堆栈内存溢出
  简体   繁体   English

以非 root 用户身份在 Docker 容器内运行 tcpdump

[英]Running tcpdump inside a Docker container as non-root user

 原文  2022-11-14 12:48:40       linux/ docker/ tcpdump

问题描述

I want to build a Docker image containing tcpdump.我想构建一个包含 tcpdump 的 Docker 图像。 That Docker image runs an application that needs to call tcpdump, but it should not run as root all the time, for obvious security reasons.那个 Docker 图像运行一个需要调用 tcpdump 的应用程序,但出于明显的安全原因,它不应该一直以root身份运行。 Instead, the non-root user should be able to run tcpdump directly.相反,非 root 用户应该能够直接运行 tcpdump。

Assuming the following Dockerfile:假设以下 Dockerfile:

FROM debian:bullseye

ENV DEBIAN_FRONTEND noninteractive

RUN apt-get update -qq \
  && apt-get install -y \
  libcap2 \
  libcap2-bin \
  tcpdump \
  && apt-get clean -y && apt-get autoremove -y \
  && rm -rf /var/lib/apt/lists/*

RUN addgroup --system --gid 1001 user
RUN adduser --system --uid 1001 user --shell /bin/bash

RUN groupadd pcap && usermod -a -G pcap user \
  && chgrp pcap /usr/bin/tcpdump \
  && chmod 750 /usr/bin/tcpdump \
  && setcap cap_net_raw,cap_net_admin=eip /usr/bin/tcpdump

USER user

ENTRYPOINT ["/usr/bin/tcpdump"]

When I run the image:当我运行图像时:

docker build -t tcpdump:latest .
docker run --rm -it tcpdump

… it fails with: ......它失败了:

exec /usr/bin/tcpdump: operation not permitted exec /usr/bin/tcpdump: 不允许操作

Someone else has raised this issue here but without a response.其他人在这里提出了这个问题,但没有得到回应。

What can I do to make this work?我该怎么做才能完成这项工作?

Note that in regular installations it is not recommended to modify the permissions and group ownership of /usr/bin/tcpdump , as that could be overwritten by system package upgrades.请注意,在常规安装中,不建议修改/usr/bin/tcpdump的权限和组所有权,因为这可能会被系统 package 升级覆盖。 However, since the container image is immutable, this does not apply here.但是,由于容器镜像是不可变的,所以这里不适用。

1 个解决方案

解决方案1
 1 已采纳  2022-11-14 12:48:40

The problem is that the Docker container itself is missing the required capabilities to run tcpdump .问题是 Docker 容器本身缺少运行tcpdump 所需的功能

You can add those capabilities by adding the --privileged option to the docker run command, or, even better, only add the capabilities strictly needed:您可以通过将--privileged选项添加到docker run命令来添加这些功能,或者更好的是,只添加严格需要的功能:

$ docker run --rm --cap-add=NET_ADMIN --cap-add=NET_RAW  -it tcpdump
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
^C12:47:29.433403 IP6 :: > ff02::16: HBH ICMP6, multicast listener report v2, 1 group record(s), length 28

1 packet captured
6 packets received by filter
0 packets dropped by kernel

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 在 Ubuntu Docker 容器内运行非 root Docker - Running non-root Docker within Ubuntu Docker container 在Docker上以非root用户身份运行JAR时出现权限错误 - Permission error running a JAR as non-root user on Docker 将 Docker 镜像中的用户切换为非 root 用户 - Switching users inside Docker image to a non-root user 你能否以root身份在Docker容器内启动进程,而exec调用的默认用户是非root用户? - Can you start a process inside a Docker container as root, while having the default user of an exec call be non-root? 如何以非root用户身份运行Docker容器以及如何与他人共享Docker映像? - How to run docker container as non-root user and how to share the docker image to others? 在Docker容器中以非root身份运行nginx会给出权限被拒绝错误 - Running nginx as non-root in Docker container gives permission denied error 以非root用户身份启动容器与以root用户身份启动然后降级为非root用户身份 - Starting container as a non-root user vs starting as root and then downgrade to non-root 在 Cirrus/Kubernetes 环境中以特定的非 root 用户身份运行 Docker 容器 - Run Docker container in Cirrus/Kubernetes environment as specific non-root user 允许容器的非根用户执行需要功能的二进制文件 - Allow non-root user of container to execute binaries that need capabilities 让非root用户写入Docker中的linux主机 - Let non-root user write to linux host in Docker
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM