Docker容器资源控制与安全强化
1. 用户命名空间与文件系统访问
首先,我们来检查主机上dockremap用户的用户和组 ID,然后创建一个由重映射的容器 UID 0(对应主机 UID 5000)拥有的共享目录。
# id dockremap uid=997(dockremap) gid=993(dockremap) groups=993(dockremap) # cat /etc/subuid dockremap:5000:10000 # cat /etc/subgid dockremap:5000:10000 # mkdir /tmp/shared # chown -R 5000:5000 /tmp/shared接着,以容器的根用户身份运行一个容器:
# docker run -it --rm --user root -v /tmp/shared:/shared -v /:/host alpine ash / # touch /host/afile touch: /host/afile: Permission denied / # echo "hello from $(id) in $(hostname)" >> /shared/afile / # exit # back in the host shell # ls -la /tmp/shared/afile -rw-r--r--. 1
