Running tcpdump inside a Docker container as non-root user
I want to build a Docker image containing tcpdump. That Docker image runs an application that needs to call tcpdump, but it should not run as root all the time, for obvious security reasons. Instead, the non-root user should be able to run tcpdump directly.
Assuming the following Dockerfile:
FROM debian:bullseye
ENV DEBIAN_FRONTEND noninteractive
RUN apt-get update -qq \
&& apt-get install -y \
libcap2 \
libcap2-bin \
tcpdump \
&& apt-get clean -y && apt-get autoremove -y \
&& rm -rf /var/lib/apt/lists/*
RUN addgroup --system --gid 1001 user
RUN adduser --system --uid 1001 user --shell /bin/bash
RUN groupadd pcap && usermod -a -G pcap user \
&& chgrp pcap /usr/bin/tcpdump \
&& chmod 750 /usr/bin/tcpdump \
&& setcap cap_net_raw,cap_net_admin=eip /usr/bin/tcpdump
USER user
ENTRYPOINT ["/usr/bin/tcpdump"]
When I run the image:
docker build -t tcpdump:latest .
docker run --rm -it tcpdump
… it fails with:
exec /usr/bin/tcpdump: operation not permitted
Someone else has raised this issue here but without a response.
What can I do to make this work?
Note that in regular installations it is not recommended to modify the permissions and group ownership of /usr/bin/tcpdump, as that could be overwritten by system package upgrades. However, since the container image is immutable, this does not apply here.
The problem is that the Docker container itself is missing the required capabilities to run tcpdump.
You can add those capabilities by adding the --privileged option to the docker run command, or, even better, only add the capabilities strictly needed:
$ docker run --rm --cap-add=NET_ADMIN --cap-add=NET_RAW -it tcpdump
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
^C12:47:29.433403 IP6 :: > ff02::16: HBH ICMP6, multicast listener report v2, 1 group record(s), length 28
1 packet captured
6 packets received by filter
0 packets dropped by kernel
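The following script is an added example, not part of the question or the answer above. It makes the failure mode concrete: the Dockerfile gives /usr/bin/tcpdump the file capabilities cap_net_raw,cap_net_admin=eip, and at exec time the kernel can only grant a file capability that is also in the process's bounding set (CapBnd in /proc/<pid>/status). Because the effective flag is set on those file capabilities, the kernel refuses the exec with EPERM ("operation not permitted") when any of them cannot be granted, which is exactly what happens when NET_ADMIN is absent from the container's default bounding set. The script decodes a CapBnd mask with POSIX shell arithmetic and reports which of the two capabilities a process with that mask lacks; the two sample masks (Docker's default set, and the same set plus CAP_NET_ADMIN) are constructed for the demonstration, and the capability bit numbers are the kernel's.

```shell
#!/bin/sh
# Added example, not part of the original question or answer.
# Decodes a capability bounding set (the CapBnd line of /proc/<pid>/status) and
# reports whether the capabilities that tcpdump's file capabilities require
# (cap_net_raw,cap_net_admin=eip in the Dockerfile) could be granted at exec.
# Bit numbers are the kernel's: CAP_NET_ADMIN = 12, CAP_NET_RAW = 13.

CAP_NET_ADMIN=12
CAP_NET_RAW=13

# cap_in_mask HEXMASK BIT: succeed if capability number BIT is set in the
# 64-bit hexadecimal mask HEXMASK (the format the kernel prints for CapBnd).
cap_in_mask() {
    _mask=$1 _bit=$2
    while [ ${#_mask} -lt 16 ]; do _mask=0$_mask; done   # pad to 16 hex digits
    _high=${_mask%????????}          # upper 32 bits
    _low=${_mask#"$_high"}           # lower 32 bits
    if [ "$_bit" -ge 32 ]; then
        _word=$_high; _bit=$((_bit - 32))
    else
        _word=$_low
    fi
    # Working on 32-bit words keeps the arithmetic inside any POSIX shell's range.
    [ $(( (0x$_word >> $_bit) & 1 )) -eq 1 ]
}

# missing_caps HEXMASK NAME=BIT...: print the names from the list that are NOT
# in the mask (one line, space separated); succeed only if none are missing.
missing_caps() {
    _m=$1; shift
    _missing=""
    for _entry in "$@"; do
        _name=${_entry%%=*}
        _num=${_entry#*=}
        cap_in_mask "$_m" "$_num" || _missing="$_missing $_name"
    done
    printf '%s\n' "${_missing# }"
    [ -z "$_missing" ]
}

# current_capbnd: this shell's own bounding set, as the kernel reports it.
current_capbnd() {
    awk '/^CapBnd:/ { print $2 }' /proc/self/status
}

# report LABEL HEXMASK: say whether the setcap'd tcpdump could be exec'd
# by a process whose bounding set is HEXMASK.
report() {
    if _lack=$(missing_caps "$2" NET_ADMIN=$CAP_NET_ADMIN NET_RAW=$CAP_NET_RAW); then
        echo "$1: CapBnd=$2 grants NET_ADMIN and NET_RAW, exec of tcpdump is allowed"
    else
        echo "$1: CapBnd=$2 lacks $_lack, exec of tcpdump fails with 'operation not permitted'"
    fi
}

# Constructed sample masks: Docker's default bounding set (NET_RAW present,
# NET_ADMIN absent) and the same set after --cap-add=NET_ADMIN (bit 12 set).
DEFAULT_DOCKER_CAPBND=00000000a80425fb
WITH_NET_ADMIN_CAPBND=00000000a80435fb

report "default docker run" "$DEFAULT_DOCKER_CAPBND"
report "docker run --cap-add=NET_ADMIN" "$WITH_NET_ADMIN_CAPBND"
if [ -r /proc/self/status ]; then
    report "this shell" "$(current_capbnd)"
fi
```

Run it inside the container (for instance with an entrypoint of /bin/sh instead of tcpdump) to see the bounding set the application will actually inherit. The same check by hand is grep CapBnd /proc/self/status followed by capsh --decode=<mask>, both available from the libcap2-bin package the Dockerfile already installs; the point either way is that --cap-add only needs to cover what the setcap line on the binary asks for, so --privileged is not required.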