Running docker container through mitmproxy

Views: 261
This article describes how to run a docker container through mitmproxy; the answer has some reference value for anyone facing the same problem.

Problem description


I'm trying to route all traffic of a docker container through mitmproxy running on another docker container. In order for mitmproxy to work, I have to change the gateway IP of the original docker container. Here is an example of what I want to do, but I want to restrict this to be entirely inside docker containers: http://blog.philippheckel.com/2013/07/01/how-to-use-mitmproxy-to-read-and-modify-https-traffic-of-your-phone/

Any thoughts on how I might be able to do this? Also, I want to avoid running either of the two docker containers in privileged mode.

Solution

The default capability set granted to containers does not allow a container to modify network settings. By running in privileged mode, you grant all capabilities to the container -- but there is also an option to grant individual capabilities as needed. In this case the one you require is called CAP_NET_ADMIN (full list here: http://man7.org/linux/man-pages/man7/capabilities.7.html), so you could add --cap-add NET_ADMIN to your docker run command.

Make sure to use that option when starting both containers, since they both require some network adjustments to enable transparent packet interception.

In the "proxy" container, configure the iptables pre-routing NAT rule according to the mitmproxy transparent mode instructions, then start mitmproxy (with the -T flag to enable transparent mode). I use a small start script as the proxy image's entrypoint for this, since network settings changes occur at container runtime only and cannot be specified in a Dockerfile or otherwise persisted.

In the "client" container, just use ip route commands to change the default gateway to the proxy container's IP address on the docker bridge. If this is a setup you'll be repeating regularly, consider using an entrypoint script on the client image that will set this up for you automatically when the container starts. Container linking makes that easier: you can start the proxy container, and link it when starting the client container. Then the client entrypoint script has access to the proxy container's IP via an environment variable.

By the way, if you can get away with using mitmproxy in non-transparent mode (configure the client explicitly to use an HTTP proxy), I'd highly recommend it. It's much less of a headache to set up.

Good luck, have fun!
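The procedure in the answer (CAP_NET_ADMIN on both containers, a PREROUTING NAT rule plus mitmproxy in the proxy container, a default-route change in the client container, link-provided IP via an environment variable) as one entrypoint script. This is an added example, not the answerer's own script. Assumptions not taken from the page: the role is selected with an environment variable MITM_ROLE, the proxy container is linked into the client under the alias "proxy" (so Docker's legacy link exports PROXY_PORT_8080_TCP_ADDR when the proxy image EXPOSEs 8080), mitmproxy listens on its default port 8080, and the container's bridge interface is eth0. The network-changing commands are generated by small pure functions, and the client validates the proxy address before splicing it into an ip(8) command line, so a bad or unexpected environment cannot turn into an arbitrary command.

```shell
#!/bin/sh
# Added example (not the answerer's script): one entrypoint that plays either
# role from the answer, chosen by MITM_ROLE=proxy|client (assumed variable).
# Assumed invocations (image names are placeholders):
#   docker run -d  --cap-add NET_ADMIN --name proxy -e MITM_ROLE=proxy  mitm-proxy
#   docker run -it --cap-add NET_ADMIN --link proxy:proxy -e MITM_ROLE=client mitm-client sh
# Both containers need CAP_NET_ADMIN (iptables in one, ip route in the other);
# neither needs --privileged.

MITM_PORT="${MITM_PORT:-8080}"   # mitmproxy's default listening port
MITM_IFACE="${MITM_IFACE:-eth0}" # assumed bridge-side interface in the container

# Emit (without running) the PREROUTING NAT rules from the mitmproxy transparent
# mode docs: TCP 80/443 arriving on the bridge interface is redirected to the
# proxy's listening port. Pure function so the rules can be reviewed and tested.
proxy_nat_rules() {
  port="$1"
  iface="$2"
  printf '%s\n' \
    "iptables -t nat -A PREROUTING -i $iface -p tcp --dport 80 -j REDIRECT --to-port $port" \
    "iptables -t nat -A PREROUTING -i $iface -p tcp --dport 443 -j REDIRECT --to-port $port"
}

# Accept only a dotted-quad IPv4 address before it is spliced into an ip(8)
# command line; empty strings, hostnames and shell metacharacters are rejected.
is_ipv4() {
  case "$1" in
    *[!0-9.]*|'') return 1 ;;
  esac
  oldifs="$IFS"; IFS=.
  set -- $1
  IFS="$oldifs"
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    [ -n "$o" ] && [ "$o" -le 255 ] || return 1
  done
  return 0
}

# Docker's legacy --link exports <ALIAS>_PORT_<port>_TCP_ADDR for ports the
# linked image EXPOSEs; fall back to resolving the alias from /etc/hosts.
proxy_ip_from_env() {
  ip="${PROXY_PORT_8080_TCP_ADDR:-}"
  if [ -z "$ip" ]; then
    ip="$(getent hosts proxy 2>/dev/null | awk '{print $1; exit}')"
  fi
  is_ipv4 "$ip" || return 1
  printf '%s\n' "$ip"
}

# Emit the route change for the client: the default gateway becomes the proxy
# container's bridge address (what the answer does by hand with ip route).
client_route_cmd() {
  is_ipv4 "$1" || return 1
  printf 'ip route replace default via %s\n' "$1"
}

run_proxy() {
  # ip_forward is read-only inside most containers; if this write is refused,
  # pass --sysctl net.ipv4.ip_forward=1 on docker run instead.
  sysctl -w net.ipv4.ip_forward=1 2>/dev/null || true
  proxy_nat_rules "$MITM_PORT" "$MITM_IFACE" | sh -e
  # mitmdump is the headless sibling of mitmproxy (no TTY needed in a -d
  # container); the answer's -T is the pre-3.0 spelling of --mode transparent.
  exec mitmdump --mode transparent --listen-port "$MITM_PORT"
}

run_client() {
  ip="$(proxy_ip_from_env)" || { echo "cannot determine proxy IP" >&2; exit 1; }
  client_route_cmd "$ip" | sh -e
  exec "$@"   # hand off to the container's real command (a shell, curl, ...)
}

case "${MITM_ROLE:-}" in
  proxy)  run_proxy ;;
  client) run_client "$@" ;;
  *)      : ;;   # sourced or run without a role: only define the functions
esac
```

Running the client container with its own command after the image name (the trailing `sh` above) keeps the route change and the real workload in one process tree, so the container stops when the workload does. When the answer's fallback of non-transparent mode is acceptable, none of the route or NAT changes are needed and only `HTTP_PROXY`/`HTTPS_PROXY` pointing at the proxy container have to be set in the client.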

That concludes this article on running a docker container through mitmproxy; we hope the recommended answer helps, and we hope you keep supporting IT屋!
