Running a Docker container from scratch #66

Open

gemfield opened this issue Dec 8, 2024 · 1 comment

Comments

gemfield (Contributor) commented Dec 8, 2024

Install Docker

Using Ubuntu as the example:

1. Set up the apt repository

```shell
# Add Docker's official GPG key:
sudo apt-get update
sudo apt-get install ca-certificates curl
sudo install -m 0755 -d /etc/apt/keyrings
sudo curl -fsSL https://download.docker.com/linux/ubuntu/gpg -o /etc/apt/keyrings/docker.asc
sudo chmod a+r /etc/apt/keyrings/docker.asc

# Add the repository to Apt sources:
echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu \
  $(. /etc/os-release && echo "$VERSION_CODENAME") stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
sudo apt-get update
```

2. Install

```shell
sudo apt-get install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
```

3. Check that the installation succeeded

```shell
sudo docker run hello-world
```

gemfield (Contributor, Author) commented Dec 8, 2024

Permissions

  • --cap-add adds Linux capabilities
  • --cap-drop removes Linux capabilities
  • --privileged extends more privileges to the container; with this flag, the container can access every device on the host
  • --device=[] allows the container to access specific devices without the --privileged flag

More specifically, the --privileged flag grants the container all of the following:

  • Enables all Linux kernel capabilities
  • Disables the default seccomp profile
  • Disables the default AppArmor profile
  • Disables the SELinux process label
  • Grants access to all host devices
  • Makes /sys read-write
  • Makes cgroups mounts read-write

Instead of using --privileged, this nuclear-weapon-grade flag, we can use --cap-add to fine-tune capabilities. But before learning which capabilities can be added, we need to know which capabilities a container already has by default once it is running, as listed below:

  • AUDIT_WRITE Write records to kernel auditing log.
  • CHOWN Make arbitrary changes to file UIDs and GIDs
  • DAC_OVERRIDE Bypass file read, write, and execute permission checks.
  • FOWNER Bypass permission checks on operations that normally require the file system UID of the process to match the UID of the file.
  • FSETID Don't clear set-user-ID and set-group-ID permission bits when a file is modified.
  • KILL Bypass permission checks for sending signals.
  • MKNOD Create special files using mknod(2).
  • NET_BIND_SERVICE Bind a socket to internet domain privileged ports (port numbers less than 1024).
  • NET_RAW Use RAW and PACKET sockets.
  • SETFCAP Set file capabilities.
  • SETGID Make arbitrary manipulations of process GIDs and supplementary GID list.
  • SETPCAP Modify process capabilities.
  • SETUID Make arbitrary manipulations of process UIDs.
  • SYS_CHROOT Use chroot(2), change root directory.
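
As an added example (not from the issue or the Docker project), here is a Python helper that decodes the CapEff mask a process shows in /proc/<pid>/status into the capability names listed above and models what a combination of --privileged, --cap-add and --cap-drop leaves a container with, so that any grant beyond the default set stands out. The sample status line is constructed, and the precedence modelled (drops applied to the default set first, then adds) is an assumption.

```python
# Added example (not from the issue). Bit numbers follow linux/capability.h;
# the default set is the 14 names listed above. Precedence is an assumption.
CAP_NAMES = (  # index = capability bit number (CAP_CHOWN is bit 0)
    "CHOWN DAC_OVERRIDE DAC_READ_SEARCH FOWNER FSETID KILL SETGID SETUID "
    "SETPCAP LINUX_IMMUTABLE NET_BIND_SERVICE NET_BROADCAST NET_ADMIN NET_RAW "
    "IPC_LOCK IPC_OWNER SYS_MODULE SYS_RAWIO SYS_CHROOT SYS_PTRACE SYS_PACCT "
    "SYS_ADMIN SYS_BOOT SYS_NICE SYS_RESOURCE SYS_TIME SYS_TTY_CONFIG MKNOD "
    "LEASE AUDIT_WRITE AUDIT_CONTROL SETFCAP MAC_OVERRIDE MAC_ADMIN SYSLOG "
    "WAKE_ALARM BLOCK_SUSPEND AUDIT_READ PERFMON BPF CHECKPOINT_RESTORE"
).split()
DOCKER_DEFAULT_CAPS = frozenset(  # what an unprivileged container gets by default
    "AUDIT_WRITE CHOWN DAC_OVERRIDE FOWNER FSETID KILL MKNOD NET_BIND_SERVICE "
    "NET_RAW SETFCAP SETGID SETPCAP SETUID SYS_CHROOT".split()
)
# Constructed sample of the CapEff line a default container shows.
SAMPLE_STATUS = "Name:\tsh\nCapInh:\t0000000000000000\nCapEff:\t00000000a80425fb\n"

def decode_cap_mask(hex_mask: str) -> frozenset:
    """Turn a CapEff/CapBnd hex value from /proc/<pid>/status into names."""
    mask = int(hex_mask, 16)
    return frozenset(n for i, n in enumerate(CAP_NAMES) if mask >> i & 1)

def capeff_from_status(status_text: str) -> frozenset:
    """Find the CapEff line in a /proc/<pid>/status dump and decode it."""
    for line in status_text.splitlines():
        if line.startswith("CapEff:"):
            return decode_cap_mask(line.split(":", 1)[1].strip())
    raise ValueError("no CapEff line in status text")

def _normalize(names) -> set:
    """Accept CAP_SYS_ADMIN / sys_admin / ALL; reject names the kernel lacks."""
    out = {n.upper().removeprefix("CAP_") for n in names}
    unknown = out - set(CAP_NAMES) - {"ALL"}
    if unknown:
        raise ValueError(f"unknown capabilities: {sorted(unknown)}")
    return out

def effective_caps(cap_add=(), cap_drop=(), privileged=False) -> frozenset:
    """Capabilities left after docker run flags: --privileged grants all;
    otherwise --cap-drop is applied to the default set, then --cap-add."""
    if privileged:
        return frozenset(CAP_NAMES)
    add, drop = _normalize(cap_add), _normalize(cap_drop)
    caps = set() if "ALL" in drop else set(DOCKER_DEFAULT_CAPS) - drop
    caps |= set(CAP_NAMES) if "ALL" in add else add
    return frozenset(caps)

def beyond_default(caps) -> frozenset:
    """Grants Docker would not make on its own; a non-empty result needs review."""
    return frozenset(caps) - DOCKER_DEFAULT_CAPS
```

Inside a running container, `grep CapEff /proc/self/status` produces the line to feed to capeff_from_status; on hosts with libcap installed, `capsh --decode=<mask>` performs the same decoding.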
