在 Openshift 上的 docker 中运行 docker 是否安全?
[英]Is it safe to run docker in docker on Openshift?
问题描述
I built Docker image on server that can run CI-CD for Jenkins.
我在可以为 Jenkins 运行 CI-CD 的服务器上构建了 Docker 映像。 Because some builds use Docker, I installed Docker inside my image, and in order to allow the inside Docker to run, I had to give it --privilege .因为有些构建使用 Docker,所以我在我的镜像中安装了 Docker,为了允许内部 Docker 运行,我必须给它--privilege 。
All works good, but I would like to run the docker in docker, on Openshift (or Kubernetes).一切正常,但我想在 Openshift(或 Kubernetes)上的 docker 中运行 docker。 The problem is with getting the --privilege permissions.问题在于获得--privilege权限。
Is running privilege container on Openshift is dangerous, and if so why and how much?在 Openshift 上运行特权容器是否危险,如果是,为什么以及危险程度如何?
2 个解决方案
解决方案1
1 2018-11-11 21:58:37
A privileged container can reboot the host, replace the host's kernel, access arbitrary host devices (like the raw disk device), and reconfigure the host's network stack, among other things .特权容器可以重新启动主机、替换主机的内核、访问任意主机设备(如原始磁盘设备)以及重新配置主机的网络堆栈等。 I'd consider it extremely dangerous, and not really any safer than running a process as root on the host.我认为它非常危险,并不比在主机上以 root 身份运行进程更安全。
I'd suggest that using --privileged at all is probably a mistake.我建议完全使用--privileged可能是一个错误。 If you really need a process to administer the host, you should run it directly (as root) on the host and not inside an isolation layer that blocks the things it's trying to do.如果你真的需要一个进程来管理主机,你应该直接(以 root 身份)在主机上运行它,而不是在阻止它试图做的事情的隔离层内。 There are some limited escalated-privilege things that are useful, but if eg your container needs to mlock (2) you should --cap-add IPC_LOCK for the specific privilege you need, instead of opening up the whole world.有一些有限的提升权限的东西是有用的,但是如果例如您的容器需要mlock (2),您应该--cap-add IPC_LOCK以获得您需要的特定权限,而不是打开整个世界。
(My understanding is still that trying to run Docker inside Docker is generally considered a mistake and using the host's Docker daemon is preferable. Of course, this also gives unlimited control over the host...) (我的理解仍然是,尝试在 Docker 内部运行 Docker通常被认为是错误的,最好使用主机的 Docker 守护进程。当然,这也提供了对主机的无限控制......)
解决方案2
0 2021-03-25 20:20:53
In short, the answer is no, it's not safe.简而言之,答案是否定的,它不安全。 Docker-in-Docker in particular is far from safe due to potential memory and file system corruption, and even mounting the host's docker socket is unsafe in effectively any environment as it effectively gives the build pipeline root privileges.由于潜在的内存和文件系统损坏,Docker-in-Docker 尤其远非安全,甚至挂载主机的 docker socket 在任何环境中都是不安全的,因为它有效地赋予了构建管道 root 权限。 This is why tools like Buildah and Kaniko were made, as well as build images like S2I.这就是为什么要制作Buildah和Kaniko 之类的工具,以及构建 S2I 之类的图像的原因。
Buildah in particular is Red Hat's own tool for building inside containers but as of now I believe they still can't run completely privilege-less.特别是 Buildah 是 Red Hat 自己的用于在容器内构建的工具,但截至目前,我相信它们仍然无法完全无特权地运行。
Additionally, on Openshift 4, you cannot run Docker-in-Docker at all since the runtime was changed to CRI-O.此外,在 Openshift 4 上,您根本无法运行 Docker-in-Docker,因为运行时已更改为 CRI-O。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.