Can anyone explain docker.sock
Question
I am trying to understand the actual reason for mounting docker.sock in a docker-compose.yml file. Is it for auto-discovery?
volumes:
- /var/run/docker.sock:/var/run/docker.sock
Accepted answer
docker.sock is the UNIX socket that the Docker daemon is listening on. It's the main entry point for the Docker API. It can also be a TCP socket, but for security reasons Docker defaults to using a UNIX socket.
The Docker CLI client uses this socket to execute docker commands by default. You can override these settings as well.
There might be different reasons why you may need to mount the Docker socket inside a container, like launching new containers from within another container, or for auto service discovery and logging purposes. This increases the attack surface, so if you mount the Docker socket inside a container you should be careful that only trusted code runs inside that container; otherwise you can simply compromise the host that is running the Docker daemon, since Docker by default launches all containers as root.
The Docker socket has a docker group in most installations, so users within that group can run docker commands against the Docker socket without root permission, but the actual Docker containers still get root permission since the Docker daemon effectively runs as root (it needs root permission to access namespaces and cgroups).
I hope it answers your question.
More info: https://docs.docker.com/engine/reference/commandline/dockerd/#examples
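Because a docker.sock mount hands the container full control of the daemon (and thus the host), it is worth flagging in review before a compose file is deployed. The following is an added example, not code from the original post: a dependency-free scan of a constructed docker-compose.yml that reports every service mounting the daemon socket, in both the short and the long volume syntax.

```python
import re

# Constructed sample compose file (not from the original post). It covers the
# short "host:container" syntax and the long "type/source/target" syntax.
SAMPLE_COMPOSE = """\
services:
  web:
    image: nginx
    volumes:
      - ./html:/usr/share/nginx/html:ro
  proxy:
    image: traefik
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
  agent:
    image: some-logger
    volumes:
      - type: bind
        source: /run/docker.sock
        target: /var/run/docker.sock
"""

# Host paths of the daemon socket; on many distributions /var/run -> /run.
SOCKET_PATHS = {"/var/run/docker.sock", "/run/docker.sock"}

SERVICE_RE = re.compile(r"^  (\S+):\s*$")          # two-space indented key
SHORT_RE = re.compile(r"^\s*-\s*([^:\s]+):(\S+)")  # "- host:container[:opts]"
LONG_RE = re.compile(r"^\s*(?:-\s*)?source:\s*(\S+)")  # "source: host"


def find_socket_mounts(compose_text):
    """Return (service, host_path) for every service that mounts docker.sock.

    Line-based scan, so no YAML library is needed; it assumes the usual
    two-space indentation of docker-compose files. A ":ro" suffix is still
    reported: it only makes the mount read-only, and talking to the socket
    is not a filesystem write, so the full API remains reachable.
    """
    findings = []
    service = None
    for line in compose_text.splitlines():
        m = SERVICE_RE.match(line)
        if m:
            service = m.group(1)
            continue
        m = SHORT_RE.match(line) or LONG_RE.match(line)
        if m and m.group(1) in SOCKET_PATHS:
            findings.append((service, m.group(1)))
    return findings


if __name__ == "__main__":
    for svc, path in find_socket_mounts(SAMPLE_COMPOSE):
        print(f"service '{svc}' mounts the Docker daemon socket ({path})")
```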