在 Ubuntu Docker 容器中运行的进程可以与主机的内核进程通信吗
[英]Can a process running inside Ubuntu Docker container communicate with Kernel process of host
问题描述
I have a process running inside the Docker container (base image - Ubuntu 18.04).
我有一个在 Docker 容器内运行的进程(基本映像 - Ubuntu 18.04)。 Is it possible to set up a Netlink socket with the Kernel process of the Host (running Ubuntu 18.04)?是否可以使用主机的内核进程(运行 Ubuntu 18.04)设置 Netlink 套接字? What are the ways to achieve this?有什么方法可以实现这一目标?
Docker Client: Version: 20.10.7 Docker 客户端:版本:20.10.7
Docker Server: Version: 20.10.7 Docker 服务器:版本:20.10.7
1 个解决方案
解决方案1
0 2022-05-26 10:33:35
Can a process running inside Ubuntu Docker container communicate with Kernel process of host
Yes.是的。 This happens all the time: all sorts of things like file and network I/O and memory allocation interact with the kernel ("syscalls"), and in Docker the kernel is always the host's kernel (on a native-Linux host).这种情况一直在发生:文件和网络 I/O 以及内存分配等各种事情都与内核交互(“系统调用”),而在 Docker 中,内核始终是主机的内核(在本机 Linux 主机上)。
Is it possible to set up a Netlink socket
Probably not.可能不是。 The Docker environment heavily manages the container's network environment and by default disables most direct management of it (via Linux capabilities ). Docker 环境对容器的网络环境进行大量管理,默认情况下禁用对它的最直接管理(通过Linux 功能)。 At least some netlink calls require CAP_NET_ADMIN which your container won't normally have.至少一些 netlink 调用需要CAP_NET_ADMIN ,而您的容器通常不会有。
In principle it's possible to grant your container additional capabilities , for example with docker run --cap-add=NET_ADMIN .原则上,可以授予容器额外的功能,例如使用docker run --cap-add=NET_ADMIN 。 But if you start disabling Docker features like this, and specifically interacting with the kernel is important to you, you might find it more straightforward to run the process directly on the host, rather than isolating it in a container and then attempting to disable the isolation.但是如果你开始禁用像这样的 Docker 功能,并且特别是与内核交互对你来说很重要,你可能会发现直接在主机上运行进程更直接,而不是在容器中隔离它然后尝试禁用隔离.
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.