谁能解释 docker.sock [英] Can anyone explain docker.sock
问题描述
我试图了解在 docker-compose.yml
文件中安装 docker.sock
的实际原因.是否用于自动发现?
卷:-/var/run/docker.sock:/var/run/docker.sock
docker.sock
是 Docker 守护程序正在侦听的 UNIX 套接字.它是 Docker API 的主要入口点.它也可以是 TCP 套接字,但出于安全原因,Docker 默认使用 UNIX 套接字.
Docker cli 客户端默认使用这个套接字来执行 docker 命令.您也可以覆盖这些设置.
您可能需要在容器内挂载 Docker 套接字的原因可能不同.就像从另一个容器中启动新容器一样.或者用于自动服务发现和日志记录目的.这会增加攻击面,因此如果您在容器内安装 docker socket 时应该小心,该容器内运行着受信任的代码,否则您可以简单地危害运行 docker daemon 的主机,因为默认情况下 Docker 以 root 身份启动所有容器.>
Docker 套接字在大多数安装中都有一个 docker 组,因此该组中的用户可以在没有 root 权限的情况下对 docker socket 运行 docker 命令,但实际的 docker 容器仍然获得 root 权限,因为 docker 守护进程以 root 有效运行(它需要 root 权限才能访问命名空间和 cgroups).
希望它能回答您的问题.
更多信息:https://docs.docker.com/engine/参考/命令行/dockerd/#examples
I am trying to understand the actual reason for mounting docker.sock
in docker-compose.yml
file. Is it for auto-discovery?
volumes:
- /var/run/docker.sock:/var/run/docker.sock
docker.sock
is the UNIX socket that Docker daemon is listening to. It's the main entry point for Docker API. It also can be TCP socket but by default for security reasons Docker defaults to use UNIX socket.
Docker cli client uses this socket to execute docker commands by default. You can override these settings as well.
There might be different reasons why you may need to mount Docker socket inside a container. Like launching new containers from within another container. Or for auto service discovery and Logging purposes. This increases attack surface so you should be careful if you mount docker socket inside a container there are trusted codes running inside that container otherwise you can simply compromise your host that is running docker daemon, since Docker by default launches all containers as root.
Docker socket has a docker group in most installation so users within that group can run docker commands against docker socket without root permission but actual docker containers still get root permission since docker daemon runs as root effectively (it needs root permission to access namespace and cgroups).
I hope it answers your question.
More info: https://docs.docker.com/engine/reference/commandline/dockerd/#examples
这篇关于谁能解释 docker.sock的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!