在NodeJS应用中使用Docker容器。

huangapple go评论62阅读模式
英文:

Working with Docker Containers in NodeJS App

问题

有没有关于在NodeJS应用中使用Docker容器的推荐或最佳实践?

我看到了一些不同的方法来访问或在Node中使用容器,包括:

  • child_process
  • dockerode(npm包)
  • 或其他方法

我对使用Docker还很新手,希望我的Node应用能够访问和启动Docker容器,并寻求关于在NodeJS中使用Docker容器的最佳实践建议。

英文:

Are there any recommended or best practices for working with Docker containers in a NodeJS app?

I have seen a few different methods of accessing or working with containers in Node by either using:

  • child_process
  • dockerode (npm package)
  • or others

I am new to working with Docker and am wanting to have my Node app to have the ability to access and start docker containers and was looking for any suggestions on best practices for working with docker containers in NodeJS?

答案1

得分: 1

最佳实践是重构您的应用程序,以避免需要管理员级别访问Docker守护程序。启动长时间运行的容器,可以执行您需要的工作,并通过Docker网络或使用RabbitMQ等消息队列系统与它们通信。

尝试直接使用Docker存在一些实际问题。如果启动新容器,您需要监视和停止它;如果您的进程在容器运行时失败,您将需要找出如何清理上一次运行的内容。添加强硬的Docker依赖性使得难以运行单元测试或手动测试。当然,最大的问题是Docker内部几乎没有安全控制:您可以操作不属于您项目的容器,并在新容器中绑定挂载主机文件系统的任意部分,这意味着Docker成为轻松危害整个主机的途径。

如果必须对Docker守护程序进行特权调用,使用Docker SDK(如dockerode)比将docker作为子进程运行更好。这更容易供下游用户运行,更难出现与Shell语法相关的错误(我确实看到有几个问题允许进行Shell注入攻击,尝试运行docker命令,这将成为外部攻击者入侵主机的途径)。

英文:

The absolute best practice is to restructure your application to avoid needing administrator-level access to the Docker daemon. Start long-running containers that can do the work you need once, and either communicate with them via Docker networks or using a message-queue system like RabbitMQ.

There are a number of practical problems with trying to directly use Docker. If you start a new container, you need to monitor and stop it; if your process fails with a container running, at startup you'll need to figure out how to clean up from the previous run. Adding a hard Docker dependency makes it difficult to run either unit or manual tests. And of course the biggest problem is that there are few security controls within Docker: you can manipulate containers that don't belong to your project, and bind-mount arbitrary parts of the host filesystem in new containers, which means Docker becomes a path to easily compromise the entire host.

If you must make a privileged call to the Docker daemon, using a Docker SDK like dockerode is better than running docker as a subprocess. It's easier for downstream users to run and harder to make mistakes with shell syntax (I do see several questions that allow shell-injection attacks trying to run docker commands, which becomes a path for an external attacker to root the host).

huangapple
  • 本文由 发表于 2023年5月25日 14:05:38
  • 转载请务必保留本文链接:https://go.coder-hub.com/76329354.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定