Pet*_*ter 30 docker docker-container
我不能杀死或停止任何码头集装箱.我允许非特权用户运行Docker命令.并且docker run hello-world工作正常.但我不能阻止任何其他容器.
我得到了以下:
$ docker stop 59e3b815d1dc
Error response from daemon: cannot stop container: 59e3b815d1dc:
Cannot kill container 59e3b815d1dcf2d8c8bcd3dd641c3c033b83ac68ea2f0257a32a76468af7374c:
unknown error after kill: docker-runc did not terminate sucessfully:
container_linux.go:393: signaling init process caused "permission denied"
: unknown
与sudo相同的错误.同时,所有容器都成功运行,但要停止它们只能完全重启系统.
Docker撰写示例:#使用postgres/example用户/密码凭证版本:'3.1'
services:
db:
image: postgres
restart: always
environment:
POSTGRES_PASSWORD: example
adminer:
image: adminer
restart: always
ports:
- 8080:8080
Docker信息:
$ docker info
Containers: 7
Running: 2
Paused: 0
Stopped: 5
Images: 10
Server Version: 17.12.1-ce
Storage Driver: overlay2
Backing Filesystem: extfs
Supports d_type: true
Native Overlay Diff: true
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
Volume: local
Network: bridge host macvlan null overlay
Log: awslogs fluentd gcplogs gelf journald json-file logentries splunk syslog
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Init Binary: docker-init
containerd version: 9b55aab90508bd389d7654c4baf173a981477d55
runc version: 9f9c96235cc97674e935002fc3d78361b696a69e
init version: 949e6fa
Security Options:
apparmor
seccomp
Profile: default
Kernel Version: 4.4.0-116-generic
Operating System: Ubuntu 16.04.4 LTS
OSType: linux
Architecture: x86_64
CPUs: 4
Total Memory: 11.61GiB
Name: peter-pen
ID: P6FS:C76H:WIAO:LCWC:TCHT:JEYB:6W3M:HXYD:S4E2:KTUZ:2T3Q:3GPI
Docker Root Dir: /var/lib/docker
Debug Mode (client): false
Debug Mode (server): false
Registry: https://index.docker.io/v1/
Labels:
Experimental: false
Insecure Registries:
127.0.0.0/8
Live Restore Enabled: false
WARNING: No swap limit support
小智 62
对我来说,从AppArmor作品中删除未知的作品:
sudo aa-remove-unknown
小智 16
AppArmor(Application Armor)是一个Linux安全模块,可以保护操作系统及其应用程序免受安全威胁.要使用它,系统管理员会将AppArmor安全配置文件与每个程序相关联.Docker希望找到一个加载并强制执行的AppArmor策略.检查默认配置文件:
# sudo apparmor_status
要在容器上使用docker默认配置文件,请运行:
$ docker run --rm -it --name test-container --security-opt apparmor=docker-default image-name
您可以使用以下命令禁用它:
--security-opt apparmor=unconfined
使用docker run命令.
要禁用apparmor服务,请使用:
# systemctl stop apparmor && systemctl disable apparmor
对于Ubuntu 14.使用:
# service apparmor stop
# update-rc.d -f apparmor remove
建议为Docker apparmor设置工作配置文件而不是禁用它,尤其是对于生产设置.
查看关于使用AppArmor保护容器的这个非常棒的Google文档.
https://cloud.google.com/container-optimized-os/docs/how-to/secure-apparmor
Sid*_*ava 13
此命令将停止所有docker容器.
sudo killall docker-containerd-shim
此命令将删除所有docker容器.
sudo docker-compose down
只需在终端中运行此命令,所有正在运行的 docker 容器都将停止
sudo systemctl restart docker.service