When a container runs in non-privileged mode, many operations are not permitted:
[root@d3803eb23a14 /]# ntpdate hshh.org asia.pool.ntp.org
22 Nov 07:12:43 ntpdate[78]: Can't adjust the time of day: Operation not permitted
One fix is to enable privileged mode with --privileged, but then the container holds far too many privileges and the security risk grows accordingly. Instead, --cap-add grants individual, fine-grained capabilities; for adjusting the system time, for example, it is enough to add SYS_TIME:
[root@CentOS-7-2 /home]# docker run -it --cap-add=SYS_TIME --name test 165931a63fea /bin/bash
[root@6659a1445222 /]# ntpdate hshh.org asia.pool.ntp.org
22 Nov 07:15:03 ntpdate[64]: adjust time server 211.19.59.28 offset 0.032864 sec
I previously ran into the problem of an SSH session to a container exiting immediately (sshd running inside a Docker container, remote login exits right away with Exit status 254). That was also a permission problem: the root cause was that the PAM module lacked the privilege to set ulimit, so authentication failed. Apart from privileged mode, this can likewise be solved by adding the CAP_SYS_RESOURCE capability with --cap-add.
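To confirm which capabilities a container actually ended up with, the effective set can be read from the CapEff field of /proc/PID/status and decoded by bit number. The script below is an added example, not part of the original post; the two sample masks are constructed (Docker's default set, and the same set after --cap-add=SYS_TIME), and the bit numbers come from linux/capability.h.

```shell
# Capability bit numbers from linux/capability.h (only those discussed here).
cap_bit() {
  case "$1" in
    CAP_SYS_RAWIO)    echo 17 ;;
    CAP_SYS_PTRACE)   echo 19 ;;
    CAP_SYS_RESOURCE) echo 24 ;;
    CAP_SYS_TIME)     echo 25 ;;
    *) echo "unknown capability: $1" >&2; return 1 ;;
  esac
}

# has_cap MASK NAME: succeed if NAME's bit is set in the hex capability mask.
has_cap() {
  bit=$(cap_bit "$2") || return 2
  [ $(( 0x$1 >> bit & 1 )) -eq 1 ]
}

# cap_eff_of [PID]: the effective capability mask of a process (default: self).
cap_eff_of() {
  awk '/^CapEff:/ { print $2 }' "/proc/${1:-self}/status"
}

# report MASK: list presence of the capabilities this post discusses.
report() {
  for c in CAP_SYS_TIME CAP_SYS_RESOURCE CAP_SYS_PTRACE CAP_SYS_RAWIO; do
    if has_cap "$1" "$c"; then echo "  $c: present"; else echo "  $c: absent"; fi
  done
}

# Constructed sample masks: Docker's default effective set, and the same set
# with bit 25 (CAP_SYS_TIME) added, as produced by --cap-add=SYS_TIME.
DEFAULT_CAPEFF=00000000a80425fb
WITH_SYS_TIME=00000000aa0425fb

echo "default container (CapEff=$DEFAULT_CAPEFF):";      report "$DEFAULT_CAPEFF"
echo "with --cap-add=SYS_TIME (CapEff=$WITH_SYS_TIME):"; report "$WITH_SYS_TIME"
if [ -r /proc/self/status ]; then
  echo "this shell (CapEff=$(cap_eff_of)):"; report "$(cap_eff_of)"
fi
```

Run it inside the container (for example as the entrypoint of a test run) to verify that only the intended capability was added.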
The full list of capabilities is documented in the manual; see man capabilities:
......
CAP_SYS_PTRACE
Trace arbitrary processes using ptrace(2); apply get_robust_list(2) to
arbitrary processes; inspect processes using kcmp(2).
CAP_SYS_RAWIO
* Perform I/O port operations (iopl(2) and ioperm(2));
* access /proc/kcore;
* employ the FIBMAP ioctl(2) operation;
* open devices for accessing x86 model-specific registers (MSRs, see
msr(4))
* update /proc/sys/vm/mmap_min_addr;
* create memory mappings at addresses below the value specified by
/proc/sys/vm/mmap_min_addr;
* map files in /proc/bus/pci;
* open /dev/mem and /dev/kmem;
* perform various SCSI device commands;
* perform certain operations on hpsa(4) and cciss(4) devices;
* perform a range of device-specific operations on other devices.
CAP_SYS_RESOURCE
* Use reserved space on ext2 file systems;
* make ioctl(2) calls controlling ext3 journaling;
* override disk quota limits;
* increase resource limits (see setrlimit(2));
* override RLIMIT_NPROC resource limit;
* override maximum number of consoles on console allocation;
* override maximum number of keymaps;
* allow more than 64hz interrupts from the real-time clock;
* raise msg_qbytes limit for a System V message queue above the limit in
/proc/sys/kernel/msgmnb (see msgop(2) and msgctl(2));
* override the /proc/sys/fs/pipe-size-max limit when setting the capacity
of a pipe using the F_SETPIPE_SZ fcntl(2) command.
* use F_SETPIPE_SZ to increase the capacity of a pipe above the limit specified by /proc/sys/fs/pipe-max-size;
* override /proc/sys/fs/mqueue/queues_max limit when creating POSIX message
queues (see mq_overview(7));
* employ prctl(2) PR_SET_MM operation;
* set /proc/PID/oom_score_adj to a value lower than the value last set by a
process with CAP_SYS_RESOURCE.
CAP_SYS_TIME
Set system clock (settimeofday(2), stime(2), adjtimex(2)); set real-time
(hardware) clock.