
How do I identify if a runc container is running as privileged?

Regardless of docker/crio/containerd starting the container, is there a way to understand if the runc container is running as a privileged one?

docker inspect does show privilegedness, but I want to find out at the runc layer.

The state and the configuration of every runc container may be obtained from the $ROOT_DIR/$CONTAINER_ID/state.json file, where $ROOT_DIR is a root directory for a group of containers (usually managed by a specific higher-level runtime like Docker). For example, on my machine Docker uses the root dir /run/docker/runtime-runc/moby, thus I can find the runc-level configuration of some container as follows:

# jq .config /run/docker/runtime-runc/moby/$CONTAINER_ID/state.json
{
  "no_pivot_root": false,
  "parent_death_signal": 0,
  "rootfs": "/var/lib/docker/overlay2/<CONTAINER_ID>/merged",
  "readonlyfs": false,
...
}

You can easily find out that this file does not contain fields like privileged. A quick search through the runc source code shows that it does not have a notion of a privileged container, i.e. this is an abstraction from the higher levels. This means, in turn, that there is no simple way to determine, from the runc level, whether the container was started as a privileged one or not.

However, it is still possible to say whether the container has the same privileges as those granted by the --privileged argument at the Docker level: the state.json file contains a list of capabilities granted to the container; a list of device nodes available to the container; the seccomp mode; and so on. From a practical standpoint, it is unwise to waste your time on checking all these settings, so it is better just to look at docker inspect.
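The checks the answer lists (capabilities, device nodes, seccomp mode, masked paths) can be automated over the config object of a state.json. The following is an added example, not code from the original answer or from runc itself; the sample config is constructed, and the field names ("capabilities", "seccomp", "mask_paths", "readonly_paths", "devices") are assumed from runc's libcontainer config JSON tags and should be verified against the runc version in use.

```python
import json

# Constructed sample of the "config" object of a runc state.json (not a real
# capture). Field names are assumed from runc's libcontainer config JSON tags;
# verify them against the runc version you run.
SAMPLE_CONFIG = json.loads("""
{
  "rootfs": "/var/lib/docker/overlay2/<CONTAINER_ID>/merged",
  "readonlyfs": false,
  "capabilities": {
    "bounding": ["CAP_CHOWN", "CAP_SYS_ADMIN", "CAP_SYS_MODULE",
                 "CAP_SYS_RAWIO", "CAP_NET_ADMIN", "CAP_SYS_PTRACE"],
    "effective": ["CAP_CHOWN", "CAP_SYS_ADMIN", "CAP_SYS_MODULE",
                  "CAP_SYS_RAWIO", "CAP_NET_ADMIN", "CAP_SYS_PTRACE"]
  },
  "seccomp": null,
  "mask_paths": [],
  "readonly_paths": [],
  "devices": [{"path": "/dev/sda"}, {"path": "/dev/mem"}]
}
""")

# Capabilities that a default (non-privileged) Docker container does not get.
# Their joint presence in the bounding set is the strongest single indicator
# that the container was launched with privileged-equivalent settings.
SENSITIVE_CAPS = {"CAP_SYS_ADMIN", "CAP_SYS_MODULE", "CAP_SYS_RAWIO",
                  "CAP_NET_ADMIN", "CAP_SYS_PTRACE"}


def assess_privilege(config):
    """Return individual findings plus an overall privileged-equivalent verdict."""
    caps = config.get("capabilities") or {}
    bounding = set(caps.get("bounding") or [])
    findings = {
        "sensitive_caps_in_bounding": SENSITIVE_CAPS <= bounding,
        "seccomp_unconfined": config.get("seccomp") is None,
        "no_masked_paths": not config.get("mask_paths"),
        "no_readonly_paths": not config.get("readonly_paths"),
        "device_node_count": len(config.get("devices") or []),
    }
    # Only call it privileged-equivalent when every hardening layer is absent
    # at once; a single relaxed setting is a finding, not a verdict.
    findings["privileged_equivalent"] = all(
        findings[k] for k in ("sensitive_caps_in_bounding", "seccomp_unconfined",
                              "no_masked_paths", "no_readonly_paths"))
    return findings


def assess_state_file(path):
    """Load $ROOT_DIR/$CONTAINER_ID/state.json and assess its config object."""
    with open(path) as fh:
        return assess_privilege(json.load(fh)["config"])
```

Run it against /run/docker/runtime-runc/moby/$CONTAINER_ID/state.json (root required) to get a per-setting breakdown rather than a bare yes/no.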
