Dev Containers: Isolate Your Visual Studio Code Workspaces

The Remote Containers extension lets you use a Docker container as a full-featured development environment. But what happens if you want to run a Docker container within a Remote Container?

Remote Containers allow you to isolate each project's development environment. A containerized development environment has the following benefits:

  • Reproducibility: Each developer has exactly the same workspace
  • Isolation: Workspaces and their dependencies are isolated from each other
  • Security: Prevents malicious dependencies from installing malware on your machine or reading your files

Each project has a .devcontainer folder. The .devcontainer folder contains the Dockerfile and the devcontainer.json configuration for your development environment.

Setting up a development environment using these files is easy and well-documented. Getting Docker to work securely within such an environment, however, is not documented at all.

Requirements

Quick Start

Let's create a sample devcontainer to get a feeling for development containers. You can skip the Quick Start section if you are already familiar with development containers.

To quickly get started:

  • Press ctrl+shift+P to open the command palette
  • Type Remote-Containers: Try a Sample... (if this option is not offered, make sure you close your current container with ctrl+K F)

[Figure: Try a sample container]
  • Now choose the language you would like to try out. We will pick Go for the Go programming environment; you can select a different environment.

[Figure: Select the Go programming environment]

And there you go: you've created a project with a .devcontainer folder. Everything you do in here is now isolated from the rest of your system. If you run malicious code, it will be much harder for that code to do damage to your system or steal your credentials.

As you can see, the .devcontainer folder contains two files:

  • devcontainer.json: The configuration file that declares which extensions you want, which ports you wish to forward, and so on
  • Dockerfile: The Dockerfile for your development container; you declare your dependencies (like the Go development tools) here

If you wish to open an existing project in a development container, make sure a .devcontainer folder exists, press ctrl+shift+P and type Remote-Containers: Open Folder in Container....

If you want to add a sample .devcontainer folder to an existing project, press ctrl+shift+P and type Remote-Containers: Add Development Container Configuration Files.... Then you can select your programming language.

Run Docker in a Development Container

Great, you've got the basics of how development containers work: you declare a Dockerfile, and this Dockerfile defines your development environment.

But even if you run sudo apt install docker.io inside your container, you will notice that the Docker daemon is not running:

$ sudo docker run nginx
docker: Cannot connect to the Docker daemon at unix:///var/run/docker.sock. Is the docker daemon running?.

This is because, by default, you cannot run a Docker daemon inside a Docker container, due to the way containers work: dockerd needs kernel capabilities (mounting filesystems, creating network namespaces, managing cgroups) that the default container configuration deliberately drops.

You now have two options:

  • You can connect to the Docker daemon that is running on your host, typically by bind-mounting /var/run/docker.sock into the dev container. This is often recommended but is not secure at all: anything that can talk to the host daemon can start a container with the host's root filesystem mounted, which is equivalent to root on the host. From your development environment you can thus easily compromise the whole host system, so this option gives you no isolation.
  • You can run docker-in-docker: this creates a separate Docker daemon inside your dev container.

Back in the day, docker-in-docker required the container to be run as privileged (giving it all kernel privileges) and as root (letting the user exercise all of those privileges), which of course made escaping the container trivial.

Nowadays, we can run Docker as a rootless user, and this is what we will do. Your container is still run as privileged (there is no way around that for the dind-rootless image), but your session and the daemon run as an unprivileged user who does not hold those privileges, so a malicious dependency cannot simply use them. Keep in mind what --privileged still costs you: the container's root user gets every capability, and Docker applies no seccomp or AppArmor profile to it, so the unprivileged UID and the kernel's user-namespace boundary are what stand between a dependency and the host. A kernel privilege-escalation bug would cross that line, so keep the host kernel patched.

Setting up a rootless Docker-in-Docker development container

To set up Docker-in-Docker (DinD), you create a privileged dev container with a rootless user. The container has to be privileged, but because the user is rootless, the chances of this being exploited are small.

Let's get started with setting up a sample container. Note that the dind-rootless image is an Alpine image, so you have to use the apk package manager.

Edit the .devcontainer/Dockerfile file for your rootless Docker-in-Docker dev container:

# There may be a newer version
FROM docker:19.03.12-dind-rootless

# Switch to root to install packages
USER root

# Install your dependencies, this can be changed
RUN apk add --no-cache git bash curl make vim go

# Set the user back to the rootless user (uid 1000 in this image)
USER rootless

# Point the docker CLI at the rootless daemon's socket
ENV DOCKER_HOST=unix:///var/run/user/1000/docker.sock

Now, although this runs as a rootless user, we still need to make the container privileged.

Edit the .devcontainer/devcontainer.json file:

{
  "name": "Docker",
  "dockerFile": "Dockerfile",
  "runArgs": [ "--privileged" ],
  "settings": {
    "terminal.integrated.shell.linux": "/bin/bash",
    "go.gopath": "~/go"
  },
  "extensions": [
    "golang.go"
  ],
  "postCreateCommand": "dockerd-entrypoint.sh --experimental &",
  "remoteUser": "rootless"
}

Important changes:

  • "runArgs": [ "--privileged" ]: always required for docker-in-docker; the dind-rootless image will not start its daemon without it
  • "postCreateCommand": "dockerd-entrypoint.sh --experimental &": starts the rootless Docker daemon once the container has been created (rootless mode was still experimental in 19.03, hence the flag). Note that postCreateCommand runs only after the container is first built; if you stop and restart the container, the daemon will not come back on its own, so use postStartCommand, which runs on every start, if you need that.
  • "remoteUser": "rootless": ensures VS Code connects to the container as the rootless user, not as root
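As an added example that is not part of the original article, the following Python script turns the two options above (mounting the host daemon's socket versus rootless docker-in-docker) and the devcontainer.json checklist into an audit you can run against a project's .devcontainer/devcontainer.json. The check names, severities, the postStartCommand remark and the two sample configurations are this example's own, not something the article or the Remote Containers extension provides; it only assumes the devcontainer.json keys used above (runArgs, mounts, remoteUser, containerUser, postCreateCommand, postStartCommand).

```python
# Added example: a small audit of devcontainer.json for the two choices
# discussed above. Not from the article; check names, severities and the
# sample configs are this example's own.
import json
import re
import sys

# The host daemon's socket. Bind-mounting it into the dev container is the
# "connect to the host daemon" option: control of the socket is root on the host.
HOST_SOCKETS = ("/var/run/docker.sock", "/run/docker.sock")


def strip_jsonc(text):
    """devcontainer.json is JSON with comments; drop // and /* */ comments that
    sit outside strings, then trailing commas, so json.loads accepts it."""
    out, i, n, in_str = [], 0, len(text), False
    while i < n:
        c = text[i]
        if in_str:
            out.append(c)
            if c == "\\" and i + 1 < n:   # copy the escaped character verbatim
                out.append(text[i + 1])
                i += 1
            elif c == '"':
                in_str = False
        elif c == '"':
            in_str = True
            out.append(c)
        elif text.startswith("//", i):     # line comment: skip to end of line
            j = text.find("\n", i)
            i = n if j < 0 else j
            continue
        elif text.startswith("/*", i):     # block comment: skip past closing */
            j = text.find("*/", i + 2)
            i = n if j < 0 else j + 2
            continue
        else:
            out.append(c)
        i += 1
    # Trailing commas before } or ] (tolerated by VS Code, rejected by json.loads)
    return re.sub(r",(\s*[}\]])", r"\1", "".join(out))


def audit_devcontainer(text):
    """Return (severity, message) findings for the body of a devcontainer.json."""
    cfg = json.loads(strip_jsonc(text))
    findings = []
    run_args = [str(a) for a in cfg.get("runArgs", [])]
    mounts = [m if isinstance(m, str) else json.dumps(m) for m in cfg.get("mounts", [])]
    user = cfg.get("remoteUser") or cfg.get("containerUser")
    privileged = "--privileged" in run_args

    # Option 1 from the article: the host daemon handed into the container.
    for entry in run_args + mounts:
        if any(sock in entry for sock in HOST_SOCKETS):
            findings.append(("high", "host Docker socket is mounted (%s): anything in the "
                             "container controls the host daemon, so there is no isolation" % entry))

    # Who the editor session (and every dependency it runs) is inside the container.
    if user is None:
        findings.append(("medium", "remoteUser is not set: the session runs as the image's "
                         "default user (root for most images); pin an unprivileged user"))
    elif user == "root":
        if privileged:
            findings.append(("high", "session runs as root in a --privileged container: every "
                             "dependency you run gets every kernel capability"))
        else:
            findings.append(("medium", "session runs as root inside the container"))
    elif privileged:
        findings.append(("info", "--privileged is set (needed for docker-in-docker); isolation "
                         "rests on remoteUser=%s staying unprivileged" % user))

    # postCreateCommand runs once after the container is built; postStartCommand
    # runs on every start, which is what a daemon that must survive restarts needs.
    if "dockerd" in str(cfg.get("postCreateCommand", "")) and "postStartCommand" not in cfg:
        findings.append(("info", "dockerd is started from postCreateCommand only; after a "
                         "stop/start of the container it will not be running (use postStartCommand)"))
    return findings


# Constructed sample 1: the rootless docker-in-docker config from this article,
# with a comment and a trailing comma, both of which VS Code tolerates.
PAGE_CONFIG = """{
  "name": "Docker",
  "dockerFile": "Dockerfile",
  "runArgs": [ "--privileged" ],   // needed by the dind-rootless image
  "extensions": [ "golang.go", ],
  "postCreateCommand": "dockerd-entrypoint.sh --experimental &",
  "remoteUser": "rootless"
}"""

# Constructed sample 2: the "connect to the host daemon" option, as root.
SOCKET_CONFIG = """{
  "name": "host-docker",
  "image": "ubuntu",
  "mounts": [ "source=/var/run/docker.sock,target=/var/run/docker.sock,type=bind" ],
  "remoteUser": "root"
}"""

if __name__ == "__main__":
    # usage: python audit_devcontainer.py .devcontainer/devcontainer.json
    body = open(sys.argv[1]).read() if len(sys.argv) > 1 else SOCKET_CONFIG
    for severity, message in audit_devcontainer(body):
        print("[%s] %s" % (severity, message))
```

Run it as python audit_devcontainer.py .devcontainer/devcontainer.json. The rootless setup from this article produces only the two informational lines (privileged, and the daemon being started from postCreateCommand), while a socket mount or a root session is reported as high.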

Give it a shot. Spin up the dev container and type docker run -it ubuntu. This should drop you into a full-fledged Ubuntu container. Interestingly enough, you are root inside this container. That root is not real root: rootless Docker maps UID 0 of the inner container to the rootless user's UID (1000) outside it through a user namespace. By bind-mounting your workspace you can therefore perform actions that would normally require root privileges on those files, but only because they are owned by the rootless user anyway.
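To see what that root actually is, here is an added example that is not from the article: it reads the kernel's uid_map, the table a user namespace uses to translate UIDs, and reports what a UID seen inside maps to outside. The sample mapping is constructed to match what rootlesskit sets up for uid 1000 with a subordinate range starting at 100000, which is a typical /etc/subuid entry and not something the article states.

```python
# Added example (not from the article): translate UIDs through a Linux uid_map,
# which is how "root inside the inner container" becomes the rootless user outside.


def parse_uid_map(text):
    """Parse /proc/<pid>/uid_map: each line is 'inside outside count'."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            inside, outside, count = (int(p) for p in parts)
            rows.append((inside, outside, count))
    return rows


def outside_uid(uid_map_text, inner_uid):
    """Return the UID the parent namespace sees for inner_uid, or None if the
    UID is unmapped (the kernel then shows it as nobody, 65534)."""
    for inside, outside, count in parse_uid_map(uid_map_text):
        if inside <= inner_uid < inside + count:
            return outside + (inner_uid - inside)
    return None


def in_user_namespace(uid_map_text):
    """The initial namespace carries the identity map '0 0 4294967295'."""
    return parse_uid_map(uid_map_text) != [(0, 0, 4294967295)]


# Constructed sample: the map rootlesskit builds for user 'rootless' (uid 1000)
# given an /etc/subuid entry 'rootless:100000:65536'. Real values come from
# /etc/subuid on the machine running the rootless daemon.
ROOTLESS_MAP = "         0       1000          1\n         1     100000      65536\n"
# Constructed sample: what you see on a host outside any user namespace.
INIT_MAP = "         0          0 4294967295\n"


def describe(uid_map_text, inner_uid):
    mapped = outside_uid(uid_map_text, inner_uid)
    if mapped is None:
        return "uid %d is unmapped here (appears as nobody/65534 outside)" % inner_uid
    return "uid %d inside is uid %d outside" % (inner_uid, mapped)


if __name__ == "__main__":
    # Run this inside the dev container, then inside 'docker run -it ubuntu',
    # to watch root (uid 0) turn into uid 1000 one namespace up.
    with open("/proc/self/uid_map") as f:
        live = f.read()
    print("inside a user namespace:", in_user_namespace(live))
    print(describe(live, 0))
```

Files in the bind-mounted workspace are owned by uid 1000, which the inner container sees as uid 0, so root inside can edit them freely; a file owned by a UID outside the mapped range shows up as nobody and cannot be chowned to anything meaningful, which is the visible sign that the inner root has no standing outside its namespace.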

There you go. When you now open this project in a dev container you can run containers without any problem, and they will not show up in the Docker daemon on your host.

Translated from: https://medium.com/@toonsev/dev-containers-isolate-your-visual-studio-code-workspaces-a2fed6c60606
