content checks for the Dockerfiles and Docker images produced during development.

The check itself consists of the following stages:

  1. Checking the correctness and security of Dockerfile instructions with the Hadolint linter
  2. Checking the correctness and security of final and intermediate images with the Dockle utility
  3. Checking the base image and a number of dependencies for known vulnerabilities (CVE) with the Trivy utility

Further on I give three options for implementing these stages:
The first sets up a CI/CD pipeline, using GitLab as the example (with a description of how to bring up the test instance).
The second uses a shell script.
The third builds a Docker image for scanning Docker images.
You can choose the option that suits you best, port it to your infrastructure and adapt it to your needs.

All the required files and additional instructions are also available in the repository: https://github.com/Swordfish-Security/docker_cicd

GitLab CI/CD integration

In the first option we look at how the security checks can be implemented using the GitLab repository system as an example. We walk through the steps: setting up a test environment with GitLab from scratch, creating the scanning process, and running the utilities against a test Dockerfile and an arbitrary image, the JuiceShop application.

Installing GitLab
1. Install Docker:

sudo apt-get update && sudo apt-get install docker.io

2. Add the current user to the docker group so that you can work with docker without sudo (log out and back in afterwards for the new group membership to take effect; bear in mind that membership of the docker group is equivalent to root on the host, which is acceptable on a throwaway test VM):

sudo addgroup <username> docker

3. Find your IP address:

ip addr

4. Install and start GitLab in a container, replacing the IP address in hostname with your own:

docker run --detach \
--hostname 192.168.1.112 \
--publish 443:443 --publish 80:80 \
--name gitlab \
--restart always \
--volume /srv/gitlab/config:/etc/gitlab \
--volume /srv/gitlab/logs:/var/log/gitlab \
--volume /srv/gitlab/data:/var/opt/gitlab \
gitlab/gitlab-ce:latest

Wait until GitLab completes all the required setup procedures (you can follow the process in the log output: docker logs -f gitlab).

5. Open the local IP in a browser; you will see a page prompting you to change the root user's password.
Set a new password and log in to GitLab.

6. Create a new project, for example cicd-test, and initialise it with a starter README.md file.
7. Now install GitLab Runner: the agent that performs all the required operations on request.
Download the latest version (in this case, for Linux 64-bit):

sudo curl -L --output /usr/local/bin/gitlab-runner https://gitlab-runner-downloads.s3.amazonaws.com/latest/binaries/gitlab-runner-linux-amd64

8. Make it executable:

sudo chmod +x /usr/local/bin/gitlab-runner

9. Add an OS user for the Runner and start the service:

sudo useradd --comment 'GitLab Runner' --create-home gitlab-runner --shell /bin/bash
sudo gitlab-runner install --user=gitlab-runner --working-directory=/home/gitlab-runner
sudo gitlab-runner start

It should look like this:

local@osboxes:~$ sudo gitlab-runner install --user=gitlab-runner --working-directory=/home/gitlab-runner
Runtime platform arch=amd64 os=linux pid=8438 revision=0e5417a3 version=12.0.1
local@osboxes:~$ sudo gitlab-runner start
Runtime platform arch=amd64 os=linux pid=8518 revision=0e5417a3 version=12.0.1

10. Now register the Runner so that it can talk to our GitLab instance.
To do so, open the Settings → CI/CD page (http://OUR_IP_ADDRESS/root/cicd-test/-/settings/ci_cd) and in the Runners section find the URL and the Registration token.
11. Register the runner, substituting the URL and the Registration token:

sudo gitlab-runner register \
--non-interactive \
--url "http://<URL>/" \
--registration-token "<Registration Token>" \
--executor "docker" \
--docker-privileged \
--docker-image alpine:latest \
--description "docker-runner" \
--tag-list "docker,privileged" \
--run-untagged="true" \
--locked="false" \
--access-level="not_protected"

As a result we have a working GitLab, to which we now need to add the instructions for running our utilities. Note that --docker-privileged is required for the docker:dind service used below, but it gives every job root-equivalent access to the runner host: fine for this isolated demo, not for a shared runner. This demo has no application build and containerisation stages, but in a real environment they would precede the scanning stages and produce the images and Dockerfile for analysis.

Pipeline configuration

1. Add to the repository the file mydockerfile.df (the test Dockerfile we will check) and the GitLab CI/CD pipeline configuration file .gitlab-ci.yml, which holds the list of instructions for the scanners (note the leading dot in the file name).

The YAML configuration file contains the instructions for running the three utilities (Hadolint, Dockle and Trivy), which analyse the Dockerfile named in the DOCKERFILE variable and the image named in the DOCKERIMAGE variable. The jobs fetch the latest release binary of each tool from GitHub at run time; for anything beyond a demo, pin the versions and verify checksums rather than trusting whatever "latest" resolves to. All the required files can be taken from the repository: https://github.com/Swordfish-Security/docker_cicd/

An excerpt from mydockerfile.df (an abstract file with an arbitrary set of instructions, purely to show how the utility works). Direct link to the file: mydockerfile.df

Contents of mydockerfile.df

FROM amd64/node:10.16.0-alpine@sha256:f59303fb3248e5d992586c76cc83e1d3700f641cbcd7c0067bc7ad5bb2e5b489 AS tsbuild
COPY package.json .
COPY yarn.lock .
RUN yarn install
COPY lib lib
COPY tsconfig.json tsconfig.json
COPY tsconfig.app.json tsconfig.app.json
RUN yarn build
FROM amd64/ubuntu:18.04@sha256:eb70667a801686f914408558660da753cde27192cd036148e58258819b927395
LABEL maintainer="Rhys Arkins <[email protected]>"
LABEL name="renovate"
...
COPY php.ini /usr/local/etc/php/php.ini
RUN cp -a /tmp/piik/* /var/www/html/
RUN rm -rf /tmp/piwik
RUN chown -R www-data /var/www/html
ADD piwik-cli-setup /piwik-cli-setup
ADD reset.php /var/www/html/
## ENTRYPOINT ##
ADD entrypoint.sh /entrypoint.sh
ENTRYPOINT ["/entrypoint.sh"]
USER root

The YAML configuration looks like this (the file itself can be taken from the direct link: .gitlab-ci.yml):

Contents of .gitlab-ci.yml

variables:
    DOCKER_HOST: "tcp://docker:2375/"
    DOCKERFILE: "mydockerfile.df" # name of the Dockerfile to analyse   
    DOCKERIMAGE: "bkimminich/juice-shop" # name of the Docker image to analyse
    # DOCKERIMAGE: "knqyf263/cve-2018-11235" # test Docker image with several CRITICAL CVE
    SHOWSTOPPER_PRIORITY: "CRITICAL" # what level of criticality will fail Trivy job
    TRIVYCACHE: "$CI_PROJECT_DIR/.cache" # where to cache Trivy database of vulnerabilities for faster reuse
    ARTIFACT_FOLDER: "$CI_PROJECT_DIR"
 
services:
    - docker:dind # to be able to build docker images inside the Runner
 
stages:
    - scan
    - report
    - publish
 
HadoLint:
    # Basic lint analysis of Dockerfile instructions
    stage: scan
    image: docker:git
 
    after_script:
    - cat $ARTIFACT_FOLDER/hadolint_results.json
 
    script:
    - export VERSION=$(wget -q -O - https://api.github.com/repos/hadolint/hadolint/releases/latest | grep '"tag_name":' | sed -E 's/.*"v([^"]+)".*/\1/')
    - wget https://github.com/hadolint/hadolint/releases/download/v${VERSION}/hadolint-Linux-x86_64 && chmod +x hadolint-Linux-x86_64
     
    # NB: hadolint exits non-zero when it reports findings; "|| exit 0" forces this job to succeed so that lint remarks never fail the pipeline
    - ./hadolint-Linux-x86_64 -f json $DOCKERFILE > $ARTIFACT_FOLDER/hadolint_results.json || exit 0
 
    artifacts:
        when: always # return artifacts even after job failure       
        paths:
        - $ARTIFACT_FOLDER/hadolint_results.json
 
Dockle:
    # Analysing best practices about docker image (users permissions, instructions followed when image was built, etc.)
    stage: scan   
    image: docker:git
 
    after_script:
    - cat $ARTIFACT_FOLDER/dockle_results.json
 
    script:
    - export VERSION=$(wget -q -O - https://api.github.com/repos/goodwithtech/dockle/releases/latest | grep '"tag_name":' | sed -E 's/.*"v([^"]+)".*/\1/')
    - wget https://github.com/goodwithtech/dockle/releases/download/v${VERSION}/dockle_${VERSION}_Linux-64bit.tar.gz && tar zxf dockle_${VERSION}_Linux-64bit.tar.gz
    - ./dockle --exit-code 1 -f json --output $ARTIFACT_FOLDER/dockle_results.json $DOCKERIMAGE   
     
    artifacts:
        when: always # return artifacts even after job failure       
        paths:
        - $ARTIFACT_FOLDER/dockle_results.json
 
Trivy:
    # Analysing docker image and package dependencies against several CVE bases
    stage: scan   
    image: docker:git
 
    script:
    # getting the latest Trivy
    - apk add rpm
    - export VERSION=$(wget -q -O - https://api.github.com/repos/aquasecurity/trivy/releases/latest | grep '"tag_name":' | sed -E 's/.*"v([^"]+)".*/\1/')
    - wget https://github.com/aquasecurity/trivy/releases/download/v${VERSION}/trivy_${VERSION}_Linux-64bit.tar.gz && tar zxf trivy_${VERSION}_Linux-64bit.tar.gz
     
    # displaying all vulnerabilities w/o failing the build
    - ./trivy -d --cache-dir $TRIVYCACHE -f json -o $ARTIFACT_FOLDER/trivy_results.json --exit-code 0 $DOCKERIMAGE    
    
    # write vulnerabilities info to stdout in human readable format (reading pure json is not fun, eh?). You can remove this if you don't need this.
    - ./trivy -d --cache-dir $TRIVYCACHE --exit-code 0 $DOCKERIMAGE    
 
    # failing the build if the SHOWSTOPPER priority is found
    - ./trivy -d --cache-dir $TRIVYCACHE --exit-code 1 --severity $SHOWSTOPPER_PRIORITY --quiet $DOCKERIMAGE
         
    artifacts:
        when: always # return artifacts even after job failure
        paths:
        - $ARTIFACT_FOLDER/trivy_results.json
 
    cache:
        paths:
        - .cache
 
Report:
    # combining tools outputs into one HTML
    stage: report
    when: always
    image: python:3.5
     
    script:
    - mkdir json
    - cp $ARTIFACT_FOLDER/*.json ./json/
    - pip install json2html
    - wget https://raw.githubusercontent.com/shad0wrunner/docker_cicd/master/convert_json_results.py
    - python ./convert_json_results.py
     
    artifacts:
        paths:
        - results.html

If needed, you can scan saved images as .tar archives (but you will have to change the input parameters for the utilities in the YAML file).

Note: Trivy requires rpm and git to be installed (here git comes with the docker:git job image and rpm is added with apk). Otherwise it errors when scanning RedHat-based images and when fetching vulnerability database updates. Also note that newer Trivy releases expect the image subcommand (trivy image ...) rather than the bare image name used above.

2. Once the files are added to the repository, GitLab automatically starts the build-and-scan pipeline according to the instructions in our config file. You can watch the jobs execute on the CI/CD → Pipelines tab.

As a result we have four jobs. Three of them do the scanning itself and the last (Report) assembles a simple report from the scattered result files.
By default, Trivy fails its job if CRITICAL vulnerabilities are found in the image or its dependencies, whereas Hadolint is forced to return success in its exit code, because its output practically always contains remarks that would otherwise stop the build.

Depending on your requirements you can adjust the exit codes so that these utilities stop the build when issues of a given severity are found. In our case the build stops when Trivy finds a vulnerability of the severity specified in the SHOWSTOPPER_PRIORITY variable in .gitlab-ci.yml; Dockle is also run with --exit-code 1, so its job fails when it reports findings at its exit level (WARN by default).

The result of each utility can be seen in the log of the corresponding scan job, directly in the json files in the artifacts section, or in a simple HTML report (more on that below).

3. To present the utilities' reports in a somewhat more human-readable form, a small Python script converts the three json files into a single HTML file with a table of findings.
This script is run by the separate Report job, and its final artifact is the HTML file with the report. The script source is also in the repository and can be adapted to your needs, colours and so on.
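As an added example (this is not the article's convert_json_results.py, nor any of the tools' own code), the following Python script does in one place what the Report job and the third Trivy call do together: it reads the three JSON artifacts, renders one HTML-escaped table for all findings, and computes the job's exit code from a severity threshold. The three sample reports embedded in it are constructed by hand in the tools' JSON shapes (Hadolint's flat list, Dockle's details list, and Trivy's older top-level list as well as its newer Results wrapper); the Trivy rows reuse the CVEs from the article's own scan output, and the Dockle alert texts are illustrative. It also encodes a caveat worth knowing: the gate below treats the showstopper severity as a floor, whereas trivy --severity takes an explicit list, so --severity HIGH on its own would let CRITICAL findings pass.

```python
"""Severity gate and merged report over Hadolint, Dockle and Trivy JSON artifacts.
Added example, not the article's convert_json_results.py. The sample reports are
constructed by hand in the tools' JSON shapes; the CVE rows reuse findings that
appear in the article's own Trivy output."""
import html
import json
from collections import Counter

SEVERITY_ORDER = ["UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL"]  # Trivy scale, lowest first
DOCKLE_ORDER = ["INFO", "WARN", "FATAL"]                           # Dockle scale, lowest first

# --- constructed sample artifacts (shape only, not captured scanner runs) ---
HADOLINT_SAMPLE = json.dumps([  # hadolint -f json: a flat list of findings
    {"file": "mydockerfile.df", "line": 17, "column": 1, "code": "DL3020",
     "level": "error", "message": "Use COPY instead of ADD for files and folders"},
    {"file": "mydockerfile.df", "line": 22, "column": 1, "code": "DL3002",
     "level": "warning", "message": "Last USER should not be root"}])
DOCKLE_SAMPLE = json.dumps({  # dockle -f json: {"summary": {...}, "details": [...]}
    "summary": {"fatal": 1, "warn": 1, "info": 1, "pass": 10},
    "details": [
        {"code": "CIS-DI-0010", "level": "FATAL", "alerts": ["Suspicious ENV key found : PASSWORD"],
         "title": "Do not store credential in environment variables/files"},
        {"code": "DKL-DI-0006", "level": "WARN", "alerts": ["Avoid 'latest' tag"],
         "title": "Avoid latest tag"},
        {"code": "CIS-DI-0005", "level": "INFO", "title": "Enable Content trust for Docker",
         "alerts": ["export DOCKER_CONTENT_TRUST=1 before docker pull/build"]}]})
TRIVY_SAMPLE = json.dumps({  # trivy -f json, newer shape: {"Results": [...]}
    "SchemaVersion": 2,
    "Results": [
        {"Target": "bkimminich/juice-shop (alpine)", "Type": "alpine",
         "Vulnerabilities": None},  # Trivy writes null, not [], for a clean target
        {"Target": "juice-shop/frontend/package-lock.json", "Type": "npm",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-2020-15256", "PkgName": "object-path", "InstalledVersion": "0.11.4",
              "Severity": "HIGH", "Title": "Prototype pollution in object-path"},
             {"VulnerabilityID": "CVE-2019-15599", "PkgName": "tree-kill", "InstalledVersion": "1.2.2",
              "Severity": "HIGH", "Title": "Code Injection"},
             {"VulnerabilityID": "CVE-2020-15262", "PkgName": "webpack-subresource-integrity",
              "InstalledVersion": "1.4.1", "Severity": "LOW", "Title": "Unprotected dynamically loaded chunks"}]}]})
# The same data in the older shape (a bare top-level list) that 2020-era Trivy releases wrote.
TRIVY_SAMPLE_V1 = json.dumps(json.loads(TRIVY_SAMPLE)["Results"])

def load_hadolint(text):
    return [{"tool": "hadolint", "id": f["code"], "severity": f["level"].upper(),
             "where": "%s:%d" % (f["file"], f["line"]), "title": f["message"]}
            for f in json.loads(text)]

def load_dockle(text):
    return [{"tool": "dockle", "id": d["code"], "severity": d["level"].upper(),
             "where": "; ".join(d.get("alerts", [])), "title": d["title"]}
            for d in json.loads(text)["details"]]

def load_trivy(text):
    data = json.loads(text)
    results = data["Results"] if isinstance(data, dict) else data  # accept both shapes
    return [{"tool": "trivy", "id": v["VulnerabilityID"], "severity": v["Severity"].upper(),
             "where": "%s (%s %s)" % (r["Target"], v["PkgName"], v["InstalledVersion"]),
             "title": v.get("Title", "")}
            for r in results for v in (r.get("Vulnerabilities") or [])]

def count_by_severity(findings):
    return Counter(f["severity"] for f in findings)

def gate(findings, threshold, order):
    """(exit_code, hits): 1 if any finding is at or above `threshold` on `order`.
    The threshold is a floor here. `trivy --severity X` is NOT a floor but an explicit
    list, so `--severity HIGH` reports only HIGH and silently lets CRITICAL through."""
    floor = order.index(threshold)
    hits = [f for f in findings if f["severity"] in order and order.index(f["severity"]) >= floor]
    return (1 if hits else 0), hits

def gate_all(hadolint_text, dockle_text, trivy_text, showstopper="CRITICAL", dockle_exit_level="WARN"):
    """Hadolint stays advisory, as in the article's pipeline (its job is forced to exit 0);
    Dockle (default --exit-level WARN) and Trivy (SHOWSTOPPER_PRIORITY) may fail the build."""
    hadolint, dockle, trivy = load_hadolint(hadolint_text), load_dockle(dockle_text), load_trivy(trivy_text)
    dockle_rc, _ = gate(dockle, dockle_exit_level, DOCKLE_ORDER)
    trivy_rc, showstoppers = gate(trivy, showstopper, SEVERITY_ORDER)
    return {"exit_code": max(dockle_rc, trivy_rc),
            "showstoppers": [f["id"] for f in showstoppers],
            "counts": {t: dict(count_by_severity(x)) for t, x in
                       (("hadolint", hadolint), ("dockle", dockle), ("trivy", trivy))},
            "findings": hadolint + dockle + trivy}

def render_html(findings):
    """Stand-in for the json2html step: one HTML-escaped table for all three tools."""
    cols = ("tool", "severity", "id", "where", "title")
    head = "<tr>%s</tr>" % "".join("<th>%s</th>" % c for c in cols)
    rows = "".join("<tr>%s</tr>" % "".join("<td>%s</td>" % html.escape(str(f[c])) for c in cols)
                   for f in findings)
    return "<table>%s%s</table>" % (head, rows)

if __name__ == "__main__":
    report = gate_all(HADOLINT_SAMPLE, DOCKLE_SAMPLE, TRIVY_SAMPLE, showstopper="CRITICAL")
    print(json.dumps({k: report[k] for k in ("exit_code", "showstoppers", "counts")}, indent=2))
    with open("results.html", "w") as fh:
        fh.write(render_html(report["findings"]))
    raise SystemExit(report["exit_code"])  # non-zero fails the CI job, like trivy --exit-code 1
```

Run it as a plain script; its exit status is what a CI job would return. To use it against real artifacts, replace the three *_SAMPLE strings with the contents of hadolint_results.json, dockle_results.json and trivy_results.json from the artifacts folder. With the embedded samples the Trivy gate passes at CRITICAL but the Dockle WARN-level findings still fail the build, which is exactly the behaviour the pipeline above has with --exit-code 1 on Dockle.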

Shell script

The second option suits cases where you need to check Docker images outside a CI/CD system, or where you want all the instructions in a form that can be executed directly on a host. This option is covered by a ready-made shell script that can be run on a clean virtual (or even physical) machine. The script follows the same instructions as the gitlab-runner configuration above.

For the script to run successfully, Docker must be installed on the system and the current user must be in the docker group.

The script itself can be found here: docker_sec_check.sh

The variables at the top of the file define which image to scan and which severity of findings makes the Trivy utility exit with the specified error code.

While the script runs, all the utilities are downloaded into the docker_tools directory, their results are written to the docker_tools/json directory, and the HTML report goes to results.html.

Example script output

~/docker_cicd$ ./docker_sec_check.sh

[+] Setting environment variables
[+] Installing required packages
[+] Preparing necessary directories
[+] Fetching sample Dockerfile
2020-10-20 10:40:00 (45.3 MB/s) - ‘Dockerfile’ saved [8071/8071]
[+] Pulling image to scan
latest: Pulling from bkimminich/juice-shop
[+] Running Hadolint
...
Dockerfile:205 DL3015 Avoid additional packages by specifying `--no-install-recommends`
Dockerfile:248 DL3002 Last USER should not be root
...
[+] Running Dockle
...
WARN    - DKL-DI-0006: Avoid latest tag
        * Avoid 'latest' tag
INFO    - CIS-DI-0005: Enable Content trust for Docker
        * export DOCKER_CONTENT_TRUST=1 before docker pull/build
...
[+] Running Trivy
juice-shop/frontend/package-lock.json
=====================================
Total: 3 (UNKNOWN: 0, LOW: 1, MEDIUM: 0, HIGH: 2, CRITICAL: 0)

+---------------------+------------------+----------+---------+-------------------------+
|       LIBRARY       | VULNERABILITY ID | SEVERITY | VERSION |             TITLE       |
+---------------------+------------------+----------+---------+-------------------------+
| object-path         | CVE-2020-15256   | HIGH     | 0.11.4  | Prototype pollution in  |
|                     |                  |          |         | object-path             |
+---------------------+------------------+          +---------+-------------------------+
| tree-kill           | CVE-2019-15599   |          | 1.2.2   | Code Injection          |
+---------------------+------------------+----------+---------+-------------------------+
| webpack-subresource | CVE-2020-15262   | LOW      | 1.4.1   | Unprotected dynamically |
|                     |                  |          |         | loaded chunks           |
+---------------------+------------------+----------+---------+-------------------------+

juice-shop/package-lock.json
============================
Total: 20 (UNKNOWN: 0, LOW: 1, MEDIUM: 6, HIGH: 8, CRITICAL: 5)

...

juice-shop/package-lock.json
============================
Total: 5 (CRITICAL: 5)

...
[+] Removing left-overs
[+] Making the output look pretty
[+] Converting JSON results
[+] Writing results HTML
[+] Clean exit ============================================================
[+] Everything is done. Find the resulting HTML report in results.html

Docker image with all the utilities

As a third alternative I put together two simple Dockerfiles for building an image containing the security utilities. One Dockerfile builds the kit for scanning an image from a registry; the other (Dockerfile_tar) builds the kit for scanning a tar file containing an image.

1. Take the corresponding Dockerfile and scripts from the repository: https://github.com/Swordfish-Security/docker_cicd/tree/master/Dockerfile.
2. Run the build:

docker build -t dscan:image -f docker_security.df .

3. Once the build finishes, create a container from the image. At the same time, pass the DOCKERIMAGE environment variable with the name of the image we are interested in, and mount the Dockerfile we want to analyse from our machine to the file /Dockerfile (note that an absolute path to this file is required):

docker run --rm -v $(pwd)/results:/results -v $(pwd)/docker_security.df:/Dockerfile -e DOCKERIMAGE="bkimminich/juice-shop" dscan:image


[+] Setting environment variables
[+] Running Hadolint
/Dockerfile:3 DL3006 Always tag the version of an image explicitly
[+] Running Dockle
WARN    - DKL-DI-0006: Avoid latest tag
        * Avoid 'latest' tag
INFO    - CIS-DI-0005: Enable Content trust for Docker
        * export DOCKER_CONTENT_TRUST=1 before docker pull/build
INFO    - CIS-DI-0006: Add HEALTHCHECK instruction to the container image
        * not found HEALTHCHECK statement
INFO    - DKL-LI-0003: Only put necessary files
        * unnecessary file : juice-shop/node_modules/sqlite3/Dockerfile
        * unnecessary file : juice-shop/node_modules/sqlite3/tools/docker/architecture/linux-arm64/Dockerfile
        * unnecessary file : juice-shop/node_modules/sqlite3/tools/docker/architecture/linux-arm/Dockerfile
[+] Running Trivy
...
juice-shop/package-lock.json
============================
Total: 20 (UNKNOWN: 0, LOW: 1, MEDIUM: 6, HIGH: 8, CRITICAL: 5)
...
[+] Making the output look pretty
[+] Starting the main module ============================================================
[+] Converting JSON results
[+] Writing results HTML
[+] Clean exit ============================================================
[+] Everything is done. Find the resulting HTML report in results.html

Conclusions

We have looked at only one basic set of utilities for scanning Docker artefacts, which in my view cover a good part of image security requirements quite effectively. There are many other paid and free tools that perform the same checks, produce nicer reports or work only in console mode, or that also cover container orchestration systems. An overview of those tools and how to integrate them may appear a little later.

The upside of the toolset described in this article is that it is all open source, and you can experiment with these and similar tools to find what fully fits your requirements and the specifics of your infrastructure. Of course, every vulnerability found has to be examined for whether it applies in your particular conditions, but that is a topic for a future, larger article.

I hope these instructions, scripts and utilities help you and become a starting point for building a more secure infrastructure in the field of containerisation.

Manba: www.habr.com
