在不受信任的主机上运行的Docker容器
[英]docker container running on untrusted host machine
问题描述
I know that docker containers which are running on a host machine have root privileges. 
我知道在主机上运行的Docker容器具有root特权。
I want to start a container using HTTP requests from a web app but I don't trust the host machine which is running docker. 我想使用来自Web应用程序的HTTP requests来启动容器,但我不信任运行docker的主机。
Is it possible to make my container as a "black-box" so I can prevent even the root in the host machine from accessing it? 是否可以将我的容器设置为"black-box"以便甚至可以阻止主机中的根访问它?
What I want is to simply run it? 我想要的只是运行它?
Are there any other alternatives instead of docker that I can use to achieve this? 还有其他替代docker的替代方法可以用来实现这一目标吗?
1 个解决方案
解决方案1
2 2018-02-01 13:51:18
I know that docker containers which are running on a host machine have root privileges.
This is mostly incorrect. 这主要是不正确的。 A docker container has root access only on stuff visible to the container; Docker容器仅对容器可见的内容具有root用户访问权限; that is directories explicitly mounted onto the container. 即目录已显式安装到容器上。
Is it possible to make my container as a "black-box" so I can prevent even the root in the host machine from accessing it?
No. The root user of the machine has access to everything on the machine. 否。计算机的root用户可以访问计算机上的所有内容。 There is no way to prevent the root user from having access to the container. 无法阻止root用户访问该容器。
Are there any other alternatives instead of docker that I can use to achieve this?
You are going to deploy the application in some form on the host, which will result in a runnable process. 您将以某种形式在主机上部署应用程序,这将导致可运行的过程。 The root user will always have access and control over this process. root用户将始终可以访问和控制此过程。 So you which ever approach you take, there is no way to prevent the root user from having access to the application process. 因此,无论采用哪种方法,都无法阻止root用户访问应用程序进程。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.