[英]Unable to execute binary file in Docker container (“Operation not permitted”)
我正在構建一個Docker容器(基於RHEL),該容器包含來自第三方存儲庫的自定義二進制文件。 在容器中執行二進制文件時,我收到一個Operation not permitted
描述的錯誤:“ Operation not permitted
”。
Dockerfile非常簡單。
FROM dockerregistry.example.com/rhel7:latest
RUN yum -y install \
curl \
custom-package && \
curl -Lsq https://github.com/Yelp/dumb-init/releases/download/v1.2.0/dumb-init_1.2.0_amd64 > /sbin/dumb-init && \
chmod 755 /sbin/dumb-init && \
yum clean all
ADD custom-package.conf /etc/custom-package/custom-package.conf
ENTRYPOINT ["/sbin/dumb-init", "--"]
CMD ["/usr/local/custom-package/bin/custom-package", "--config", "/etc/custom-package/custom-package.conf"]
我使用以下命令在工作站上構建並輸入容器。
$ docker build -t custom-package:v1 .
$ docker run --security-opt seccomp:unconfined -d custom-package:v1 tail -f /dev/null
$ docker exec -it <image ID> /bin/bash
進入圖像后,如果嘗試執行二進制文件,則會收到極其無用的錯誤。 運行strace
也會產生令人困惑的輸出。 在檢查文件權限和元數據時,看起來不錯。
# /usr/local/telegraf/bin/telegraf
bash: /usr/local/telegraf/bin/telegraf: Operation not permitted
# strace -f /usr/local/telegraf/bin/telegraf
execve("/usr/local/telegraf/bin/telegraf", ["/usr/local/telegraf/bin/telegraf"], [/* 17 vars */]) = -1 EPERM (Operation not permitted)
write(2, "strace: exec: Operation not perm"..., 38strace: exec: Operation not permitted
) = 38
exit_group(1) = ?
+++ exited with 1 +++
# ls -l /usr/local/telegraf/bin/telegraf
-rwxr-xr-x 1 telegraf telegraf 38664736 Jun 3 15:41 /usr/local/telegraf/bin/telegraf
# getcap -v /usr/local/telegraf/bin/telegraf
/usr/local/telegraf/bin/telegraf = cap_sys_rawio+ep
我無法收集足夠的信息來調試我的容器,以及為什么可執行二進制文件不起作用。 是否有什么地方出了錯,或者是為什么我會收到這樣的無用錯誤?
謝謝!
SYS_RAWIO功能需要--privileged
選項才能訪問設備。 參見功能(7)。
http://man7.org/linux/man-pages/man7/capabilities.7.html
CAP_SYS_RAWIO
* Perform I/O port operations (iopl(2) and ioperm(2));
* access /proc/kcore;
* employ the FIBMAP ioctl(2) operation;
* open devices for accessing x86 model-specific registers (MSRs, see msr(4))
* update /proc/sys/vm/mmap_min_addr;
* create memory mappings at addresses below the value specified by /proc/sys/vm/mmap_min_addr;
* map files in /proc/bus/pci;
* open /dev/mem and /dev/kmem;
* perform various SCSI device commands;
* perform certain operations on hpsa(4) and cciss(4) devices;
* perform a range of device-specific operations on other devices.
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.