每次运行时将任意目录设置为 root 的 chroot 进程监狱
[英]chroot process jail with arbitrary directory set as root on each run
问题描述
I am trying to run a command that needs to be limited to one directory and is executed in a shell function from a web application.
我正在尝试运行一个需要限制在一个目录中并在 web 应用程序中的 shell function 中执行的命令。
My goal is to run that program but limit it to one directory.我的目标是运行该程序,但将其限制在一个目录中。 This directory will change each time I want to run the program and multiple instances need to be able to run on different directories at the same time.每次我想运行程序时,这个目录都会改变,并且多个实例需要能够同时在不同的目录上运行。
I have looked at chroot and it seems that a file system needs to be explicitly created each time.我看过 chroot ,似乎每次都需要显式创建一个文件系统。 I am looking for a more temporary solution that accepts the desired root directory and dose not require me to copy files all over the place or do weird mounting of things.我正在寻找一个更临时的解决方案,它接受所需的根目录并且不需要我在整个地方复制文件或做奇怪的东西安装。
1 个解决方案
解决方案1
-1 2019-11-10 06:31:50
What you most likely want is containers .您最可能想要的是容器。
A container takes milliseconds to start, and creates what is basically a complete chroot jail every time it runs.一个容器需要几毫秒的时间才能启动,并且每次运行时都会创建一个基本上是完整的 chroot 监狱。 A command like docker run --rm --volume /var/chroot/jail/whatever:/workdir ubuntu stat /workdir will run stat on the chroot jail directory, with all environment being the latest Ubuntu release.像docker run --rm --volume /var/chroot/jail/whatever:/workdir ubuntu stat /workdir的命令将在 chroot 监狱目录中运行stat ,所有环境都是最新的 Z3D945423FZ58E9496C642C 版本。6 It will then scrap the chroot jail.然后它将废弃 chroot 监狱。 Running it again will create a whole new jail.再次运行它将创建一个全新的监狱。
You will need to build your web application as a docker image on top of whatever jail you need (Ubuntu, CentOS etc.), which means adjusting your build system to create such an image.您需要在所需的任何监狱(Ubuntu、CentOS 等)之上将 web 应用程序构建为 docker 映像,这意味着调整您的构建系统以创建这样的映像
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.