1、系统环境:
root@system-virtual-machine:/home/system# uname -a
Linux system-virtual-machine 5.0.0-13-generic #14-Ubuntu SMP Mon Apr 15 14:59:14 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
root@system-virtual-machine:/home/system# docker --version
Docker version 18.09.5, build e8ff056
默认DOCKER容器的ROOT用户被映射为主机的ROOT用户
root@system-virtual-machine:/home/system# docker run -itd --name test01 -v /tmp:/tmp nginx /bin/bash
9a7611e49dc739d6afd4dd9baae0c9fc14db00b8564322265b60e6e4496172a9
root@system-virtual-machine:/home/system# docker exec -it test01 /bin/bash
root@9a7611e49dc7:/# cd /tmp/
root@9a7611e49dc7:/tmp# echo "11" >> 1.txt
root@9a7611e49dc7:/tmp# exit
exit
root@system-virtual-machine:/home/system# ll /tmp/
总用量 84
drwxrwxrwt 19 root root 4096 5月 21 20:00 ./
drwxr-xr-x 20 root root 4096 5月 21 17:07 ../
-rw-r--r-- 1 root root 3 5月 21 20:00 1.txt
此时容器的ROOT用户即为操作系统的ROOT用户,对挂载进容器的主机目录拥有与主机ROOT完全相同的权限
2、配置用户隔离,将容器的ROOT用户映射为操作系统的UID和GID大于100000的从属ID
修改/usr/lib/systemd/system/docker.service,通过EnvironmentFile引用/etc/default/docker文件,并在ExecStart中追加$DOCKER_OPTS
system@system-virtual-machine:~$ grep -v '^#' /usr/lib/systemd/system/docker.service
[Unit]
Description=Docker Application Container Engine
Documentation=https://docs.docker.com
BindsTo=containerd.service
After=network-online.target firewalld.service containerd.service
Wants=network-online.target
Requires=docker.socket
[Service]
Type=notify
EnvironmentFile=-/etc/default/docker
ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock $DOCKER_OPTS
ExecReload=/bin/kill -s HUP $MAINPID
TimeoutSec=0
RestartSec=2
Restart=always
StartLimitBurst=3
StartLimitInterval=60s
LimitNOFILE=infinity
LimitNPROC=infinity
LimitCORE=infinity
TasksMax=infinity
Delegate=yes
KillMode=process
[Install]
WantedBy=multi-user.target
编辑/etc/default/docker,添加:
DOCKER_OPTS="--userns-remap=default"
或
DOCKER_OPTS="--userns-remap=自定义的用户名"
此时会在/etc/subuid和/etc/subgid中添加该用户的从属ID映射
system@system-virtual-machine:~$ cat /etc/subuid /etc/subgid
system:100000:65536
dockremap:165536:65536
apps:231072:65536
system:100000:65536
dockremap:165536:65536
apps:231072:65536
如dockremap这一行表示,从操作系统UID 165536开始的65536个ID依次映射为容器内的UID 0至65535,其中容器的UID 0(ROOT用户)对应主机UID 165536。/etc/default/docker文件中的DOCKER_OPTS="--userns-remap=default"这一行指定了使用/etc/subuid、/etc/subgid文件中哪个用户和用户组的映射,default一般指dockremap
3、为容器的ROOT用户指定权限
root@system-virtual-machine:/home/system# mkdir -p /dockertest/dir1
root@system-virtual-machine:/home/system# cat /etc/default/docker
DOCKER_OPTS="--userns-remap=apps"
root@system-virtual-machine:/home/system# cat /etc/subuid
system:100000:65536
dockremap:165536:65536
apps:231072:65536
root@system-virtual-machine:/home/system# docker run -itd --name test06 -v /dockertest/dir1:/tmp nginx
42697b7f491f32582cba785ab35e646816189ce5d4a295e52bb7231b5e8d1d75
root@system-virtual-machine:/home/system# docker exec -it test06 /bin/bash
root@42697b7f491f:/# cd /tmp/
root@42697b7f491f:/tmp# ls
root@42697b7f491f:/tmp# echo "test" > 1.txt
bash: 1.txt: Permission denied
root@42697b7f491f:/tmp# whoami
root
此时写入被拒绝:容器内的ROOT用户在主机上实际是UID 231072,而/dockertest/dir1目录属于主机ROOT且对其他用户不可写
为映射后的用户显式授予该目录的权限
root@system-virtual-machine:/home/system# chown -R 231072 /dockertest/dir1/
root@system-virtual-machine:/home/system# ll /dockertest/dir1/
总用量 8
drwxr-xr-x 2 231072 root 4096 5月 22 08:32 ./
drwxr-xr-x 3 root root 4096 5月 22 08:32 ../
root@system-virtual-machine:/home/system# docker exec -it test06 /bin/bash
root@42697b7f491f:/# cd /tmp/
root@42697b7f491f:/tmp# echo "test" > 1.txt
root@42697b7f491f:/tmp# exit
此时可正常写入,文件的属主即为主机上映射到容器ROOT的用户(UID 231072)
system@system-virtual-machine:~$ ll /dockertest/dir1/1.txt
-rw-r--r-- 1 231072 231072 5 5月 22 08:37 /dockertest/dir1/1.txt