配置Docker文件和目录的规则

配置Docker文件和目录的规则

写个脚本

# Create the script file; its content is the listing that follows.
# NOTE(review): /tmp is world-writable, and this script edits /etc and
# restarts services (presumably run as root). A root-only directory would
# be a safer place to keep it.
vim /tmp/repair.sh

#!/bin/bash

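#######################################
# Add file watches for the Docker binaries, data directory, config and
# systemd units to the persistent audit rules, then load them.
# Every rule carries the key "docker", so matching events can be pulled
# out later with `ausearch -k docker`.
# Globals:   none
# Arguments: none
# Outputs:   auditd service status and the docker rules in the rules file
# Returns:   non-zero if the backup or a write to the rules file fails
#######################################
docker_audit() {
  local rules_file=/etc/audit/rules.d/audit.rules
  local backup
  local rule

  # Take a dated backup first and leave the rules untouched if it fails.
  backup="${rules_file}.bak.$(date +%Y%m%d)"
  cp -p -- "$rules_file" "$backup" || return 1

  # Append a watch only when that exact line is missing, so running the
  # script again does not pile up duplicate rules.
  while IFS= read -r rule; do
    grep -qxF -e "$rule" "$rules_file" \
      || printf '%s\n' "$rule" >> "$rules_file" \
      || return 1
  done <<'EOF'
-w /usr/bin/dockerd -k docker
-w /var/lib/docker -k docker
-w /etc/docker -k docker
-w /usr/lib/systemd/system/docker.service -k docker
-w /usr/lib/systemd/system/docker.socket -k docker
-w /etc/docker/daemon.json -k docker
-w /usr/bin/containerd -k docker
-w /usr/sbin/runc -k docker
EOF

  systemctl daemon-reload
  systemctl start auditd.service

  # `systemctl start` does nothing when auditd is already running, so the
  # new watches would stay on disk only. augenrules rebuilds the rule set
  # from rules.d and loads it into the running audit system.
  if command -v augenrules >/dev/null 2>&1; then
    augenrules --load
  else
    echo "augenrules not found: new audit rules are written but not loaded" >&2
  fi

  systemctl status auditd.service
  grep docker "$rules_file"
}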

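#######################################
# Append default ulimit options to dockerd's ExecStart line, switch the
# daemon log level from warn to info, and restart Docker.
# Globals:   none
# Arguments: none
# Outputs:   docker.service status and the running dockerd command line
# Returns:   non-zero if a backup or an edit fails
#######################################
docker_execstart() {
  local unit_file=/etc/systemd/system/docker.service
  local daemon_json=/etc/docker/daemon.json
  local key=ExecStart
  # NOTE(review): 2408 looks like a transposed 2048; confirm the intended
  # nproc hard limit before rolling this out.
  local ulimit_opts=" --default-ulimit nproc=1024:2408 --default-ulimit nofile=10240:20480"
  local stamp

  stamp=$(date +%Y%m%d)

  # Back up next to the originals instead of /tmp: /tmp is world-writable,
  # and a predictable file name written there by a privileged script can
  # be pre-created or symlinked by another local user.
  cp -p -- "$unit_file" "${unit_file}.bak.${stamp}" || return 1
  cp -p -- "$daemon_json" "${daemon_json}.bak.${stamp}" || return 1

  # Match "ExecStart=" exactly so ExecStartPre/ExecStartPost lines are left
  # alone, and skip the edit when the options are already there so a
  # second run does not append them again.
  # Assumes the ExecStart command sits on one line (no trailing "\").
  if ! grep -q -e "^${key}=.*--default-ulimit" "$unit_file"; then
    sed -i "/^${key}=/s/\$/${ulimit_opts}/" "$unit_file" || return 1
  fi

  # Only touch the log-level entry, not every "warn" in the file.
  sed -i '/"log-level"/s/warn/info/' "$daemon_json" || return 1

  systemctl daemon-reload
  # Restarting docker.service interrupts running containers unless
  # live-restore is enabled in daemon.json.
  systemctl restart docker.service

  systemctl status docker.service
  pgrep -a dockerd
}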

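# Both steps edit files under /etc and control systemd units. Stop early
# when not running as root, so a half-applied change is not left behind.
if [ "$(id -u)" -ne 0 ]; then
  echo "repair.sh must be run as root" >&2
  exit 1
fi

docker_audit
docker_execstart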
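# Run these from the shell after saving the script; they are not part of
# repair.sh itself.
# Convert Windows (CRLF) line endings to Unix format before running.
yum install -y dos2unix
# Use the absolute path the script was saved under, so the commands do not
# depend on the current directory.
dos2unix /tmp/repair.sh
# Run it with bash, matching the script's #!/bin/bash line.
bash /tmp/repair.sh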

检查一下

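# Watches present in the persistent rules file.
grep docker /etc/audit/rules.d/audit.rules

# Watches actually loaded into the running audit system. The file on disk
# alone does not prove the rules are active.
auditctl -l | grep docker

# The dockerd command line should now show the --default-ulimit options.
ps -ef | grep dockerd | grep -v grep

# The log level in daemon.json should read info.
grep info /etc/docker/daemon.json

# List pods whose status is not Running (the header line and Completed pods
# print too), presumably to confirm workloads recovered after the restart.
kubectl get po -A | grep -i -v running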