How to disable the root access of a docker container?


Question

We have offshore developers who would like to run our server locally, but for security reasons we do not want to give them the server code. So a solution is that they run a Docker container, which is a self-contained version of our server! So no complicated setup on their side! :)

The problem is that it is always possible to access the Linux shell of the Docker instance as root, thus giving access to the source code.

How is it possible to disable root access for the Docker container? Or how can we isolate our source code from root access?

Answer

You can modify your container by creating a user (foo, for example) and assigning it the right permissions. Then you can run the Docker container with the argument -u foo on the docker run command. If you run, for example: docker run --rm -ti -u foo myCustomImage sh, this will open the sh shell with $ instead of #. Of course, in your Dockerfile you must create the foo user first.

If you want more restrictions, for example disabling some kernel features, the seccomp security feature has been available since Docker 1.10. Check it out:

https://docs.docker.com/engine/security/seccomp/

Using this you can disable and restrict a lot of system features... An easy example is to deny the mkdir command. Create a JSON file like this (name it sec.json, for example):

{
    "defaultAction": "SCMP_ACT_ALLOW",
    "syscalls": [
        {
            "name": "mkdir",
            "action": "SCMP_ACT_ERRNO"
        }
    ]
}

Then run your container with: docker run --rm -ti --security-opt seccomp=/path/on/host/to/sec.json ubuntu:xenial sh. You can check inside the container that you are not able to run the mkdir command.

Hope this helps.
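The two pieces of the answer above, the unprivileged-user Dockerfile and the seccomp deny profile, as an added, self-contained shell example that is not part of the original answer. The image name (lowercased to mycustomimage, since Docker rejects upper-case repository names), the user foo and the output directory are placeholders. The profile goes slightly beyond the answer: it uses the list form "names" and denies mkdirat as well as mkdir, because on some architectures (and in newer libcs) the mkdir command is implemented with mkdirat, so denying only mkdir would leave directory creation working. The live check only runs when a docker binary is present; otherwise the script just writes the files. Note that both controls constrain the process inside the container, not whoever controls the Docker daemon: that person can still start the image with -u root or export its layers with docker save, so for the original poster's goal of keeping source code away from the person running the container this is a hardening measure, not a confidentiality boundary.

```shell
#!/bin/sh
# Added example, not from the original Q&A. Generates a Dockerfile that creates
# an unprivileged user and a seccomp profile that denies directory creation,
# then (if docker is installed) builds and runs the image to show the effect.
set -eu

# All placeholders; WORKDIR can be overridden from the environment.
WORKDIR="${WORKDIR:-$(mktemp -d)}"
IMAGE="mycustomimage"
APP_USER="foo"

# Dockerfile: create "foo" at build time and make it the default user, so
# "docker run" starts unprivileged even when "-u foo" is forgotten.
# Assumes a Debian/Ubuntu base image where useradd is available.
write_dockerfile() {
    cat > "$WORKDIR/Dockerfile" <<EOF
FROM ubuntu:xenial
# Unprivileged user with a home directory and a login shell
RUN useradd --create-home --shell /bin/sh $APP_USER
WORKDIR /app
# Drop to the unprivileged user for the rest of the build and at run time
USER $APP_USER
CMD ["sh"]
EOF
    printf '%s\n' "$WORKDIR/Dockerfile"
}

# seccomp profile: allow everything by default, but make mkdir and mkdirat
# fail with an errno. "names" (plural) is the list form Docker accepts.
write_seccomp_profile() {
    cat > "$WORKDIR/sec.json" <<'EOF'
{
  "defaultAction": "SCMP_ACT_ALLOW",
  "syscalls": [
    {
      "names": ["mkdir", "mkdirat"],
      "action": "SCMP_ACT_ERRNO"
    }
  ]
}
EOF
    printf '%s\n' "$WORKDIR/sec.json"
}

# The run command the answer describes, combining both controls.
run_command() {
    printf 'docker run --rm -ti -u %s --security-opt seccomp=%s %s sh\n' \
        "$APP_USER" "$WORKDIR/sec.json" "$IMAGE"
}

# Builds the image and runs a probe that reports the uid and whether mkdir
# works. Only called when a docker binary is present.
live_check() {
    docker build -t "$IMAGE" "$WORKDIR" >/dev/null
    docker run --rm -u "$APP_USER" --security-opt seccomp="$WORKDIR/sec.json" \
        "$IMAGE" sh -c 'echo "uid=$(id -u)"; mkdir /tmp/probe 2>/dev/null && echo "mkdir: CREATED" || echo "mkdir: DENIED"'
}

demo() {
    df=$(write_dockerfile)
    sp=$(write_seccomp_profile)
    echo "Wrote $df and $sp"
    echo "Run with: $(run_command)"
    if command -v docker >/dev/null 2>&1; then
        live_check
    else
        echo "docker not found; skipping live check"
    fi
}

demo
```

Expected live output is a non-zero uid line (foo, not root) followed by "mkdir: DENIED"; running the same probe without --security-opt prints "mkdir: CREATED", which is a quick way to confirm that the profile, not the user change, is what blocks directory creation.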
