Contents
1. System requirements
2. Configure the repository
3. Install Docker Engine
4. Start Docker
5. Verify
6. A short primer
6.1. What is libseccomp?
6.2. What is seccomp?
6.3. And what is BPF?
1. System requirements
- CentOS 7 or 8
2. Configure the repository
- Install yum-utils
sudo yum install -y yum-utils
- Add the Docker repository (one command)
sudo yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
3. Install Docker Engine
sudo yum install docker-ce docker-ce-cli containerd.io --allowerasing
Note that --allowerasing is a dnf option: on CentOS 8, where yum is dnf, it lets the install remove the distribution's conflicting container packages (podman and buildah); the yum on CentOS 7 does not accept the flag, so drop it there.
4. Start Docker
sudo systemctl start docker
5. Verify
sudo docker run hello-world
If the first run fails, install libseccomp-devel and run the test again:
sudo yum install libseccomp-devel
sudo docker run hello-world
6. A short primer (quoted in English)
6.1. What is libseccomp?
The libseccomp library provides an easy to use, platform independent, interface to the Linux Kernel's syscall filtering mechanism. The libseccomp API is designed to abstract away the underlying BPF based syscall filter language and present a more conventional function-call based filtering interface that should be familiar to, and easily adopted by, application developers.
6.2. What is seccomp?
A large number of system calls are exposed to every userland process with many of them going unused for the entire lifetime of the process. As system calls change and mature, bugs are found and eradicated. A certain subset of userland applications benefit by having a reduced set of available system calls. The resulting set reduces the total kernel surface exposed to the application. System call filtering is meant for use with those applications.
Seccomp filtering (SECure COMPuting with filters) provides a means for a process to specify a filter for incoming system calls. The filter is expressed as a Berkeley Packet Filter (BPF) program, as with socket filters, except that the data operated on is related to the system call being made: system call number and the system call arguments. This allows for expressive filtering of system calls using a filter program language with a long history of being exposed to userland and a straightforward data set.
6.3. And what is BPF?
The Berkeley Packet Filter (BPF) is a technology used in certain computer operating systems for programs that need to, among other things, analyze network traffic (and eBPF is an extended BPF JIT virtual machine in the Linux kernel). It provides a raw interface to data link layers, permitting raw link-layer packets to be sent and received.
BPF supports filtering packets, allowing a userspace process to supply a filter program that specifies which packets it wants to receive. For example, a tcpdump process may want to receive only packets that initiate a TCP connection. BPF returns only packets that pass the filter that the process supplies. This avoids copying unwanted packets from the operating system kernel to the process, greatly improving performance.
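To make the two quotes above concrete, here is an added example (not code from the page, from libseccomp or from Docker) of a seccomp filter written directly as the classic-BPF program that 6.2 describes, the layer libseccomp hides behind its function-call API. The program reads fields of struct seccomp_data (the ABI, then the syscall number) and returns an action; everything is allowed except one syscall, which fails with EPERM. It assumes Linux on x86-64 or aarch64 with a glibc-style syscall() and needs no library beyond libc; getpid is only a harmless stand-in for the syscall being denied, and the probe runs in a child process because a filter can never be removed from the process that loaded it.

```c
/* Added example (not from the page, libseccomp or Docker): a seccomp filter
 * written directly as a classic-BPF program, the layer that libseccomp hides.
 * Assumes Linux on x86-64 or aarch64; libc only. */
#define _GNU_SOURCE
#include <errno.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

#if defined(__x86_64__)
#define EXPECTED_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define EXPECTED_ARCH AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* value for this platform"
#endif

#ifndef SECCOMP_RET_KILL_PROCESS          /* headers older than Linux 4.14 */
#define SECCOMP_RET_KILL_PROCESS SECCOMP_RET_KILL
#endif

/* Install a filter that allows every syscall except denied_nr, which fails
 * with EPERM instead of running.  Returns 0 on success, -1 on failure. */
static int install_deny_filter(unsigned int denied_nr)
{
    struct sock_filter filter[] = {
        /* Check the ABI first: syscall numbers differ between ABIs, so a
         * filter that skips this can be bypassed by a 32-bit or x32 call. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, EXPECTED_ARCH, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
        /* Load the syscall number; if it is the denied one, return -EPERM
         * to the caller, otherwise let the kernel run the syscall. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, denied_nr, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = {
        .len = (unsigned short)(sizeof filter / sizeof filter[0]),
        .filter = filter,
    };

    /* An unprivileged process must set no_new_privs before loading a filter;
     * it also stops the filtered process from regaining privilege via setuid. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) == 0 ? 0 : -1;
}

/* Fork a child, deny denied_nr there, then invoke tested_nr (a no-argument
 * syscall such as getpid/getppid).  Returns the errno the child saw, 0 if
 * the call succeeded, or -1 if the filter could not be installed. */
int probe_filtered_syscall(unsigned int denied_nr, long tested_nr)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (install_deny_filter(denied_nr) != 0)
            _exit(255);
        long r = syscall(tested_nr);
        _exit(r == -1 ? (errno & 0xff) : 0);   /* exit_group is still allowed */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status))
        return -1;                             /* child killed, or wait failed */
    int code = WEXITSTATUS(status);
    return code == 255 ? -1 : code;
}

int main(void)
{
    int denied = probe_filtered_syscall(SYS_getpid, SYS_getpid);
    int allowed = probe_filtered_syscall(SYS_getpid, SYS_getppid);
    printf("getpid() under the filter  -> %s\n",
           denied == EPERM ? "EPERM (blocked)" : "not blocked");
    printf("getppid() under the filter -> %s\n",
           allowed == 0 ? "allowed" : "unexpected result");
    return (denied == EPERM && allowed == 0) ? 0 : 1;
}
```

The libseccomp version of the same policy is three calls, seccomp_init(SCMP_ACT_ALLOW), seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EPERM), SCMP_SYS(getpid), 0) and seccomp_load(ctx), linked with -lseccomp; the library emits the ABI check and the comparison chain for you, and keeps the syscall-number-per-ABI table so the rule stays correct across architectures. This is also the layer Docker depends on: runc applies the daemon's default seccomp profile through libseccomp, so every container started by hello-world is running under a much longer program of exactly this kind.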
References:
- Install Docker Engine: https://docs.docker.com/engine/install/
- libseccomp: https://github.com/seccomp/libseccomp