How to run script in docker container with additional capabilities (docker exec ... --cap-add ...)

Problem description

How can I run a script in a docker container with additional capabilities, such as NET_ADMIN?

I'm testing out some commands that I'd like to run in a docker image that require the NET_ADMIN permissions. For example, this works:

docker run --rm -it --cap-add 'NET_ADMIN' debian:stable-slim "iptables -L"

But if I want to execute a script (via docker exec), then suddenly the --cap-add option is not available.

root@disp8686:~# cat << EOF > docker_script.sh
> apt-get update
> apt-get -y install iptables
> iptables -L
> EOF
root@disp8686:~# docker exec -it --cap-add 'NET_ADMIN' debian:stable-slim docker_script.sh
unknown flag: --cap-add
See 'docker exec --help'.
root@disp8686:~# 

Why does --cap-add exist for docker run but not docker exec and how can I run a script in a docker container using --cap-add?

Recommended answer

docker exec does not support the --cap-add option, but you can use the --volume option of docker run to make a script on the docker host available to a container and execute it inside the container as follows:

tmpDir=`mktemp -d`
pushd "${tmpDir}"

cat << EOF > docker_script.sh
apt-get update
apt-get -y install iptables
iptables -L
EOF
chmod +x docker_script.sh

sudo docker run --rm -it --cap-add 'NET_ADMIN' --volume "${tmpDir}:/root" debian:stable-slim /bin/bash -c "cd /root && ./docker_script.sh"

Here is an example execution in Debian 10:

user@disp7086:~$ tmpDir=`mktemp -d`
user@disp7086:~$ pushd "${tmpDir}"
/tmp/tmp.PXmB9uJ8oM ~
user@disp7086:/tmp/tmp.PXmB9uJ8oM$ 
user@disp7086:/tmp/tmp.PXmB9uJ8oM$ cat << EOF > docker_script.sh
> apt-get update
> apt-get -y install iptables
> iptables -L
> EOF
user@disp7086:/tmp/tmp.PXmB9uJ8oM$ chmod +x docker_script.sh
user@disp7086:/tmp/tmp.PXmB9uJ8oM$ 

user@disp7086:/tmp/tmp.PXmB9uJ8oM$ sudo docker run --rm -it --cap-add 'NET_ADMIN' --volume "${tmpDir}:/root" debian:stable-slim /bin/bash -c "cd /root && ./docker_script.sh"
Get:1 http://deb.debian.org/debian stable InRelease [122 kB]
...
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
user@disp7086:/tmp/tmp.PXmB9uJ8oM$
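
A preflight check that the mounted script could run before calling iptables, as an added example that is not part of the original answer: it reads the shell's effective capability mask (CapEff in /proc/self/status) and tests bit 12, CAP_NET_ADMIN. The function names and the two sample masks are constructed for this example.

```shell
#!/bin/sh
# Added example: preflight check for docker_script.sh (names are hypothetical).
CAP_NET_ADMIN=12   # bit number of CAP_NET_ADMIN in linux/capability.h

# Constructed sample masks: the first has bit 12 clear, the second has it set.
SAMPLE_WITHOUT=00000000a80425fb
SAMPLE_WITH=00000000a80435fb

# Print the effective capability mask from a /proc status file.
# $1: status file; defaults to the calling shell's own entry.
cap_eff() {
    while read -r key value; do
        if [ "$key" = "CapEff:" ]; then
            printf '%s\n' "$value"
            return 0
        fi
    done < "${1:-/proc/self/status}"
    return 1
}

# Succeed if bit $2 is set in hex mask $1.
has_cap() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# Return 0 if CAP_NET_ADMIN is effective, 1 if missing, 2 if unreadable.
require_net_admin() {
    mask=$(cap_eff "$@") || { echo "cannot read CapEff" >&2; return 2; }
    if has_cap "$mask" "$CAP_NET_ADMIN"; then
        return 0
    fi
    echo "CAP_NET_ADMIN not in CapEff=$mask;" \
         "start the container with docker run --cap-add NET_ADMIN" >&2
    return 1
}

# Demo on the constructed masks (no container needed).
for m in "$SAMPLE_WITHOUT" "$SAMPLE_WITH"; do
    if has_cap "$m" "$CAP_NET_ADMIN"; then
        echo "$m: NET_ADMIN present"
    else
        echo "$m: NET_ADMIN absent"
    fi
done
```

Inside the container, calling `require_net_admin || exit 1` at the top of docker_script.sh makes a run without `--cap-add 'NET_ADMIN'` stop with a clear message before `iptables -L` is reached.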
