那些遇到过的问题

即使作为 docker 容器内的 root,权限也被拒绝

sca*_*one 10 permissions docker docker-compose ubuntu-18.04 debian-buster

尝试以 root 身份连接到正在运行的 docker 容器时,仍然会出现“操作不允许”错误apt-get update,但我仍然可以看到敏感文件,例如/etc/passwd. 以下是我的配置以及来自的错误消息apt-get update。我的主机操作系统是Ubuntu 18.04.3. 我的docker版本是Docker version 19.03.5, build 633a0ea838

我使用以下 Dockerfile 创建一个容器

FROM python:3.8-slim-buster
RUN useradd -ms /bin/bash andrej
WORKDIR /home/andrej
COPY . /home/andrej/

RUN apt-get update && \
    apt-get install -y gcc && \
    pip install -r requirements.txt && \
    apt-get remove -y gcc && apt-get -y autoremove

RUN chown andrej:andrej pycurl && \
    chmod 0744 pycurl

USER andrej
ENTRYPOINT ["uwsgi"]
CMD ["--ini", "uwsgi.ini"]
Run Code Online (Sandbox Code Playgroud)

使用 docker compose 启动它,如下所示:

version: "3.3"

services:

  andrej-cv:
    build: ./andrej_cv
    container_name: andrej-cv
    restart: always
    security_opt:
      - no-new-privileges
    expose:
      - 5000
    healthcheck:
      test: ./pycurl --host=127.0.0.1 --port=5050 --uri=/health_check
      interval: 1m30s
      timeout: 10s
      retries: 3
Run Code Online (Sandbox Code Playgroud)

我的 docker 守护进程配置:

{
    "icc": false,
    "userns-remap": "default",
    "log-driver": "syslog",
    "live-restore": true,
    "userland-proxy": false,
    "no-new-privileges": true
}
Run Code Online (Sandbox Code Playgroud)

我使用以下命令(以 root 身份)连接到容器: docker exec -it -u root <container_hash> /bin/bash但是当我尝试更新时,我得到以下信息:

root@ed984abff684:/home/andrej# apt-get update 
E: setgroups 65534 failed - setgroups (1: Operation not permitted)
E: setegid 65534 failed - setegid (1: Operation not permitted)
E: seteuid 100 failed - seteuid (1: Operation not permitted)
E: setgroups 0 failed - setgroups (1: Operation not permitted)
Hit:1 http://deb.debian.org/debian buster InRelease
Ign:2 http://deb.debian.org/debian buster-updates InRelease
Err:4 http://deb.debian.org/debian buster-updates Release
  Could not open file /var/lib/apt/lists/partial/deb.debian.org_debian_dists_buster-updates_Release - open (13: Permission denied) [IP: 151.101.36.204 80]
Hit:3 http://security-cdn.debian.org/debian-security buster/updates InRelease
rm: cannot remove '/var/cache/apt/archives/partial/*.deb': Permission denied
Reading package lists... Done
W: chown to _apt:root of directory /var/lib/apt/lists/partial failed - SetupAPTPartialDirectory (1: Operation not permitted)
W: chmod 0700 of directory /var/lib/apt/lists/partial failed - SetupAPTPartialDirectory (1: Operation not permitted)
W: chown to _apt:root of directory /var/lib/apt/lists/auxfiles failed - SetupAPTPartialDirectory (1: Operation not permitted)
W: chmod 0700 of directory /var/lib/apt/lists/auxfiles failed - SetupAPTPartialDirectory (1: Operation not permitted)
E: setgroups 65534 failed - setgroups (1: Operation not permitted)
E: setegid 65534 failed - setegid (1: Operation not permitted)
E: seteuid 100 failed - seteuid (1: Operation not permitted)
W: Download is performed unsandboxed as root as file '/var/lib/apt/lists/partial/deb.debian.org_debian_dists_buster_InRelease' couldn't be accessed by user '_apt'. - pkgAcquire::Run (13: Permission denied)
E: setgroups 0 failed - setgroups (1: Operation not permitted)
W: Problem unlinking the file /var/lib/apt/lists/partial/deb.debian.org_debian_dists_buster_InRelease - PrepareFiles (13: Permission denied)
W: Problem unlinking the file /var/lib/apt/lists/partial/deb.debian.org_debian_dists_buster-updates_InRelease - PrepareFiles (13: Permission denied)
W: Problem unlinking the file /var/lib/apt/lists/partial/deb.debian.org_debian_dists_buster-updates_Release - PrepareFiles (13: Permission denied)
E: The repository 'http://deb.debian.org/debian buster-updates Release' no longer has a Release file.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
W: Problem unlinking the file /var/lib/apt/lists/partial/security.debian.org_debian-security_dists_buster_updates_InRelease - PrepareFiles (13: Permission denied)
Run Code Online (Sandbox Code Playgroud)

容器 /etc/subuid中看起来/etc/subgid像这样(两者):

andrej:100000:65536
Run Code Online (Sandbox Code Playgroud)

主机 /etc/subuid上看起来/etc/subgid像这样(两者):

andrej:100000:65536
dockremap:165536:65536
Run Code Online (Sandbox Code Playgroud)

Apparmor 正在 Ubuntu 主机上运行,​​状态如下(仅docker-default配置文件):

andrej@machine:/etc/apparmor.d$ sudo aa-status 
apparmor module is loaded.
38 profiles are loaded.
36 profiles are in enforce mode.
   /sbin/dhclient
   /snap/core/8268/usr/lib/snapd/snap-confine
   /snap/core/8268/usr/lib/snapd/snap-confine//mount-namespace-capture-helper
   /usr/bin/evince
   /usr/bin/evince-previewer
   /usr/bin/evince-previewer//sanitized_helper
   /usr/bin/evince-thumbnailer
   /usr/bin/evince//sanitized_helper
   /usr/bin/man
   /usr/lib/NetworkManager/nm-dhcp-client.action
   /usr/lib/NetworkManager/nm-dhcp-helper
   /usr/lib/connman/scripts/dhclient-script
   /usr/lib/cups/backend/cups-pdf
   /usr/lib/snapd/snap-confine
   /usr/lib/snapd/snap-confine//mount-namespace-capture-helper
   /usr/sbin/cups-browsed
   /usr/sbin/cupsd
   /usr/sbin/cupsd//third_party
   /usr/sbin/ippusbxd
   /usr/sbin/tcpdump
   docker-default
   libreoffice-senddoc
   libreoffice-soffice//gpg
   libreoffice-xpdfimport
   man_filter
   man_groff
   snap-update-ns.core
   snap-update-ns.gnome-calculator
   snap-update-ns.gnome-characters
   snap-update-ns.gnome-logs
   snap-update-ns.gnome-system-monitor
   snap.core.hook.configure
   snap.gnome-calculator.gnome-calculator
   snap.gnome-characters.gnome-characters
   snap.gnome-logs.gnome-logs
   snap.gnome-system-monitor.gnome-system-monitor
2 profiles are in complain mode.
   libreoffice-oopslash
   libreoffice-soffice
17 processes have profiles defined.
14 processes are in enforce mode.
   docker-default (1101) 
   docker-default (1102) 
   docker-default (1111) 
   docker-default (1600) 
   docker-default (1728) 
   docker-default (1729) 
   docker-default (1730) 
   docker-default (1731) 
   docker-default (1732) 
   docker-default (1798) 
   docker-default (1799) 
   docker-default (1800) 
   docker-default (1801) 
   docker-default (1802) 
0 processes are in complain mode.
3 processes are unconfined but have a profile defined.
   /sbin/dhclient (491) 
   /usr/sbin/cups-browsed (431) 
   /usr/sbin/cupsd (402)
Run Code Online (Sandbox Code Playgroud)

Selinux 似乎被禁用,因为没有/etc/selinux/config文件且getenfoce命令sestatus不可用。

另外,su andrej以 root 身份运行命令(其中 andrej 是容器中的非特权用户)会出现错误su: cannot set groups: Operation not permitted

Nik*_*din 6

不确定 Docker,但在 runc 容器中的 kubernetes 中对我有帮助:

  1. 获取容器的 root 访问权限列出所有容器
minikube ssh docker container ls
Run Code Online (Sandbox Code Playgroud)

连接到您的容器(使用上一个命令中的容器 ID,而不是44a7ad70d45b):

minikube ssh "docker container exec -it -u 0 44a7ad70d45b /bin/bash"
Run Code Online (Sandbox Code Playgroud)
  1. 作为root内部容器:
root@mycontainer:/# apt-config dump | grep Sandbox::User
APT::Sandbox::User "_apt";

root@mycontainer:/# cat <<EOF > /etc/apt/apt.conf.d/sandbox-disable
APT::Sandbox::User "root";
EOF
Run Code Online (Sandbox Code Playgroud)

确保结果是有效的:

root@mycontainer:/# apt-config dump | grep Sandbox::User
APT::Sandbox::User "root";
Run Code Online (Sandbox Code Playgroud)
  1. apt update并看到
Get:1 http://archive.ubuntu.com/ubuntu hirsute InRelease [269 kB]
Get:2 http://apt.postgresql.org/pub/repos/apt hirsute-pgdg InRelease [16.7 kB]
...
Run Code Online (Sandbox Code Playgroud)

小智 2

在以 Manjaro 作为主机系统的无根 Podman 中运行基于 Ubuntu-16.04 的容器时,我遇到了完全相同的问题。

TL;DR:尝试重建图像。这对我的情况有帮助。

问题可能是 Docker 无法将/var/lib/apt/lists/package目录的所有者 (_apt) UID 映射到主机的 UID 命名空间。/etc/sub{u,g}id如果在拉取/构建映像后对其进行修改,则可能会发生这种情况。

这只是一个猜测,但原因可能是 Docker 首先对镜像执行 UID 映射,然后修改/etc/sub{u,g}id导致不同的 UID 映射规则 -> Docker 无法映射容器内的用户。

您可以通过运行docker inspect <image name>并检查“LowerDir”部分中的目录来验证这一点。其中之一应该存在一个var/lib/apt/lists/packageUID 超出为 .dockremap 指定的范围的目录/etc/sub{u,g}id。podman 的确切命令是,podman image inspect <image name> --format '{{.GraphDriver.Data.LowerDir}}'但 Podman 和 Docker 的 CLI API 应该相同,因此相同的命令也应该适用于 Docker。

例如,我有一个条目tlammi:100000:65536/etc/sub{u,g}id但由主机端的/var/lib/apt/lists/packageUID 拥有165538,该条目超出了范围[100000, 100000 + 65536)

归档时间:

查看次数:

35150 次

最近记录:

4 年 前
相关归档
如何修复“OperationalError: (psycopg2.OperationalError) 服务器意外关闭了连接” 17
java.lang.ClassNotFoundException sun.misc.GC 11
如何处理 Docker 中的状态“退出 0” 8
Docker非本地数据库访问速度慢 7
为什么我在构建 docker 镜像时遇到此错误? 7
无法连接到 AWS EC2 实例中的 Docker PostgreSQL 容器 6
Docker 统计信息显示内存使用量小于 top 命令的输出 6
App Engine 部署:获取应用程序的权限错误 5
IntelliJ IDEA 2020.1.1 无法启动 3
如何在Windows中保留mac os可执行位? 1
难疑归档
如何从JavaScript中删除数组中的特定元素? 7655
如何列出目录的所有文件? 3474
没有jQuery的$(document).ready等价 1925
每个'循环的Java'如何工作? 1446
如何找出哪个DOM元素具有焦点? 1234
有没有办法从APK文件中获取源代码? 1218
Android SDK安装找不到JDK 1185
如何将包含文件的文件夹复制到Unix/Linux中的另一个文件夹? 1145
jQuery从下拉列表中获取选定的选项 1067
自定义HTTP标头:命名约定 1051