How do I connect to a remote docker daemon without being root?

Views: 87

Problem description

I have a server running the docker daemon exposing port 2375 (yes, this is naughty, but I'm looking at getting the simplest set-up working before doing things properly).

I can connect to the remote server as root:

➜  ~ export DOCKER_HOST=72.333.194.99:2375
➜  ~ docker ps
Cannot connect to the Docker daemon at tcp://72.333.194.99:2375. Is the docker daemon running?
➜  ~ sudo docker ps
CONTAINER ID        IMAGE               COMMAND             CREATED                 STATUS              PORTS               NAMES
➜  ~ 

The above example is for brevity; I can build images and run containers on my remote server using local source files.

How do I do this?

I have set up the docker group on my server, so when I'm in the server I do not need to be sudo. I have a single user on my server with the name 'root'.

Recommended answer

I have a server running the docker daemon exposing port 2375 (yes, this is naughty, but I'm looking at getting the simplest set-up working before doing things properly).

This isn't naughty, it's dangerous. It means you have remote root shell access to your host, unencrypted, without a password, on a well known and scanned for protocol. If you've actually set this up like this, then most likely by the time you're reading this answer your server has already been hacked and you should reinstall your entire OS to be safe.

I can connect to the remote server as root:

➜  ~ export DOCKER_HOST=72.333.194.99:2375
➜  ~ docker ps
Cannot connect to the Docker daemon at tcp://72.333.194.99:2375. Is the docker daemon running?
➜  ~ sudo docker ps
CONTAINER ID        IMAGE               COMMAND             CREATED                 STATUS              PORTS               NAMES
➜  ~

You have not connected to the remote server in either docker command. First, you did not give a valid IP address. 333 is outside of the valid range. And the second sudo command runs in a root shell, with a different environment, so it is most likely your local docker install that you saw with that command. You can run sudo docker info to see this.

How do I connect to a remote docker daemon without being root?

Docker is a client/server application. The remote server does not know your local user id when connecting over TCP, so eliminate that from the equation. The reason you need to have root access locally, or be a member of the docker group, is because docker locks down access to /var/run/docker.sock with those permissions. If you have not configured the remote server to listen on the network (hopefully), then you can follow this procedure to configure a private CA with TLS keys for the server and client:

https://docs.docker.com/engine/security/https/

If you deviate from these instructions, and simply expose the socket without TLS, or do not configure mutual TLS authentication of both the client and the server, then you effectively have a remote root login to the server without a password, so do take care to follow all of the steps.

If you do not want to configure mutual TLS, 18.09 is currently in beta with the option to connect to a remote docker server over ssh: https://blog.docker.com/2018/09/join-the-beta-for-docker-engine-18-09/

$ docker -H ssh://me@example.com info

$ export DOCKER_HOST=ssh://me@example.com
$ docker info
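The answer boils down to a rule a client-side script can enforce before any docker command runs: connect over ssh://, or over tcp:// only with mutual TLS, and never to a bare unencrypted socket. The following POSIX sh pre-flight check is an added example, not code from the question, the answer or Docker itself. It assumes the standard Docker client environment variables (DOCKER_HOST, DOCKER_TLS_VERIFY=1, and ca.pem, cert.pem and key.pem inside DOCKER_CERT_PATH, the layout the linked Docker TLS guide produces); the function names and verdict strings are this example's own, and a scheme-less host:port value is treated as tcp://, which is how the docker CLI interprets it. It also catches the malformed address from the question (333 is not a valid octet), the first problem the answer points out.

```shell
#!/bin/sh
# Added example, not part of the original question or answer: a pre-flight
# check for a remote Docker client environment. It accepts only the safe
# options the answer names, ssh:// or tcp:// with mutual TLS (DOCKER_TLS_VERIFY=1
# plus ca.pem/cert.pem/key.pem in DOCKER_CERT_PATH), and rejects a plain tcp://
# socket or a malformed IPv4 address such as the 72.333.194.99 in the question.
# Function names and verdict strings are this example's own choices.

# valid_ipv4 ADDR: succeed when ADDR is a dotted quad with every octet <= 255.
# (IPv6 literals are not parsed by this example.)
valid_ipv4() {
  addr=$1
  case "$addr" in
    *[!0-9.]*|.*|*.|*..*|'') return 1 ;;   # non-digits, edge/double dots, empty
  esac
  old_ifs=$IFS
  IFS=.
  set -- $addr                              # split on dots into $1..$n
  IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# check_docker_host HOST TLS_VERIFY CERT_PATH: classify a DOCKER_HOST value.
# Prints one of: local, ssh, tls, PLAINTEXT, INVALID.
# Returns 0 only for local, ssh and tls.
check_docker_host() {
  host=$1
  tls_verify=$2
  cert_path=$3
  case "$host" in
    ''|unix://*) echo local; return 0 ;;         # the local socket, not remote
    ssh://*)     echo ssh; return 0 ;;           # docker 18.09+ tunnels over ssh
    tcp://*)     hostport=${host#tcp://} ;;
    *://*)       echo INVALID; return 1 ;;       # unknown scheme
    *)           hostport=$host ;;               # bare host:port: docker treats as tcp
  esac
  hostaddr=${hostport%%:*}
  case "$hostaddr" in
    *[!0-9.]*) ;;                                # DNS name: nothing to validate here
    *) valid_ipv4 "$hostaddr" || { echo INVALID; return 1; } ;;
  esac
  # A TCP endpoint is acceptable only with client certificate verification.
  if [ "$tls_verify" = "1" ] && [ -r "$cert_path/ca.pem" ] \
     && [ -r "$cert_path/cert.pem" ] && [ -r "$cert_path/key.pem" ]; then
    echo tls; return 0
  fi
  echo PLAINTEXT; return 1                       # unencrypted, unauthenticated daemon
}

# docker_preflight: run the check against the current shell environment and
# refuse to continue unless the endpoint is local, ssh, or mutually authenticated TLS.
docker_preflight() {
  verdict=$(check_docker_host "${DOCKER_HOST:-}" "${DOCKER_TLS_VERIFY:-}" "${DOCKER_CERT_PATH:-}")
  case "$verdict" in
    local|ssh|tls) echo "DOCKER_HOST='${DOCKER_HOST:-}' ok ($verdict)"; return 0 ;;
    *) echo "refusing DOCKER_HOST='${DOCKER_HOST:-}': $verdict" >&2; return 1 ;;
  esac
}

# Usage: source this file, then run:  docker_preflight && docker info
```

With the question's own setting, `DOCKER_HOST=72.333.194.99:2375`, the verdict is INVALID; with a corrected address but no TLS it is PLAINTEXT, which is exactly the "remote root login without a password" the answer warns about; only an ssh:// URL or a TLS endpoint with the three certificate files in place lets `docker_preflight` fall through to the docker command.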
