How to resolve exceptions.OSError: [Errno 1] Operation not permitted (docker container)?

I am trying to scan BLE devices with bluepy. My scan.py code is --

from bluepy.btle import Scanner, DefaultDelegate

class ScanDelegate(DefaultDelegate):
    def __init__(self):
        DefaultDelegate.__init__(self)

    def handleDiscovery(self, dev, isNewDev, isNewData):
        if isNewDev:
            print "Discovered device", dev.addr
        elif isNewData:
            print "Received new data from", dev.addr

# prepare scanner
scanner = Scanner().withDelegate(ScanDelegate())

# scan for 5 seconds
devices = scanner.scan(5.0)

for dev in devices:
    print "Device %s (%s), RSSI=%d dB" % (dev.addr, dev.addrType, dev.rssi)
    for (adtype, desc, value) in dev.getScanData():
        print "  %s = %s" % (desc, value)

According to the documentation (mentioned at the very last as Note) --

(1) LE scanning must be run as root

That means we need to run the script with sudo. I run it as --

sudo python scan.py

Basically bluepy-helper requires sudo to scan. It is required to set the capabilities for bluepy-helper to run the code without sudo. According to the solution, I did --

sudo setcap 'cap_net_raw,cap_net_admin+eip' /usr/local/lib/python2.7/site-packages/bluepy/bluepy-helper

From the Terminal, the scan code is now run without sudo like --

python scan.py

Finally, I made a Dockerfile --

FROM arm32v7/python:2.7.15-jessie
WORKDIR /usr/app/gfi_ble
COPY . /usr/app/gfi_ble
RUN chmod 755 ./setcap_for_bluepy_helper.sh
RUN pip install -r requirements.txt
CMD ["./setcap_for_bluepy_helper.sh", "--", "python", "src/scan.py"]

The content of the setcap_for_bluepy_helper.sh is --

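#!/bin/bash
# Set the file capabilities on bluepy-helper, then run the command passed as arguments.
>&2 setcap 'cap_net_raw,cap_net_admin+eip' /usr/local/lib/python2.7/site-packages/bluepy/bluepy-helper
# exec "$@" keeps argument boundaries intact; the leading "--" only ends exec's options.
exec "$@"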

The image is created successfully but when I run the container I am getting the error like --

Creating con_gfi_ble ... done
Attaching to con_gfi_ble
con_gfi_ble | 2019-01-12 23:06:24+0000 [-] Unhandled Error
con_gfi_ble |   Traceback (most recent call last):
con_gfi_ble |     File "/usr/app/gfi_ble/src/scan.py", line 17, in new_devices
con_gfi_ble |       devices = scanner.scan(5.0)
con_gfi_ble |     File "/usr/local/lib/python2.7/site-packages/bluepy/btle.py", line 852, in scan
con_gfi_ble |       self.start(passive=passive)
con_gfi_ble |     File "/usr/local/lib/python2.7/site-packages/bluepy/btle.py", line 789, in start
con_gfi_ble |       self._startHelper(iface=self.iface)
con_gfi_ble |     File "/usr/local/lib/python2.7/site-packages/bluepy/btle.py", line 284, in _startHelper
con_gfi_ble |       preexec_fn = preexec_function)
con_gfi_ble |     File "/usr/local/lib/python2.7/subprocess.py", line 394, in __init__
con_gfi_ble |       errread, errwrite)
con_gfi_ble |     File "/usr/local/lib/python2.7/subprocess.py", line 1047, in _execute_child
con_gfi_ble |       raise child_exception
con_gfi_ble |   exceptions.OSError: [Errno 1] Operation not permitted
con_gfi_ble | 

Question: What does exceptions.OSError: [Errno 1] Operation not permitted mean?

My code is fine when I run it from Terminal. What's wrong with the container? Any ideas?

Docker containers run with reduced capabilities. This prevents root inside a container from escaping the container by running kernel commands without namespaces, and accessing parts of the host outside of the container, like raw network interfaces or physical devices. You need to add capabilities to the container externally if you need them, but understand this reduces the security provided by docker's default settings.

From docker run, this looks like:

docker run --cap-add=NET_ADMIN --cap-add=NET_RAW ...

https://docs.docker.com/engine/reference/run/#runtime-privilege-and-linux-capabilities

In a compose file, this looks like:

version: '2'

services:
  app:
    image: your_image
    cap_add:
      - NET_ADMIN
      - NET_RAW

Ref: https://docs.docker.com/compose/compose-file/

This will not work with swarm mode. Work is ongoing for adding the ability to run commands with added capabilities within swarm mode. There are ugly workarounds if you need this.

Note that you should not be running sudo inside of a container. Doing so means everything has access to promote itself to root and defeats the purpose of running anything as a user. Instead you should start the container as root and drop to a regular user as soon as possible, which is a one-way operation.
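Added example (not part of the original question or answer): a check to run inside the container that reads the process's capability bounding set from /proc/self/status and reports whether NET_ADMIN and NET_RAW, the two capabilities the question grants to bluepy-helper with setcap, are available. The function names and the two sample status texts are constructed for illustration; the bit numbers are those of CAP_NET_ADMIN and CAP_NET_RAW in linux/capability.h.

```python
"""Report which capabilities needed by bluepy-helper are missing from the bounding set."""

# Capability bit numbers from <linux/capability.h>
CAP_BITS = {"NET_ADMIN": 12, "NET_RAW": 13}

# Constructed samples of the Cap* lines in /proc/<pid>/status:
# a bounding set without NET_ADMIN, and the same set with bit 12 added.
WITHOUT_CAP_ADD = (
    "Name:\tpython\n"
    "CapPrm:\t00000000a80425fb\n"
    "CapEff:\t00000000a80425fb\n"
    "CapBnd:\t00000000a80425fb\n"
)
WITH_CAP_ADD = WITHOUT_CAP_ADD.replace("a80425fb", "a80435fb")


def parse_cap_sets(status_text):
    """Return the Cap* fields of a /proc/<pid>/status text as {name: int bitmask}."""
    sets = {}
    for line in status_text.splitlines():
        key, _, value = line.partition(":")
        if key.startswith("Cap"):
            sets[key] = int(value.strip(), 16)
    return sets


def missing_caps(status_text, needed=("NET_ADMIN", "NET_RAW"), cap_set="CapBnd"):
    """List the needed capabilities that are absent from the chosen set."""
    mask = parse_cap_sets(status_text)[cap_set]
    return [name for name in needed if not (mask >> CAP_BITS[name]) & 1]


if __name__ == "__main__":
    # Inside the container: inspect the current process.
    with open("/proc/self/status") as fh:
        missing = missing_caps(fh.read())
    if missing:
        # A capability outside the bounding set cannot be gained from file
        # capabilities, so setcap on the helper cannot supply it.
        flags = " ".join("--cap-add=" + name for name in missing)
        print("Missing from bounding set: %s (docker run %s ...)" % (", ".join(missing), flags))
    else:
        print("NET_ADMIN and NET_RAW are both in the bounding set")
```

The script runs unchanged under the Python 2.7 image used in the question and under Python 3.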
