How do I identify if a runc container is running as privileged?
Regardless of whether docker/crio/containerd started the container, is there a way to tell if the runc container is running as a privileged one?

docker inspect does show privilegedness, but I want to find out at the runc layer.
The state and the configuration of every runc container may be obtained from the $ROOT_DIR/$CONTAINER_ID/state.json file, where $ROOT_DIR is a root directory for a group of containers (usually managed by a specific higher-level runtime like Docker). For example, on my machine Docker uses the root dir /run/docker/runtime-runc/moby, thus I can find the runc-level configuration of some container as follows:
# jq .config /run/docker/runtime-runc/moby/$CONTAINER_ID/state.json
{
"no_pivot_root": false,
"parent_death_signal": 0,
"rootfs": "/var/lib/docker/overlay2/<CONTAINER_ID>/merged",
"readonlyfs": false,
...
}
You can easily find out that this file does not contain fields like privileged. A quick search through the runc source code shows that it does not have a notion of a privileged container, i.e. this is an abstraction from the higher levels. This means, in turn, that there is no simple way to determine, from the runc level, whether the container was started as a privileged one or not.

However, it is still possible to say whether the container has the same privileges as those which are granted by the --privileged argument at the Docker level: the state.json file contains a list of capabilities granted to the container, a list of device nodes available to the container, the seccomp mode and so on. From a practical standpoint, it is unwise to waste your time on checking all these settings, so it is better just to look at docker inspect.
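As an added example (not part of the original question or answer), the following Python script reads a runc state.json and reports the settings that Docker's --privileged flag changes at the runc level: the capability bounding set, the seccomp profile, the masked and read-only paths, and the device nodes. The field names it reads ("config", "capabilities" with its "Bounding" list, "seccomp", "mask_paths", "readonly_paths", "devices" with "path") are my reading of how libcontainer serialises its config and should be checked against your runc version; the three state.json documents embedded in the script are constructed samples, not real captures.

```python
"""Report --privileged-like settings in a runc state.json.

Added example; not code from the original post or from runc. Field names
follow libcontainer's serialised config as I read it and are assumptions
to verify against the runc version in use.
"""
import json
import sys
from typing import Any

# Capabilities Docker grants to a non-privileged container by default.
DOCKER_DEFAULT_CAPS = {
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_FSETID", "CAP_FOWNER", "CAP_MKNOD",
    "CAP_NET_RAW", "CAP_SETGID", "CAP_SETUID", "CAP_SETFCAP", "CAP_SETPCAP",
    "CAP_NET_BIND_SERVICE", "CAP_SYS_CHROOT", "CAP_KILL", "CAP_AUDIT_WRITE",
}
# Capabilities that on their own defeat most of the container boundary.
DANGEROUS_CAPS = {"CAP_SYS_ADMIN", "CAP_SYS_MODULE", "CAP_SYS_PTRACE", "CAP_SYS_RAWIO"}
# Device nodes a non-privileged container normally gets (assumed default set).
DEFAULT_DEVICE_PATHS = {"/dev/null", "/dev/zero", "/dev/full", "/dev/random",
                        "/dev/urandom", "/dev/tty"}


def privilege_indicators(state: dict[str, Any]) -> dict[str, bool]:
    """Per-setting booleans read from a parsed state.json ("config" sub-object)."""
    config = state.get("config") or {}
    caps = config.get("capabilities") or {}
    bounding = set(caps.get("Bounding") or [])
    device_paths = {d.get("path", "") for d in (config.get("devices") or [])}
    return {
        "caps_beyond_docker_default": not bounding <= DOCKER_DEFAULT_CAPS,
        "dangerous_caps": bool(bounding & DANGEROUS_CAPS),
        "no_seccomp": config.get("seccomp") is None,        # null == unconfined
        "no_masked_paths": not config.get("mask_paths"),    # /proc/kcore etc. visible
        "no_readonly_paths": not config.get("readonly_paths"),
        "devices_beyond_default": not device_paths <= DEFAULT_DEVICE_PATHS,
    }


def assess(state_json: str) -> dict[str, Any]:
    """Parse a state.json document and add an overall verdict to the indicators."""
    ind = privilege_indicators(json.loads(state_json))
    # --privileged means all caps, no seccomp, nothing masked and all host devices.
    # Require the three strongest signals together so that a plain
    # `--cap-add SYS_ADMIN` container is flagged but not reported as privileged.
    privileged_like = ind["dangerous_caps"] and ind["no_seccomp"] and ind["no_masked_paths"]
    return {**ind, "privileged_like": privileged_like, "indicator_count": sum(ind.values())}


# --- constructed sample documents (not real captures) -----------------------
def _state(caps, seccomp, mask, ro, devices):
    return json.dumps({"id": "sample", "config": {
        "rootfs": "/var/lib/docker/overlay2/sample/merged", "readonlyfs": False,
        "capabilities": {"Bounding": caps, "Effective": caps, "Permitted": caps},
        "seccomp": seccomp, "mask_paths": mask, "readonly_paths": ro,
        "devices": [{"path": p} for p in devices]}})

_DEFAULT_DEVS = sorted(DEFAULT_DEVICE_PATHS)
_SECCOMP = {"default_action": "errno", "syscalls": [{"names": ["read"], "action": "allow"}]}
_MASK = ["/proc/kcore", "/proc/keys", "/sys/firmware"]
_RO = ["/proc/bus", "/proc/sys"]

UNPRIVILEGED_STATE = _state(sorted(DOCKER_DEFAULT_CAPS), _SECCOMP, _MASK, _RO, _DEFAULT_DEVS)
CAP_ADD_STATE = _state(sorted(DOCKER_DEFAULT_CAPS | {"CAP_SYS_ADMIN"}), _SECCOMP, _MASK, _RO,
                       _DEFAULT_DEVS)
PRIVILEGED_STATE = _state(sorted(DOCKER_DEFAULT_CAPS | DANGEROUS_CAPS | {"CAP_NET_ADMIN"}),
                          None, [], [], _DEFAULT_DEVS + ["/dev/sda", "/dev/kmsg", "/dev/mem"])


def main(argv: list[str]) -> None:
    if len(argv) > 1:                      # real file, e.g. $ROOT_DIR/$CONTAINER_ID/state.json
        with open(argv[1], encoding="utf-8") as fh:
            print(json.dumps(assess(fh.read()), indent=2))
        return
    for name, doc in (("unprivileged", UNPRIVILEGED_STATE), ("cap-add", CAP_ADD_STATE),
                      ("privileged", PRIVILEGED_STATE)):
        print(name, json.dumps(assess(doc)))


if __name__ == "__main__":
    main(sys.argv)
```

Run it against a live container with `python3 check_state.py /run/docker/runtime-runc/moby/$CONTAINER_ID/state.json` (root is needed to read the file); with no argument it evaluates the three constructed samples. The verdict is deliberately conservative: a container with only `--cap-add SYS_ADMIN` still has seccomp and masked paths, so it shows a non-zero indicator count but is not reported as privileged-like.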
Notice: the technical posts on this site are licensed under CC BY-SA 4.0; if you repost them, please cite this site's URL or the original URL. For any questions contact: yoyou2525@163.com.