一个泊坞窗用户可以向另一个隐藏数据吗? [英] Can one docker user hide data from another?

问题描述

Alice和Bob都是同一主机上的docker组的成员.爱丽丝想在Docker容器中运行一些长期运行的计算，然后将结果复制到她的主文件夹中.鲍勃非常爱管闲事，爱丽丝不希望他能够读取她的计算所使用的数据.

Alice and Bob are both members of the docker group on the same host. Alice wants to run some long-running calculations in a docker container, then copy the results to her home folder. Bob is very nosy, and Alice doesn't want him to be able to read the data that her calculation is using.

系统管理员可以采取什么措施使Bob离开Alice的Docker容器?

Is there anything that the system administrator can do to keep Bob out of Alice's docker containers?

这就是我认为Alice应该基于命名卷和 docker cp命令在此问题和此问题中进行了描述一个.

Here's how I think Alice should get data in and out of her container, based on named volumes and the docker cp command, as described in this question and this one.

$ pwd
/home/alice
$ date > input1.txt
$ docker volume create sandbox1
sandbox1
$ docker run --name run1 -v sandbox1:/data alpine echo OK
OK
$ docker cp input1.txt run1:/data/input1.txt
$ docker run --rm -v sandbox1:/data alpine sh -c "cp /data/input1.txt /data/output1.txt && date >> /data/output1.txt"
$ docker cp run1:/data/output1.txt output1.txt
$ cat output1.txt
Thu Oct  5 16:35:30 PDT 2017
Thu Oct  5 23:36:32 UTC 2017
$ docker container rm run1
run1
$ docker volume rm sandbox1
sandbox1
$ 

我创建一个输入文件input1.txt和一个命名卷sandbox1.然后，我启动一个名为run1的容器，以便可以将文件复制到指定的卷中.该容器仅显示确定"消息并退出.我复制输入文件，然后运行主要计算.在此示例中，它将输入复制到输出，并向其添加第二个时间戳.

I create an input file, input1.txt and a named volume, sandbox1. Then I start a container named run1 just so I can copy files into the named volume. That container just prints an "OK" message and quits. I copy the input file, then run the main calculation. In this example, it copies the input to the output and adds a second timestamp to it.

计算完成后，我复制输出文件，然后删除容器和命名的卷.

After the calculation finishes, I copy the output file, then remove the container and the named volume.

有什么方法可以阻止Bob装载自己的容器，该容器装载命名卷并向其显示Alice的数据?我已将Docker设置为使用用户命名空间，因此Alice和Bob没有对主机的root访问权，但是我看不到如何使Alice和Bob使用不同的用户名称空间.

Is there any way to stop Bob from loading his own container that mounts the named volume and shows him Alice's data? I've set up Docker to use a user namespace, so Alice and Bob don't have root access to the host, but I can't see how to make Alice and Bob use different user namespaces.

推荐答案

通过在docker组中，已向爱丽丝和鲍勃授予了对主机的虚拟根访问权限.

Alice and Bob have been granted virtual root access to the host by being in the docker group.

docker组通过套接字文件授予他们对Docker API的访问权限. Docker中目前没有设施来区分Docker API的用户. Docker守护程序以root身份运行，并且借助Docker API的允许，Alice和Bob将能够解决您尝试设置的所有障碍.

The docker group grants them access to the Docker API via a socket file. There is no facility in Docker at the moment to differentiate between users of the Docker API. The Docker daemon runs as root and by virtue of what the Docker API allows, Alice and Bob will be able to work around any barriers that you did try to put in place.

使用用户名称空间隔离会阻止用户在容器内部以特权或其他用户身份脱离容器，因此实际上该容器进程现在以非特权用户身份运行.

The use of the user namespace isolation stops users inside a container breaking out of a container as a privileged or different user, so in effect the container process is now running as an unprivileged user.

一个例子是

• 爱丽丝被ssh授予对在namespace_a中运行的容器A的访问权限.
• Bob被授予ssh对namespace_b中的容器B的访问权限.

由于用户现在仅位于容器内，因此他们将无法修改主机上的其他文件.假设两个容器都映射到相同的主机卷，则没有世界范围的读/写/执行的文件对于彼此而言是安全的.由于他们无法控制守护程序，因此他们无能为力.

Because the users are now only inside the container, they won't be able to modify each others files on the host. Say if both containers mapped the same host volume, files without world read/write/execute will be safe from each others containers. As they have no control over the daemon, they can't do anything to break out.

名称空间无法保护Docker守护程序和API本身，但它仍然是一个特权进程.解决用户名空间的第一种方法是在命令行上设置主机名称空间:

The namespace doesn't secure the Docker daemon and API itself, which is still a privileged process. The first way around a user name space is setting the host namespace on the command line:

docker run --privileged --userns=host busybox fdisk -l

docker exec，docker cp和docker export命令将向有权访问Docker API的用户提供任何已创建容器的内容.

The docker exec, docker cp and docker export commands will give someone with access to the Docker API the contents of any created containers.

可以限制对API的访问，但是docker组中不能具有具有shell访问权限的用户.

It is possible to restrict access to the API but you can't have users with shell access in the docker group.

通过sudo允许使用一组有限的docker命令，或提供sudo访问对硬编码docker参数的脚本的访问权限:

Allowing a limited set of docker commands via sudo or providing sudo access to scripts that hard code the docker parameters:

#!/bin/sh
docker run --userns=whom image command

对于自动化系统，可以通过附加的shim API提供访问，该shim API在Docker API之前具有适当的访问控制，然后将受控"请求传递给Docker. dockerode 或

For automated systems, access can be provided via an additional shim API with appropriate access controls in front of the Docker API that then passes on the "controlled" request to Docker. dockerode or docker-py can be easily plugged into a REST service and interface with Docker.

这篇关于一个泊坞窗用户可以向另一个隐藏数据吗?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！