
How to use Docker for container security isolation and permission management

With the rapid growth of containerization, its security problems have drawn increasing attention. In a containerized deployment, the isolation of containers and the management of their privileges are critical. This article describes how to use Docker for container security isolation and permission management, with code examples to help the reader understand.

1. Security isolation with users and groups

By default, the process inside a Docker container runs as the root user. If nothing restricts it, the container effectively holds the full privileges of the host, which is clearly unsafe. To make Docker containers safer we therefore need to limit the container's privileges, and one way to do that is isolation through users and groups.

Creating a new user and group

First, create a new user and group in the Docker image so that the container's privileges can be limited. Use the following command in the Dockerfile:

RUN groupadd -r mygroup && useradd -r -g mygroup myuser


This command creates a new user named "myuser" and adds it to a new group named "mygroup". The "-r" option creates both as system accounts: they get a UID/GID from the system range and, for useradd, no home directory is created.

Switching to the new user and group

After creating the user and group, the application inside the container must run as that user. This is done with the USER instruction in the Dockerfile; the process started by ENTRYPOINT or CMD then runs as the specified user.

USER myuser


Files the application needs at runtime can then be handed over to the new group with the following command. Place it before the USER instruction: RUN steps that come after USER execute as the unprivileged user and may no longer be allowed to change ownership.

RUN chgrp mygroup /path/to/file


¸ÃÏÂÁ/group/to/fileÎļþµÄ×é¸ü¸ÄΪ¡°mygroup¡±¡£

2. Security isolation with container namespaces

Namespaces are a Linux kernel feature that logically isolates processes and resources. Using them, each container gets its own runtime environment, separate from other containers and from the host, which improves container security.

Network isolation

Network isolation separates the container from the host and from other containers. The following command runs the container on Docker's private bridge network (this is also what you get when no --net option is given). The setting to avoid is --net=host, which places the container in the host's network namespace.

docker run --net=bridge --name=mycontainer imagename


PID isolation

PID isolation separates the container's processes from the other processes on the host. The --pid option selects which PID namespace the container uses. In the following command, container:target_container (a placeholder name) joins the PID namespace of an already running container, so both containers see each other's processes; --pid=host joins the host's namespace. Either form gives up PID isolation, which is useful for a debugging sidecar but not for isolating a workload. Without the --pid option, which is the default, the container gets its own private PID namespace.

docker run --pid=container:target_container --name=mycontainer imagename


UTS isolation

UTS isolation gives the container its own hostname and domain name, separate from the host's. Docker provides this by default: the --uts option only accepts the value host, which shares the host's UTS namespace and is rejected as an invalid mode for any other value, so UTS isolation is kept simply by not passing --uts=host:

docker run --name=mycontainer imagename

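For the three namespace flags in this section the risk lies in the value that is passed, not in the flag itself: host, or container:<name>, joins an existing namespace instead of creating a private one. The following is an added example, not code from the original article: a pre-flight check that reads a docker run command line and reports every flag that gives up network, PID, UTS or IPC isolation, plus --privileged. The flag names are the real docker CLI flags; the container and image names in the sample command lines are constructed.

```python
"""Pre-flight check for `docker run` argument lists.

Added example (not from the original article). Flags listed here are
real docker CLI flags; sample command lines are constructed.
"""
import shlex

# Namespace flags whose value can join the host's or another container's namespace.
SHARING_FLAGS = {
    "--pid": "PID namespace",
    "--net": "network namespace",
    "--network": "network namespace",
    "--uts": "UTS (hostname) namespace",
    "--ipc": "IPC namespace",
}

# Flags that take a separate value ('--flag value'), so the parser does not
# mistake the value for the image name.
VALUE_FLAGS = set(SHARING_FLAGS) | {
    "--name", "--security-opt", "--user", "-u", "-v", "--volume",
    "-p", "--publish", "-e", "--env", "--cap-add", "--cap-drop",
}


def _flag_values(argv):
    """Yield (flag, value) for '--flag=value' and '--flag value' forms.
    Stops at the image name: everything after it belongs to the container."""
    args = list(argv)
    if args[:2] == ["docker", "run"]:
        args = args[2:]
    i = 0
    while i < len(args):
        a = args[i]
        if not a.startswith("-"):
            break  # image name reached
        if "=" in a:
            flag, value = a.split("=", 1)
            i += 1
        elif a in VALUE_FLAGS and i + 1 < len(args):
            flag, value = a, args[i + 1]
            i += 2
        else:
            flag, value = a, ""
            i += 1
        yield flag, value


def check_run_args(cmdline):
    """Return a list of findings for one docker run command line (a string)."""
    findings = []
    for flag, value in _flag_values(shlex.split(cmdline)):
        if flag == "--privileged":
            findings.append("--privileged grants all capabilities and disables the seccomp profile")
        elif flag in SHARING_FLAGS:
            what = SHARING_FLAGS[flag]
            if value == "host":
                findings.append(f"{flag}=host shares the host {what}")
            elif value.startswith("container:"):
                findings.append(f"{flag}={value} joins another container's {what} instead of isolating it")
    return findings


if __name__ == "__main__":
    # Constructed command lines, including the ones from this section.
    for cmd in [
        "docker run --net=bridge --name=mycontainer imagename",
        "docker run --pid=container:target_container --name=mycontainer imagename",
        "docker run --privileged --pid host --network=host imagename",
    ]:
        print(cmd, "->", check_run_args(cmd) or "OK")
```

Because the parser stops at the image name, a --pid=host that appears after the image is correctly treated as an argument of the containerized program rather than of docker run.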

3. Permission management with seccomp

Seccomp (secure computing mode) is a Linux kernel feature that restricts which system calls a process may make. With a seccomp profile you define the system calls a process is allowed to execute, reducing the damage a process can do when it tries to exploit a privilege-escalation vulnerability in the kernel. In Docker, a seccomp profile limits what a container can do.

Creating a seccomp profile

First, create a seccomp profile. With a text editor, create a file named "seccomp.json" that defines the system calls allowed to the container. Docker expects the format shown below: each rule lists syscall names, an action, and optionally argument filters that each carry an index, a value and a comparison operator (op).

{
    "defaultAction": "SCMP_ACT_ALLOW",
    "syscalls": [
        {
            "names": ["write"],
            "action": "SCMP_ACT_ERRNO",
            "args": [
                { "index": 0, "value": 1, "op": "SCMP_CMP_EQ" },
                { "index": 1, "value": 2, "op": "SCMP_CMP_EQ" }
            ]
        },
        {
            "names": ["open"],
            "action": "SCMP_ACT_ALLOW"
        },
        {
            "names": ["close"],
            "action": "SCMP_ACT_ALLOW"
        }
    ]
}


In this profile the default action allows every system call. The "write" rule returns an error (EPERM) instead of performing the call when both argument filters match, that is, when the first argument (the file descriptor) equals 1 and the second equals 2; "open" and "close" are explicitly allowed, which is redundant under this default action. Note that a profile whose defaultAction is SCMP_ACT_ALLOW is looser than the default profile Docker applies on its own, which denies by default and allows a known set of calls. A production profile should use SCMP_ACT_ERRNO as the default action and list only the system calls the application needs.

Applying the seccomp profile to a container

Use the following command to apply the profile to a container:

docker run --security-opt seccomp=./seccomp.json --name=mycontainer imagename


Here, the seccomp.json file is specified as the container's seccomp profile when the container is created. When no --security-opt seccomp option is given, Docker applies its built-in default profile; running with --privileged or with seccomp=unconfined removes the filter entirely.
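A malformed profile is only discovered when docker run fails, and an allow-by-default profile is accepted without complaint even though it protects almost nothing. The following is an added example, not code from the original article: a Python script that validates a profile's structure offline (the defaultAction, syscalls, names, action, args, index, value and op keys and the SCMP_* constants are those of Docker's profile format) and builds a deny-by-default profile from an allow-list. The syscall names in the samples are constructed illustrations, not a complete set for any real program, and strict.json is an assumed output file name.

```python
"""Offline validation of Docker seccomp profiles and a deny-by-default builder.

Added example (not from the original article). Key names and SCMP_*
constants follow Docker's profile format; sample syscall lists are
constructed and not sufficient for a real application.
"""
import json

ACTIONS = {"SCMP_ACT_KILL", "SCMP_ACT_KILL_PROCESS", "SCMP_ACT_TRAP", "SCMP_ACT_ERRNO",
           "SCMP_ACT_TRACE", "SCMP_ACT_ALLOW", "SCMP_ACT_LOG"}
OPERATORS = {"SCMP_CMP_NE", "SCMP_CMP_LT", "SCMP_CMP_LE", "SCMP_CMP_EQ",
             "SCMP_CMP_GE", "SCMP_CMP_GT", "SCMP_CMP_MASKED_EQ"}

# The article's profile, reduced to the file-descriptor check (constructed).
ARTICLE_PROFILE = json.loads("""
{
  "defaultAction": "SCMP_ACT_ALLOW",
  "syscalls": [
    {"names": ["write"], "action": "SCMP_ACT_ERRNO",
     "args": [{"index": 0, "value": 1, "op": "SCMP_CMP_EQ"}]},
    {"names": ["open", "close"], "action": "SCMP_ACT_ALLOW"}
  ]
}
""")


def validate_profile(profile):
    """Return a list of structural problems (empty when the profile is well-formed).
    Structure only: it does not judge whether the allowed set is sensible."""
    problems = []
    if profile.get("defaultAction") not in ACTIONS:
        problems.append("defaultAction missing or not a SCMP_ACT_* value")
    for n, rule in enumerate(profile.get("syscalls", [])):
        # Docker accepts the legacy singular "name" as well as "names".
        names = rule.get("names") or ([rule["name"]] if "name" in rule else [])
        if not names:
            problems.append(f"rule {n}: no 'names'")
        if rule.get("action") not in ACTIONS:
            problems.append(f"rule {n}: bad action {rule.get('action')!r}")
        for a in rule.get("args", []):
            idx = a.get("index")
            if not isinstance(idx, int) or not 0 <= idx <= 5:
                problems.append(f"rule {n}: arg index must be an integer 0..5")
            if a.get("op") not in OPERATORS:
                problems.append(f"rule {n}: arg needs an 'op' such as SCMP_CMP_EQ")
    return problems


def is_allow_by_default(profile):
    """True when every syscall not named in a rule is allowed."""
    return profile.get("defaultAction") == "SCMP_ACT_ALLOW"


def deny_by_default(allowed_syscalls):
    """Build a profile that returns EPERM for everything except the given
    syscalls. This is the shape Docker's own default profile uses."""
    return {
        "defaultAction": "SCMP_ACT_ERRNO",
        "architectures": ["SCMP_ARCH_X86_64", "SCMP_ARCH_X86", "SCMP_ARCH_X32"],
        "syscalls": [{"names": sorted(set(allowed_syscalls)), "action": "SCMP_ACT_ALLOW"}],
    }


if __name__ == "__main__":
    print("article profile:", validate_profile(ARTICLE_PROFILE) or "well-formed",
          "| allow-by-default:", is_allow_by_default(ARTICLE_PROFILE))
    # Constructed allow-list; a real one comes from tracing the application.
    strict = deny_by_default(["read", "write", "close", "exit_group", "futex", "brk"])
    with open("strict.json", "w") as f:
        json.dump(strict, f, indent=2)
    print("wrote strict.json:", validate_profile(strict) or "well-formed")
```

The resulting file is applied exactly as in the command above, with --security-opt seccomp=./strict.json. Validation here catches the errors Docker would otherwise only report at container start, such as an argument filter without an op.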

Summary

This article covered how to use Docker for container security isolation and permission management: users and groups, container namespaces, and seccomp. As containerization spreads, container security will receive more and more attention, and developers and operators deploying containers are advised to pay close attention to isolation and privilege management.
