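We recommend modifying Docker's startup parameters to add the "--userland-proxy=false" parameter, which disables the userland proxy at startup and reduces the device's attack surface. An example is shown below.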
……
[Service]
Type=notify
# the default is not to use systemd for cgroups because the delegate issues still
# exists and systemd currently does not support the cgroup feature set required
# for containers run by docker
ExecStart=/usr/bin/dockerd --userland-proxy=false --icc=false -H fd:// --containerd=/run/containerd/containerd.sock
ExecReload=/bin/kill -s HUP $MAINPID
TimeoutSec=0
RestartSec=2
Restart=always
……
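To confirm the setting is actually in effect, the following added example (not part of the original page) reads systemd unit text, such as the output of `systemctl cat docker.service`, and reports the effective `--userland-proxy` value after any drop-in that resets `ExecStart`. The function names, both sample units and the drop-in are constructed assumptions for illustration.

```shell
# Added audit example (not from the original page).
# Reads systemd unit text on stdin, e.g. from `systemctl cat docker.service`,
# and prints the effective dockerd --userland-proxy value: false, true or unset.
effective_userland_proxy() {
    awk '
        # Join backslash-continued lines into one logical line.
        /\\$/ { sub(/\\$/, ""); buf = buf $0; next }
        { line = buf $0; buf = "" }
        # An empty "ExecStart=" (typical in drop-ins) clears earlier commands.
        line ~ /^[ \t]*ExecStart=[ \t]*$/ { cmd = ""; next }
        line ~ /^[ \t]*ExecStart=/ { cmd = line }
        END {
            val = "unset"
            n = split(cmd, tok, /[ \t]+/)
            for (i = 1; i <= n; i++) {
                if (tok[i] == "--userland-proxy") val = "true"   # bare boolean flag
                else if (tok[i] ~ /^--userland-proxy=/) {
                    val = tok[i]; sub(/^--userland-proxy=/, "", val)
                }
            }
            print val
        }
    '
}

# Exit status 0 only when the proxy is explicitly disabled.
userland_proxy_disabled() {
    [ "$(effective_userland_proxy)" = "false" ]
}

# Constructed sample 1: the ExecStart line recommended above.
SAMPLE_HARDENED='[Service]
Type=notify
ExecStart=/usr/bin/dockerd --userland-proxy=false --icc=false -H fd:// --containerd=/run/containerd/containerd.sock'

# Constructed sample 2: a hypothetical drop-in appended after the unit resets
# ExecStart and drops the flag, silently undoing the hardening.
SAMPLE_OVERRIDDEN="$SAMPLE_HARDENED
[Service]
ExecStart=
ExecStart=/usr/bin/dockerd -H fd:// \\
    --containerd=/run/containerd/containerd.sock"

for name in HARDENED OVERRIDDEN; do
    eval "unit=\$SAMPLE_$name"
    printf '%s: userland-proxy=%s\n' "$name" "$(printf '%s\n' "$unit" | effective_userland_proxy)"
done
```

A result of `unset` or `true` means dockerd runs with the userland proxy enabled, since that is Docker's default.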