简体繁体 English

如何限制 docker.network 的使用？

[英]How to limit docker network usage?

原文 2020-10-07 11:04:37 4 2 docker/ docker-networking

I am looking for a way to limit the access of "host" as.network for running a Docker image.我正在寻找一种方法来限制“主机”as.network 的访问以运行 Docker 图像。 I have been searching for a couple of days but could not find a solution.我一直在寻找几天，但找不到解决方案。 Is there a way to limit the.network access for the Docker users?有没有办法限制 Docker 用户的网络访问？

eg deleting the host option and always using bridge as.network so when you call sudo docker.network ls the outputs would only be bridge and none例如删除主机选项并始终使用 bridge as.network 所以当你调用sudo docker.network ls时输出只会是 bridge 而不是

Or any other way for preventing using host.或任何其他防止使用主机的方法。

2 个解决方案

In general, if you can run any docker command at all, you have unlimited access to everything Docker can do, and through that, unlimited root-level access to the host system.一般来说，如果你可以运行任何docker命令，你就可以无限制地访问 Docker 可以做的一切，并且通过它，可以无限制地访问主机系统的根级别。 There is no (built-in) way to limit Docker functionality or prevent specific docker run options.没有（内置）方法来限制 Docker 功能或阻止特定docker run选项。

In principle it would be possible to write some sort of HTTP proxy that passed through the Docker HTTP API but restricted certain options (for example, returned an HTTP 401 status code with a correctly-formatted JSON error if a "create a container" HTTP POST request included a disallowed NetworkMode value). In principle it would be possible to write some sort of HTTP proxy that passed through the Docker HTTP API but restricted certain options (for example, returned an HTTP 401 status code with a correctly-formatted JSON error if a "create a container" HTTP POST请求包含不允许的NetworkMode值）。 Implementing that would be a substantial project in itself and beyond the scope of a Stack Overflow answer.实施这本身就是一个重要的项目，并且超出了 Stack Overflow 答案的 scope。

So I found a solution (an alternative) to my question I thought it might help other people with the same issue.所以我找到了我的问题的解决方案（替代方案），我认为它可能会帮助其他人解决同样的问题。 If you are trying to use docker on a public server and you don not want to give people the possibility to use the.network hosting (it is basically the same as being the root user) you can use "Singularity".如果您尝试在公共服务器上使用 docker 并且您不想让人们有可能使用 .network 托管（它基本上与根用户相同），您可以使用“Singularity”。 I have tried it and it works like a charm.我试过了，效果很好。 The only thing that takes time is that you can not build your docker files in the singularity environment so you have to build them locally, push them to your docker-repo and pull them through your singularity environment on the server.唯一需要时间的是你不能在奇点环境中构建你的 docker 文件，所以你必须在本地构建它们，将它们推送到你的 docker-repo 并通过服务器上的奇点环境拉取它们。 It might help sys-admins who want to keep the privacy of the server while giving people the flexibility of working with docker.它可能会帮助希望保持服务器隐私的系统管理员，同时让人们可以灵活地使用 docker。