The tool dmidecode relies on /dev/mem. However, most Docker containers do not have /dev/mem attached during container spawning. Therefore, most containers do not have /dev/mem. mknod can create the character special file /dev/mem inside the container. Furthermore, I can dump my computer's SMBIOS into a binary file. I also did a quick search on Google and saw that mmap is possible between a special character file and a normal file.
Can dmidecode inside the container be fooled in this way? I ask to better understand and add context to this idea, although the core ingredients seem to be all present.
So the question is: Can we hijack the container's /dev/mem by feeding it a binary dump of the host's SMBIOS? Thank you.
It looks like I misread your question. I'm still not sure why you're looking to mmap, though, because you can accomplish what I think you're asking without that.
That is, if I create a dump of /dev/mem on my host:
sudo dd if=/dev/mem of=/tmp/mem.dump
Then I can bind mount that into a container:
docker run -it --rm -v /tmp/mem.dump:/dev/mem alpine sh
And run something like dmidecode inside the container:
/ # dmidecode
# dmidecode 3.2
Scanning /dev/mem for entry point.
SMBIOS 2.7 present.
90 structures occupying 4101 bytes.
Table at 0x000EC470.
Handle 0xDA00, DMI type 218, 251 bytes
...
And in fact you can just copy the file into place:
/ # dmidecode
# dmidecode 3.2
Scanning /dev/mem for entry point.
/dev/mem: No such file or directory
/ # cp /tmp/mem.dump /dev/mem
/ # dmidecode
# dmidecode 3.2
Scanning /dev/mem for entry point.
SMBIOS 2.7 present.
90 structures occupying 4101 bytes.
Table at 0x000EC470.
Handle 0xDA00, DMI type 218, 251 bytes
...
You map devices into a container using the --device option to docker run. So a first stab at getting dmidecode to work in a container would look something like:
docker run -it --rm --device /dev/mem alpine sh
But this will fail:
/ # dmidecode
# dmidecode 3.2
Scanning /dev/mem for entry point.
/dev/mem: Operation not permitted
Access to /dev/mem is a privileged operation, and by default Docker restricts the privileges available to a container for reasons of security. You can disable those restrictions by passing the --privileged flag:
docker run -it --rm --device /dev/mem --privileged alpine sh
With the addition of --privileged, dmidecode works as expected:
/ # dmidecode
# dmidecode 3.2
Getting SMBIOS data from sysfs.
SMBIOS 2.7 present.
90 structures occupying 4101 bytes.
Table at 0x000EC470.
Handle 0xDA00, DMI type 218, 251 bytes
OEM-specific Type
...
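Added example, not part of the original question or answers: because dmidecode accepts a regular file at /dev/mem, hardware identity reported inside a container is only as trustworthy as that node. The sketch below checks whether a path is the kernel's memory device (character device, major 1, minor 1) and performs a simplified version of the "Scanning /dev/mem for entry point" step for the 32-bit SMBIOS entry point; the function names, the offset of the entry point and the sample region are constructed for illustration, using the version, table address and counts from the output above.

```python
import os
import stat
import struct

SCAN_BASE, SCAN_LEN = 0xF0000, 0x10000  # legacy BIOS area searched for the anchor

def is_real_dev_mem(path="/dev/mem"):
    """True only if path is the kernel memory device, not a bind-mounted or copied file."""
    st = os.stat(path)
    return stat.S_ISCHR(st.st_mode) and \
        (os.major(st.st_rdev), os.minor(st.st_rdev)) == (1, 1)

def find_smbios_entry(region, base=SCAN_BASE):
    """Scan 16-byte boundaries for a checksum-valid 32-bit SMBIOS entry point."""
    for off in range(0, len(region) - 0x1F + 1, 16):
        ep = region[off:off + 0x1F]
        if ep[:4] != b"_SM_" or ep[0x10:0x15] != b"_DMI_" or ep[5] != 0x1F:
            continue  # anchors or spec length (0x1F) do not match
        if sum(ep) & 0xFF or sum(ep[0x10:0x1F]) & 0xFF:
            continue  # both checksums must sum to zero modulo 256
        table_len, table_addr, count = struct.unpack_from("<HIH", ep, 0x16)
        return {"entry_addr": base + off, "version": (ep[6], ep[7]),
                "table_len": table_len, "table_addr": table_addr, "count": count}
    return None

def build_sample_region():
    """Constructed sample: 64 KiB of zeros holding one entry point at 0xF04C0."""
    ep = bytearray(0x1F)
    ep[0:4] = b"_SM_"
    ep[5], ep[6], ep[7] = 0x1F, 2, 7              # length, SMBIOS 2.7
    ep[0x10:0x15] = b"_DMI_"
    struct.pack_into("<HIH", ep, 0x16, 4101, 0x000EC470, 90)
    ep[0x15] = -sum(ep[0x10:0x1F]) & 0xFF         # intermediate checksum
    ep[4] = -sum(ep) & 0xFF                       # entry point checksum
    region = bytearray(SCAN_LEN)
    region[0x4C0:0x4C0 + 0x1F] = ep
    return bytes(region)

if __name__ == "__main__":
    print(find_smbios_entry(build_sample_region()))
    if os.path.exists("/dev/mem"):
        print("real /dev/mem device:", is_real_dev_mem())
```

Nothing in the entry point ties the data to the machine it is read on, so a valid parse says only that the bytes are well formed; the device-node check is what distinguishes the bind-mounted or copied dump from the real device.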