
How to solve the problem of raising the rights of non-root users in docker containers

2025-02-24 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)05/31 Report--

This article shows, with a small experiment, why starting a docker container as a non-root user does not by itself prevent privilege escalation to the host, and names the two common fixes. The steps below are simple to reproduce; follow along and try them yourself.

1. Start the docker container as a non-root user

To improve security, we consider the scenario of starting the docker container as a non-root user, and we test it with an experiment. First, create an ordinary user zimug with useradd zimug. Then add this user to the docker group, because apart from root only members of the docker group can start containers.

# add zimug to the docker group (-a appends, so existing groups are kept)
usermod -aG docker zimug
# launch a container as the zimug user
docker run -d --name nginx-zimug -p 80:80 nginx

The above shows that starting a docker container as a non-root user works, but we still need to verify whether security has actually improved.

2. Verify the security of a container launched by a non-root user

Go back to the host where the docker service runs and, as root, write the string "zimug test" into the file test.txt:

mkdir -p /root/test; echo "zimug test" > /root/test/test.txt

Then use su to switch to the user zimug and try to read the file with cat. The shell reports that the permissions are insufficient, which is exactly as it should be:

[root] # su - zimug
[zimug] $ cat /root/test/test.txt
cat: /root/test/test.txt: Permission denied

Then we launch a container nginx-zimug1 as zimug, bind-mounting the root-owned file into it. It is important to remember that this container is started by the non-root user zimug:

[zimug] $ docker run -d --name nginx-zimug1 \
    -p 81:80 \
    -v /root/test/test.txt:/root/test/test.txt nginx

Then we enter the container and, from inside it, write the string "zimug test update file in container" into /root/test/test.txt with echo, i.e. we modify the file from inside the container:

# enter the container, modify the file, then exit
[zimug] $ docker exec -it nginx-zimug1 /bin/bash
root@nginx-zimug1:/# echo "zimug test update file in container" > /root/test/test.txt
root@nginx-zimug1:/# exit

Back on the host, check the contents of /root/test/test.txt as root. The result is exactly what we do not want to see: the ordinary user zimug started a container, mapped a root-owned file into it at will, modified it from inside the container, and the root user's file on the host changed accordingly.

# cat /root/test/test.txt
zimug test update file in container

There are two reasons for this. First, a docker container is essentially a process on the host; without special handling, root inside the container (uid 0) is the same uid 0 as root on the host. Second, docker relies on a daemon, the service process started with systemctl start docker. Because docker is installed by root and the daemon runs as root, the container is ultimately created by a root process even when a non-root user runs it, and that is an important risk point in docker security.
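The experiment above is easy to repeat as a check: a container launched by an ordinary user that runs as uid 0 and bind-mounts a root-owned host path is exactly the risky shape. The following script, an added example that is not part of the original article, scans the JSON shape returned by docker inspect for such mounts. The inspect output is constructed to mirror the nginx-zimug1 container, and the list of sensitive host prefixes is an assumption to tune per environment.

```python
"""Flag bind mounts that hand container root write access to host-root-owned
paths. Added example, not from the article: the inspect output is constructed
to mirror the nginx-zimug1 container above; the sensitive-prefix list is an
assumption to tune per environment."""
import json

# Host paths (assumed list) that an unprivileged launcher should not be able to
# bind-mount: root's home, system config, the docker control socket, proc/sys.
SENSITIVE_PREFIXES = ("/root", "/etc", "/var/run/docker.sock", "/proc", "/sys")

# Constructed: the shape of `docker inspect nginx-zimug1`, reduced to the
# fields this check needs.
CONSTRUCTED_INSPECT = json.dumps([{
    "Name": "/nginx-zimug1",
    "Config": {"User": ""},
    "HostConfig": {"Privileged": False},
    "Mounts": [
        {"Type": "bind", "Source": "/root/test/test.txt",
         "Destination": "/root/test/test.txt", "RW": True},
        {"Type": "volume", "Name": "cache",
         "Destination": "/var/cache/nginx", "RW": True},
    ],
}])


def is_sensitive(path):
    """True if path is one of the prefixes or lies beneath one."""
    return any(path == p or path.startswith(p + "/") for p in SENSITIVE_PREFIXES)


def audit(inspect_json):
    """Return one finding per risky bind mount across all inspected containers."""
    findings = []
    for container in json.loads(inspect_json):
        name = container["Name"].lstrip("/")
        # An empty Config.User means the image default, which for nginx is root.
        runs_as_root = not container.get("Config", {}).get("User")
        for mount in container.get("Mounts", []):
            if mount.get("Type") != "bind":
                continue  # named volumes live under docker's own data root
            src = mount["Source"]
            if not is_sensitive(src):
                continue
            # Read-write plus in-container root is the article's scenario:
            # uid 0 inside equals uid 0 on the host without userns remapping.
            severity = "high" if (runs_as_root and mount.get("RW")) else "medium"
            findings.append({"container": name, "source": src,
                             "rw": bool(mount.get("RW")), "severity": severity})
    return findings


if __name__ == "__main__":
    for f in audit(CONSTRUCTED_INSPECT):
        print(f"{f['severity']:6} {f['container']}: bind mount of {f['source']} rw={f['rw']}")
```

On a real host, feed it the output of docker inspect for every running container; the named volume is skipped deliberately, because it lives under docker's data root rather than pointing at an arbitrary host path.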

There are two common ways to solve this problem: map the container's user ids onto a dedicated range of host ids (user namespace remapping), or build and run docker, including its daemon, as a non-root user (rootless mode).
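The uid arithmetic behind the first fix is what makes the experiment above fail safely: with user namespace remapping, uid 0 inside the container becomes an unprivileged host uid, so the usual permission check on the root-owned file denies the write. The script below, an added example that is not the article's code, models that mapping and the resulting access decision. The /etc/subuid contents and the file ownership are constructed, and the subgid range is assumed to mirror the subuid range.

```python
"""Model the uid arithmetic behind docker's userns-remap fix. Added example,
not the article's code: the /etc/subuid text and file ownership are
constructed, and the subgid range is assumed to mirror the subuid range."""
import json
import stat

# Constructed /etc/subuid: "dockremap" is the user docker creates when
# daemon.json sets "userns-remap": "default".
CONSTRUCTED_SUBUID = "dockremap:100000:65536\nzimug:165536:65536\n"


def parse_subid(text, user):
    """Return (start, count) for user from /etc/subuid-style text."""
    for line in text.splitlines():
        name, start, count = line.strip().split(":")
        if name == user:
            return int(start), int(count)
    raise KeyError(f"no sub-id range for {user}")


def host_id_for(container_id, remap_user=None, subid_text=CONSTRUCTED_SUBUID):
    """Without remapping, container uid/gid n is host n (root stays root).
    With remapping, n becomes range_start + n, never a host id below it."""
    if remap_user is None:
        return container_id
    start, count = parse_subid(subid_text, remap_user)
    if not 0 <= container_id < count:
        raise ValueError(f"id {container_id} outside mapped range of {count}")
    return start + container_id


def can_write(uid, gids, owner_uid, owner_gid, mode):
    """Plain DAC check: host root bypasses it; others need the matching w bit."""
    if uid == 0:
        return True
    if uid == owner_uid:
        return bool(mode & stat.S_IWUSR)
    if owner_gid in gids:
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)


def container_root_can_modify(remap_user=None, owner_uid=0, owner_gid=0, mode=0o644):
    """Can uid 0 inside the container write a host file with this ownership?
    The defaults describe /root/test/test.txt as root created it above."""
    uid = host_id_for(0, remap_user)
    gid = host_id_for(0, remap_user)  # assumes subgid mirrors subuid
    return can_write(uid, {gid}, owner_uid, owner_gid, mode)


def daemon_json_with_remap():
    """Minimal /etc/docker/daemon.json that turns on the default remap user."""
    return json.dumps({"userns-remap": "default"}, indent=2)


if __name__ == "__main__":
    print("no remap: container root writes root-owned file ->",
          container_root_can_modify())
    print("userns-remap: container root is host uid", host_id_for(0, "dockremap"),
          "-> writes root-owned file ->", container_root_can_modify("dockremap"))
    print(daemon_json_with_remap())
```

The second fix, rootless docker, reaches the same outcome by a different route: the daemon itself runs as zimug, so container root is backed by zimug's own host uid rather than by uid 0, and the rest of the container's ids come from zimug's subuid range. Either way the root-owned file stays read-only from inside the container unless its mode explicitly allows others to write.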

This concludes the study of how privilege escalation by non-root users in docker containers arises and how to address it. Combining theory with practice is the best way to learn, so try the experiment yourself. To learn more, keep following the website for further practical articles.


© 2024 shulou.com SLNews company. All rights reserved.
