
Hardening task runners

Task runners execute the code from Code nodes. While Code node execution is secure, you can follow the recommendations below to further harden task runners.

Run task runners as sidecars in external mode

To increase the isolation between the core n8n process and code in the Code node, run task runners in external mode. External task runners launch as separate containers, providing a fully isolated environment to execute the JavaScript defined in the Code node.

Use the distroless image

For a reduced attack surface, use the distroless Docker image variant. Distroless images contain only the application and its runtime dependencies, excluding package managers, shells, and other utilities that aren't needed at runtime.

To use the distroless image, append the -distroless suffix to the Docker tag. For example: 2.4.6-distroless.

Run as the nobody user

For improved security, configure task runners to run as the unprivileged nobody user with user and group ID 65532. This prevents the container process from running with root privileges and limits potential damage from security vulnerabilities.

Configure read-only root filesystem

Configure a read-only root filesystem to prevent any modifications to the container's filesystem at runtime. This helps protect against malicious code that might attempt to modify system files.

Task runners still require some temporary storage for operation. To accommodate this, mount a minimal emptyDir volume to /tmp. If your workflows require more temporary space, increase the size of the volume accordingly.
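The following Kubernetes Pod manifest is an added example, not a manifest from the n8n project or its documentation. It combines the recommendations above into one sidecar deployment: a separate task-runner container next to the n8n container, a distroless image tag, the nobody user and group 65532, a read-only root filesystem, and a small emptyDir mounted at /tmp. The image names n8nio/n8n and n8nio/runners, the version 2.4.6 and the 256Mi size limit are assumptions chosen for illustration; the environment variables that wire the runner to the n8n process in external mode are not shown here and must be taken from the task runner documentation for your version. The capability drop and allowPrivilegeEscalation settings go slightly beyond the page; they are standard Kubernetes securityContext fields that complement the non-root and read-only settings.

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: n8n-with-hardened-runner   # constructed example name
spec:
  containers:
    # Core n8n process. The task runner runs beside it as a sidecar, so Code node
    # JavaScript never executes inside this container.
    - name: n8n
      image: n8nio/n8n:2.4.6          # assumed image name and version
      ports:
        - containerPort: 5678
      # External-mode wiring (runner mode, broker address, shared auth token)
      # is intentionally omitted; see the task runner docs for the exact variables.

    # External task runner, fully isolated from the n8n container.
    - name: task-runner
      # "-distroless" suffix selects the variant without shells or package managers.
      image: n8nio/runners:2.4.6-distroless   # assumed image name; tag suffix as described above
      securityContext:
        runAsNonRoot: true
        runAsUser: 65532                # nobody user, as recommended above
        runAsGroup: 65532               # nobody group
        readOnlyRootFilesystem: true    # no writes to the container filesystem at runtime
        allowPrivilegeEscalation: false # beyond the page: block setuid-style escalation
        capabilities:
          drop: ["ALL"]                 # beyond the page: no Linux capabilities needed by the runner
      volumeMounts:
        # The only writable location: a small scratch volume for the runner.
        - name: tmp
          mountPath: /tmp

  volumes:
    - name: tmp
      emptyDir:
        sizeLimit: 256Mi   # assumed size; raise it if workflows need more scratch space
```

With readOnlyRootFilesystem set, any write outside /tmp fails at runtime, so a quick way to confirm the hardening took effect is to watch the runner's logs for write errors during a test workflow and then adjust the emptyDir sizeLimit, not the read-only flag, if temporary space runs out.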