How to manage users and groups at Docker run time

2025-01-19 Update. From: SLTechnology News&Howtos (shulou), Servers


Shulou (Shulou.com) 06/02 Report

Docker is a process-centric tool for isolating workloads and controlling their use of system resources. The isolation comes from kernel namespaces; the resource limits and accounting come from cgroups (control groups), another kernel feature, and cover CPU, memory, disk I/O, network and so on. At run time Docker can specify the user and group a container's processes run as. If nothing is specified, the default is root (UID 0). That default is not made harmless by the isolation: root inside a container is UID 0 on the host as well, held back only by a reduced capability set, the default seccomp profile and the namespaces, so a container escape lands as host root unless the daemon remaps container users with a user namespace. Traditionally, specific applications run as specific users, and the user or group named for a container process does not have to exist on the host: names are resolved against the image's own /etc/passwd and /etc/group.

A control group (cgroup) can do the following things:

Resource limiting: a group can be configured not to exceed a memory limit, file system cache included.
Prioritization: some groups may get a larger share of CPU time or disk I/O throughput.
Accounting: measuring a group's resource usage, for example for billing purposes.
Control: freezing a group's processes, checkpointing them, and restarting them.

The concept most closely associated with cgroups is namespaces.

There are six main kinds of namespace, each isolating one kind of resource:

The PID namespace provides isolation for the allocation of process identifiers (PIDs), process lists, and their details.

Although a new PID namespace is isolated from its sibling namespaces, processes in its parent namespace still see all processes of the child namespace (under different PID numbers).

Network namespaces isolate network interfaces (physical or virtual), iptables firewall rules, routing tables, and so on. Network namespaces can be connected to each other with "veth" virtual Ethernet device pairs.

The UTS namespace lets a container have its own host name.

The mount namespace lets you build a different file system layout or make some mount points read-only.

The IPC namespace isolates System V inter-process communication objects.

The user namespace isolates user and group IDs: an ID inside the namespace is mapped to a different, typically unprivileged, ID on the host.

Root in a container started by an ordinary user

With busybox, for example, you can run software as root inside a docker container while the docker command itself is executed by an ordinary user. Note where the privilege actually sits: the client runs as the ordinary user, but it only sends a request to the Docker daemon, which runs as root and creates the container. Anyone allowed to talk to the daemon (for example members of the docker group) is therefore effectively root on the host.

Consider such a situation

echo test | docker run -i busybox cat

The left side of the pipe is a process of the current host user; its output is passed into the container, where cat runs as the container's user (root here, since no user was specified).

When a process runs as PID 1 in the container's PID namespace, the kernel does not apply the default signal actions to it: a SIGINT or SIGTERM for which the process has installed no handler is simply dropped, so the process does not exit unless it was written to handle those signals (SIGKILL sent from outside the namespace still works). docker stop sends SIGTERM and, after a timeout, SIGKILL. The signal that docker stop sends can be changed with the Dockerfile STOPSIGNAL instruction.

For example:

STOPSIGNAL SIGKILL
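The alternative to forcing SIGKILL is to make whatever runs as PID 1 handle SIGTERM itself. The script below is an added example, not code from the article: a minimal init wrapper that traps SIGTERM/SIGINT, forwards the signal to its child and exits with the child's status. The entrypoint layout in the comment (`/init.sh` plus a hypothetical `myserver`) is assumed for illustration.

```shell
#!/bin/sh
# Added example (not from the article): a minimal PID 1 wrapper that installs a
# handler for SIGTERM/SIGINT, forwards the signal to its child and exits with
# the child's status. Without such a handler, a process that is PID 1 in the
# container drops these signals and `docker stop` ends up sending SIGKILL.
# Assumed use as an entrypoint: ENTRYPOINT ["/init.sh", "myserver", "--flag"]

# forward_signals_to_child <command> [args...]
# Returns the child's exit status; a child killed by SIGTERM yields 143.
forward_signals_to_child() {
  "$@" &
  child=$!
  got_signal=0
  trap 'got_signal=1; kill -TERM "$child" 2>/dev/null' TERM INT

  # POSIX: a trapped signal makes `wait` return at once with a status > 128,
  # and the trap runs right after. Wait a second time to collect the child's
  # real exit status.
  wait "$child"
  rc=$?
  if [ "$got_signal" -eq 1 ]; then
    wait "$child"
    rc=$?
  fi
  trap - TERM INT
  return "$rc"
}

# When run as a script with arguments (not sourced for its functions), act as init.
if [ "$#" -gt 0 ]; then
  forward_signals_to_child "$@"
fi
```

With this as PID 1, `docker stop` (default SIGTERM) terminates the container within the grace period and the service gets a chance to shut down cleanly; `STOPSIGNAL SIGKILL` should be reserved for processes that cannot be fixed.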

Create a Dockerfile:

FROM alpine:latest
RUN apk add --update htop && rm -rf /var/cache/apk/*
CMD ["htop"]

$ docker build -t myhtop .   # build the image
$ docker run -it --rm --pid=host myhtop   # runs in the same PID namespace as the host's processes

Note that --pid=host removes the PID isolation entirely: htop sees every host process, and a root process in such a container can signal host processes, subject to its capabilities.

Specifying a different user, demo_user, in a container started by an ordinary user

docker run --user=demo_user:group1 --group-add group2

Here demo_user, group1 (primary group) and group2 (supplementary group) are not users and groups of the host: they are looked up in the image's /etc/passwd and /etc/group, so they must be created when the image is built (for example with adduser/addgroup in a RUN instruction). Numeric IDs are the exception: --user 1000:1000 works without any passwd entry.

When the Dockerfile contains no USER instruction, the container runs its process as root.

How docker specifies the user

Specify the user for the container process (and for the RUN instructions that follow) in the Dockerfile:

USER <user>[:<group>]   # or   USER <UID>[:<GID>]

docker run -u (--user) [user:group], optionally combined with the --group-add parameter

$ docker run busybox cat /etc/passwd
root:x:0:0:root:/root:/bin/sh
...
www-data:x:33:33:www-data:/var/www:/bin/false
nobody:x:65534:65534:nobody:/home:/bin/false
$ docker run --user www-data busybox id
uid=33(www-data) gid=33(www-data)
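To make the lookup rules concrete, here is an added example (not the article's, and not Docker's own code) that resolves a --user spec and --group-add values the way the runtime does, against the image's files rather than the host's. The passwd and group contents are constructed for the demo, and the resolution rules (names must exist, numeric IDs pass through unchecked, an unknown numeric UID gets primary GID 0, an explicit group suppresses the automatic supplementary groups) are modelled on runc's behaviour as I understand it.

```shell
#!/bin/sh
# Added example (not from the article): resolve a `docker run --user` spec
# the way the container runtime does, against the IMAGE's passwd/group files,
# never the host's. PASSWD_SAMPLE/GROUP_SAMPLE are constructed for the demo;
# the resolution rules are modelled on runc's behaviour as I understand it.
PASSWD_SAMPLE='root:x:0:0:root:/root:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/false
demo_user:x:1000:1000:demo:/home/demo:/bin/sh
nobody:x:65534:65534:nobody:/home:/bin/false'

GROUP_SAMPLE='root:x:0:
www-data:x:33:
group1:x:1000:demo_user
group2:x:1001:demo_user
wheel:x:10:root'

is_number() { case $1 in ''|*[!0-9]*) return 1 ;; *) return 0 ;; esac; }

# passwd_lookup <name-or-uid> -> "name uid gid" (empty if absent)
passwd_lookup() {
  printf '%s\n' "$PASSWD_SAMPLE" |
    awk -F: -v key="$1" '$1 == key || $3 == key { print $1, $3, $4; exit }'
}

# group_lookup <name-or-gid> -> "name gid" (empty if absent)
group_lookup() {
  printf '%s\n' "$GROUP_SAMPLE" |
    awk -F: -v key="$1" '$1 == key || $3 == key { print $1, $3; exit }'
}

# member_gids <user> <primary-gid> -> comma list of gids of the groups whose
# member list names the user, excluding the primary gid
member_gids() {
  printf '%s\n' "$GROUP_SAMPLE" |
    awk -F: -v u="$1" -v skip="$2" '
      { n = split($4, m, ",")
        for (i = 1; i <= n; i++)
          if (m[i] == u && $3 != skip) out = out (out == "" ? "" : ",") $3 }
      END { print out }'
}

# resolve_container_user "<user>[:<group>]" [extra-group ...]
# Mirrors `docker run --user <spec> --group-add <extra-group> ...`.
# Prints "uid=N gid=N groups=N[,N...]"; returns 1 if a NAME is unknown.
# Numeric ids pass through unchecked; an unknown numeric uid gets primary
# gid 0 (root), which is why `-u 100` shows files as owned by "100 root".
resolve_container_user() {
  spec=$1; shift
  user=${spec%%:*}; group=''
  case $spec in *:*) group=${spec#*:} ;; esac
  uid=''; gid=0; name=''; supp=''

  entry=$(passwd_lookup "$user")
  if [ -n "$entry" ]; then
    name=${entry%% *}; rest=${entry#* }; uid=${rest%% *}; gid=${rest#* }
  elif is_number "$user"; then
    uid=$user
  else
    echo "unable to find user $user in the image's passwd file" >&2; return 1
  fi

  if [ -n "$group" ]; then
    # explicit group: becomes the primary gid, and group membership is NOT consulted
    gentry=$(group_lookup "$group")
    if [ -n "$gentry" ]; then gid=${gentry#* }
    elif is_number "$group"; then gid=$group
    else echo "unable to find group $group in the image's group file" >&2; return 1
    fi
  elif [ -n "$name" ]; then
    supp=$(member_gids "$name" "$gid")
  fi

  for g in "$@"; do                      # --group-add equivalents
    gentry=$(group_lookup "$g")
    if [ -n "$gentry" ]; then extra=${gentry#* }
    elif is_number "$g"; then extra=$g
    else echo "unable to find group $g in the image's group file" >&2; return 1
    fi
    supp=${supp:+$supp,}$extra
  done
  printf 'uid=%s gid=%s groups=%s%s\n' "$uid" "$gid" "$gid" "${supp:+,$supp}"
}
```

`resolve_container_user www-data` gives the same uid/gid pair as the `id` output above; `resolve_container_user 100` gives gid 0, matching the "100 root" ownership seen later in the volume example; and a name that is only on the host (`resolve_container_user alice`) is rejected, which is exactly the error docker run reports for a user missing from the image.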

Permissions of users in the docker container

In the following case, a file created by an ordinary user on the host shows up inside the container as owned by root. Note that this output comes from Docker Desktop on macOS (the host listing further down shows the "staff" group), whose file-sharing layer presents host files to the container as root:root and maps files created in the container back to the invoking user. On a Linux host, bind mounts pass the numeric UID and GID through unchanged in both directions, so a host file owned by UID 501 is seen as UID 501 inside the container and a file created by container root is owned by host root.

$ mkdir test && touch test/a.txt && cd test
$ docker run --rm -it -v `pwd`:/mnt -w /mnt busybox /bin/sh -c 'ls -al /mnt/*'
-rw-r--r--    1 root     root             0 Oct 22 15:36 /mnt/a.txt

Files created in the mounted directory from inside the container show up on the host as owned by the user who ran docker (again Docker Desktop behaviour; on a Linux host they are owned by the container process's UID, which is root unless --user was given):

$ docker run --rm -it -v `pwd`:/mnt -w /mnt busybox /bin/sh -c 'touch b.txt'
$ ls -al
-rw-r--r--  1 xwx  staff  0 10 22 23:36 a.txt
-rw-r--r--  1 xwx  staff  0 10 22 23:54 b.txt

Access to docker volume files

Create and use named volumes. Docker does not accept a relative path as a mount source: a host path must be absolute, and anything else is treated as a volume name. Multiple containers can use the same volume at the same time.

$ docker volume create hello   # create the volume hello
$ docker run -it --rm -v hello:/world -w /world busybox /bin/sh -c 'touch /world/a.txt && ls -al'   # create a file from the container
total 8
drwxr-xr-x    2 root     root          4096 Oct 22 16:38 .
drwxr-xr-x    1 root     root          4096 Oct 22 16:38 ..
-rw-r--r--    1 root     root             0 Oct 22 16:38 a.txt
$ docker run -it --rm -v hello:/world -w /world busybox /bin/sh -c 'rm /world/a.txt && ls -al'   # remove it
total 8
drwxr-xr-x    2 root     root          4096 Oct 22 16:38 .
drwxr-xr-x    1 root     root          4096 Oct 22 16:38 ..

Create a file on the host, owned by root, and delete it from the container as a different, unprivileged user.

$ touch c.txt && sudo chown root:wheel c.txt
$ docker run -u 100 -it --rm -v `pwd`:/world -w /world busybox /bin/sh -c 'rm /world/c.txt && ls -al'

It can indeed be deleted. rm asks for confirmation only because the file itself is not writable; whether a file can be unlinked is decided by write and search permission on the containing directory, which UID 100 has here (the directory is shown as owned by 100), not by the file's owner or mode. The mount itself, not the user inside the container, is what grants or denies this.

rm: remove '/world/c.txt'? y
total 4
drwxr-xr-x    4 100      root           128 Oct 23 16:09 .
drwxr-xr-x    1 root     root          4096 Oct 23 16:09 ..
-rw-r--r--    1 100      root             0 Oct 22 15:36 a.txt
-rw-r--r--    1 100      root             0 Oct 22 15:54 b.txt
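The rule behind that result is easy to check outside Docker. The script below is an added example (not from the article): it predicts whether a file can be removed from the permissions of its directory alone, then tries it, for a read-only file in a writable directory and for a writable file in a read-only directory. The scratch directory and file names are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the article): unlink() is decided by the permissions
# of the containing DIRECTORY (write + search), not by who owns the file or
# whether the file itself is writable. That is why uid 100 can delete a
# root-owned c.txt from a writable mount. rm only prompts for a read-only file
# when it is interactive; `rm -f` skips the prompt.

# can_unlink <path>: predict whether removing the file will succeed, using the
# directory rule above. [ -w ] and [ -x ] call access(2), so for root they
# also reflect CAP_DAC_OVERRIDE.
can_unlink() {
  d=$(dirname "$1")
  [ -e "$1" ] && [ -w "$d" ] && [ -x "$d" ]
}

# try_unlink <path>: actually attempt it and report "removed" or "denied".
try_unlink() {
  if rm -f "$1" 2>/dev/null && [ ! -e "$1" ]; then echo removed; else echo denied; fi
}

# demo_unlink_rules: scratch directory with two cases; prints
# "<predicted> <actual> <predicted> <actual>" for a read-only file in a
# writable directory, then a writable file in a read-only directory.
demo_unlink_rules() {
  t=$(mktemp -d)
  touch "$t/readonly.txt"; chmod 444 "$t/readonly.txt"
  p1=$(can_unlink "$t/readonly.txt" && echo yes || echo no)
  a1=$(try_unlink "$t/readonly.txt")            # removed: the directory is writable
  touch "$t/locked.txt"; chmod 555 "$t"
  p2=$(can_unlink "$t/locked.txt" && echo yes || echo no)
  a2=$(try_unlink "$t/locked.txt")              # denied for a normal user, removed for root
  chmod 755 "$t"; rm -rf "$t"
  echo "$p1 $a1 $p2 $a2"
}
```

For an ordinary user the demo prints "yes removed no denied": the read-only file goes, the writable file in the locked directory stays. Run as root it prints "yes removed yes removed", which is the same lesson from the other side: a root process in a container with a bind mount is limited by the mount, not by file ownership.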

Ports below 1024 for an ordinary user inside the container

$ docker run -u 100 -it --rm -p 70:80 busybox /bin/sh -c 'nc -l -p 80'
nc: bind: Permission denied   # uid 100 cannot bind port 80: it has no CAP_NET_BIND_SERVICE
$ docker run -u 100 -it --rm -p 70:8800 busybox /bin/sh -c 'nc -l -p 8800'   # fine: the container port is above 1024
$ docker run -it --rm -p 70:80 busybox /bin/sh -c 'nc -l -p 80'   # fine as root in the container, which has CAP_NET_BIND_SERVICE by default

The host-side port (70 here) is bound by the Docker daemon, which runs as root, so it can be privileged regardless of the user inside the container; only the port the process binds inside the container is subject to the 1024 limit. Mapping a low host port to a high container port, as in the second command, is the usual way to keep the service unprivileged. Alternatives are a file capability on the binary (setcap cap_net_bind_service=+ep) or lowering the limit for the container's network namespace with --sysctl net.ipv4.ip_unprivileged_port_start=0.
