Shulou(Shulou.com)06/01 Report--

This article mainly introduces the "brief introduction of Docker container runtime permissions and Linux system functions". In the daily operation, I believe that many people have doubts on the brief introduction of Docker container runtime permissions and Linux system functions. Xiaobian consulted all kinds of materials and sorted out simple and easy-to-use operation methods. I hope it will be helpful to answer the doubts of "Docker container runtime permissions and Linux system function brief introduction". Next, please follow the editor to study!

Docker container runtime permissions and Linux system functions

Related Docker parameters

Cap-add: Add Linux capabilities--cap-drop: Drop Linux capabilities--privileged=false: Give extended privileges to this container--device= []: Allows you to run devices inside the container without the-- privileged flag.

Due to the security isolation between containers and between containers and hosts, Docker containers do not have system permissions under the default Docker configuration. For example, you cannot run another Dokcer service in a Docker container. This is because by default, processes in the container are not allowed to access devices on any host. Only containers that are authorized by devices can access all devices (see the documentation on cgroups devices).

When the container administrator executes docker run-privileged, the Docker container is allowed to access all devices on the host, and some configurations are set in AppArmor or SELinux so that processes in the container can access the host with almost the same permissions as processes running outside the container. (for more information about running the-- privileged parameter, visit the Docker blog. )

If you want to restrict access to specific devices, you can use the-- device parameter. It allows you to specify one or more devices to be accessed from within the container.

$docker run-device=/dev/snd:/dev/snd...

When the-- device parameter is enabled, processes in the container will get read, write and mknod permissions for these devices by default. You can also override the default setting by attaching a third: rwm option for each-- device parameter:

$docker run-- device=/dev/sda:/dev/xvdc-- rm-it ubuntu fdisk / dev/xvdcCommand (m for help): Q $docker run-- device=/dev/sda:/dev/xvdc:r-- rm-it ubuntu fdisk / dev/xvdcYou will not be able to write the partition table.Command (m for help): Q $docker run-- device=/dev/sda:/dev/xvdc:w-- rm-it ubuntu fdisk / dev/xvdc crash....$ docker run-- device= / dev/sda:/dev/xvdc:m-- rm-it ubuntu fdisk / dev/xvdcfdisk: unable to open / dev/xvdc: Operation not permitted

In addition to-- privileged, operators can also use-- cap-add and-- cap-drop to have fine-grained control over functions. By default, Docker has a reserved default list of features.

The following table lists the Linux feature options, which are allowed by default and can be deleted.

The function item function describes the permissions of the SETPCAP modification process MKNOD uses mknod (2) to create a special file AUDIT_WRITE writes records to the kernel audit log CHOWN arbitrary changes files UIDs and GIDs (see chown (2)) NET_RAW uses RAW and PACKET socket DAC_OVERRIDE to bypass the read, write and execute permissions of the file check FOWNER bypasses the file system UID of the process and the UID of the file FSETID when the file is modified Do not clear the set-user-ID and set-group-ID permission bits KILL bypass the permission to send signals check the SETGID custom process GID and supplement the GID list SETUID custom process UIDNET_BIND_SERVICE binds the socket to the Internet domain name dedicated port (port number less than 1024). SYS_CHROOT uses chroot (2) to change the root directory SETFCAP settings file function

The following table shows features that are not granted by default and can be added manually.

Function item function describes SYS_MODULE loading and unloading kernel module SYS_RAWIO performs I / O port operations (iopl (2) and ioperm (2)) SYS_PACCT uses acct (2), turns on or off process counting SYS_ADMIN performs a series of system management operations SYS_NICE increases the nice value of a process (nice (2), setpriority (2)) and changes the niceSYS _ RESOURCE of any process to override resource limits SYS_TIME to set the system clock (settimeofday (2)) Stime (2), adjtimex (2)) Set the real-time (hardware) clock SYS_TTY_CONFIG using vhangup (2); use various privileged ioctl (2) on the virtual terminal to operate AUDIT_CONTROL to enable and disable kernel auditing Change audit filter rules; retrieve audit status and filter rules MAC_ADMIN allows MAC configuration or status changes. The function implemented for Smack LSM MAC_OVERRIDE overrides mandatory access control (MAC). The NET_ADMIN executes various network-related operations for the Smack Linux security module (LSM). The SYSLOG executes the authority operation of the syslog (2). DAC_READ_SEARCH bypasses file read permission check and directory read and execute permission check LINUX_IMMUTABLE setting FS_APPEND_FL and FS_IMMUTABLE_FL i-node flag NET_BROADCAST enables sockets to broadcast and monitors broadcast packets IPC_LOCK locks memory (mlock (2), mlockall (2), mmap (2)) Shmctl (2)) IPC_OWNER bypasses permissions to operate on System V IPC objects check SYS_PTRACE uses ptrace (2) to track any process SYS_BOOT uses reboot (2) and kexec_load (2), reboots and loads the new kernel for programs to execute LEASE to establish a Lease lease on any file (see fcntl (2)) WAKE_ALARM triggers Wake up system operations BLOCK_SUSPEND turns on functions that prevent the system from hanging

More reference information can be found in the capabilities (7)-Linux man page Linux man page.

-- cap-add-- cap-drop both parameters support the value ALL, so if the Docker administrator wants all Linux features except MKNOD, you can use:

$docker run-cap-add=ALL-cap-drop=MKNOD.

If you want to interact with the system's network stack, you should use-- cap-add=NET_ADMIN to modify the network interface instead of-- privileged.

Docker run-it-- rm ubuntu:14.04 ip link add dummy0 type dummyRTNETLINK answers: Operation not permitted$ docker run-it-- rm-- cap-add=NET_ADMIN ubuntu:14.04 ip link add dummy0 type dummy

To install a FUSE-based file system, you need to combine-- cap-add and-- device:

$docker run-rm-it-cap-add SYS_ADMIN sshfs sshfs sven@10.10.10.20:/home/sven / mntfuse: failed to open / dev/fuse: Operation not permitted$ docker run-- rm-it-- device / dev/fuse sshfs sshfs sven@10.10.10.20:/home/sven / mntfusermount: mount failed: Operation not permitted$ docker run-- rm-it-- cap-add SYS_ADMIN-- device / dev/fuse sshfs# sshfs sven@10.10.10.20: / home/sven / mntThe authenticity of host '10.10.10.20 (10.10.10.20)' can't be established.ECDSA key fingerprint is 25:34:85:75:25:b0:17:46:05:19:04:93:b5:dd:5f:c6.Are you sure you want to continue connecting (yes/no)? Yessven@10.10.10.20's password:root@30aa0cfaf1b5:/# ls-la / mnt/src/dockertotal 1516drwxrwxr-x 1 1000 1000 4096 Dec 4 06:08. Drwxrwxr-x 1 1000 1000 4096 Dec 4 11:46.-rw-rw-r-- 1 1000 1000 16 Oct 8 00:09. Dockerage-rwxrwxr-x 1 1000 1000 464 Oct 8 00:09. Drone.ymldrwxrwxr-x 1 1000 1000 4096 Dec 4 06:11 .git-rw-rw-r-- 1 1000 1000 461 Dec 4 06:08 .gitignore....

The default seccomp profile will be adjusted according to the selected feature to allow the use of features allowed by the feature, so this should not be adjusted from later versions of Docker1.12. This is not the case in Docker 1.10 and 1.11, and you may need to use a custom seccomp configuration file or use-- security-opt seccomp=unconfined when adding functionality.

At this point, the study on "a brief introduction to the runtime permissions of the Docker container and the functions of the Linux system" is over. I hope to be able to solve your doubts. The collocation of theory and practice can better help you learn, go and try it! If you want to continue to learn more related knowledge, please continue to follow the website, the editor will continue to work hard to bring you more practical articles!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.