1、系统环境:
root@system-virtual-machine:/home/system# uname -a Linux system-virtual-machine 5.0.0-13-generic #14-Ubuntu SMP Mon Apr 15 14:59:14 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux root@system-virtual-machine:/home/system# docker --version Docker version 18.09.5, build e8ff056
默认情况下(未启用用户命名空间隔离时),DOCKER容器内的ROOT用户即为主机的ROOT用户(UID 0)
root@system-virtual-machine:/home/system# docker run -itd --name test01 -v /tmp:/tmp nginx /bin/bash
9a7611e49dc739d6afd4dd9baae0c9fc14db00b8564322265b60e6e4496172a9
root@system-virtual-machine:/home/system# docker exec -it test01 /bin/bash
root@9a7611e49dc7:/# cd /tmp/
root@9a7611e49dc7:/tmp# echo "11" >> 1.txt root@9a7611e49dc7:/tmp# exit exit root@system-virtual-machine:/home/system# ll /tmp/ 总用量 84 drwxrwxrwt 19 root root 4096 5月 21 20:00 ./ drwxr-xr-x 20 root root 4096 5月 21 17:07 ../-rw-r--r-- 1 root root 3 5月 21 20:00 1.txt
此时容器内的ROOT用户即为操作系统的ROOT用户:上例中容器内写入的1.txt在主机上属主为root,也就是说容器内root对挂载进来的主机目录拥有与主机root完全相同的权限
2、配置用户命名空间隔离(userns-remap),将容器的ROOT用户映射为操作系统中UID和GID大于100000的从属ID
修改/usr/lib/systemd/system/docker.service,添加对/etc/default/docker文件中DOCKER_OPTS变量的引用(即增加EnvironmentFile=-/etc/default/docker,并在ExecStart命令末尾追加$DOCKER_OPTS)
system@system-virtual-machine:~$ grep -v '^#' /usr/lib/systemd/system/docker.service [Unit] Description=Docker Application Container Engine Documentation=https://docs.docker.com BindsTo=containerd.service After=network-online.target firewalld.service containerd.service Wants=network-online.target Requires=docker.socket
[Service] Type=notify EnvironmentFile=-/etc/default/docker ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock $DOCKER_OPTS ExecReload=/bin/kill -s HUP $MAINPID TimeoutSec=0 RestartSec=2 Restart=always
StartLimitBurst=3
StartLimitInterval=60s
LimitNOFILE=infinity LimitNPROC=infinity LimitCORE=infinity
TasksMax=infinity
Delegate=yes
KillMode=process
[Install] WantedBy=multi-user.target
编辑/etc/default/docker,添加:
DOCKER_OPTS="--userns-remap=default"
或
DOCKER_OPTS="--userns-remap=自定义的用户名"
此时会在/etc/subuid和/etc/subgid中添加该用户的从属ID映射范围
system@system-virtual-machine:~$ cat /etc/subuid /etc/subgid system:100000:65536 dockremap:165536:65536 apps:231072:65536 system:100000:65536 dockremap:165536:65536 apps:231072:65536
如dockremap这一行表示:从操作系统UID 165536开始、连续65536个ID(即165536至165536+65536)依次映射为容器内的UID 0至65535,其中0即容器的ROOT用户。/etc/default/docker文件中DOCKER_OPTS="--userns-remap=default"这一行指定了引用/etc/subuid、/etc/subgid文件中哪个用户和用户组的映射范围,default一般指dockremap
3、为容器的ROOT用户指定权限
root@system-virtual-machine:/home/system# mkdir -p /dockertest/dir1
root@system-virtual-machine:/home/system# cat /etc/default/docker
DOCKER_OPTS="--userns-remap=apps"
root@system-virtual-machine:/home/system# cat /etc/subuid system:100000:65536 dockremap:165536:65536 apps:231072:65536
root@system-virtual-machine:/home/system# docker run -itd --name test06 -v /dockertest/dir1:/tmp nginx 42697b7f491f32582cba785ab35e646816189ce5d4a295e52bb7231b5e8d1d75 root@system-virtual-machine:/home/system# docker exec -it test06 /bin/bash root@42697b7f491f:/# cd /tmp/ root@42697b7f491f:/tmp# ls root@42697b7f491f:/tmp# echo "test" > 1.txt bash: 1.txt: Permission denied root@42697b7f491f:/tmp# whoami root
此时写入被拒绝(Permission denied):挂载目录/dockertest/dir1在主机上仍属于root,而容器内的root实际对应的是主机UID 231072(apps的映射起点),对该目录没有写权限
为映射后的主机用户(UID 231072)显式赋予目录权限
root@system-virtual-machine:/home/system# chown -R 231072 /dockertest/dir1/ root@system-virtual-machine:/home/system# ll /dockertest/dir1/ 总用量 8 drwxr-xr-x 2 231072 root 4096 5月 22 08:32 ./ drwxr-xr-x 3 root root 4096 5月 22 08:32 ../ root@system-virtual-machine:/home/system# docker exec -it test06 /bin/bash root@42697b7f491f:/# cd /tmp/ root@42697b7f491f:/tmp# echo "test" > 1.txt root@42697b7f491f:/tmp# exit
此时可以正常写入,在主机上看到的文件属主即为映射到容器ROOT的主机用户(UID/GID 231072),而不再是主机root
system@system-virtual-machine:~$ ll /dockertest/dir1/1.txt -rw-r--r-- 1 231072 231072 5 5月 22 08:37 /dockertest/dir1/1.txt