Permission denied even as root inside a docker container - PullRequest
0 votes
03 February 2020

When I attach to a running docker container as root, I still get the error "Operation not permitted" when trying to run apt-get update, yet I can still see a sensitive file such as /etc/passwd. Below are my settings and the error message from apt-get update. My host OS is Ubuntu 18.04.3. My docker version is Docker version 19.03.5, build 633a0ea838.

I build the container with the following Dockerfile

FROM python:3.8-slim-buster
RUN useradd -ms /bin/bash andrej
WORKDIR /home/andrej
COPY . /home/andrej/

RUN apt-get update && \
    apt-get install -y gcc && \
    pip install -r requirements.txt && \
    apt-get remove -y gcc && apt-get -y autoremove

RUN chown andrej:andrej pycurl && \
    chmod 0744 pycurl

USER andrej
ENTRYPOINT ["uwsgi"]
CMD ["--ini", "uwsgi.ini"]

and start it with docker-compose like this:

version: "3.3"

services:

  andrej-cv:
    build: ./andrej_cv
    container_name: andrej-cv
    restart: always
    security_opt:
      - no-new-privileges
    expose:
      - 5000
    healthcheck:
      test: ./pycurl --host=127.0.0.1 --port=5050 --uri=/health_check
      interval: 1m30s
      timeout: 10s
      retries: 3

My docker daemon config:

{
    "icc": false,
    "userns-remap": "default",
    "log-driver": "syslog",
    "live-restore": true,
    "userland-proxy": false,
    "no-new-privileges": true
}

I connect to the container with the following command (as root): docker exec -it -u root <container_hash> /bin/bash, but when I try to update I get the following:

root@ed984abff684:/home/andrej# apt-get update
E: setgroups 65534 failed - setgroups (1: Operation not permitted)
E: setegid 65534 failed - setegid (1: Operation not permitted)
E: seteuid 100 failed - seteuid (1: Operation not permitted)
E: setgroups 0 failed - setgroups (1: Operation not permitted)
Hit:1 http://deb.debian.org/debian buster InRelease
Ign:2 http://deb.debian.org/debian buster-updates InRelease
Err:4 http://deb.debian.org/debian buster-updates Release
  Could not open file /var/lib/apt/lists/partial/deb.debian.org_debian_dists_buster-updates_Release - open (13: Permission denied) [IP: 151.101.36.204 80]
Hit:3 http://security-cdn.debian.org/debian-security buster/updates InRelease
rm: cannot remove '/var/cache/apt/archives/partial/*.deb': Permission denied
Reading package lists... Done
W: chown to _apt:root of directory /var/lib/apt/lists/partial failed - SetupAPTPartialDirectory (1: Operation not permitted)
W: chmod 0700 of directory /var/lib/apt/lists/partial failed - SetupAPTPartialDirectory (1: Operation not permitted)
W: chown to _apt:root of directory /var/lib/apt/lists/auxfiles failed - SetupAPTPartialDirectory (1: Operation not permitted)
W: chmod 0700 of directory /var/lib/apt/lists/auxfiles failed - SetupAPTPartialDirectory (1: Operation not permitted)
E: setgroups 65534 failed - setgroups (1: Operation not permitted)
E: setegid 65534 failed - setegid (1: Operation not permitted)
E: seteuid 100 failed - seteuid (1: Operation not permitted)
W: Download is performed unsandboxed as root as file '/var/lib/apt/lists/partial/deb.debian.org_debian_dists_buster_InRelease' couldn't be accessed by user '_apt'. - pkgAcquire::Run (13: Permission denied)
E: setgroups 0 failed - setgroups (1: Operation not permitted)
W: Problem unlinking the file /var/lib/apt/lists/partial/deb.debian.org_debian_dists_buster_InRelease - PrepareFiles (13: Permission denied)
W: Problem unlinking the file /var/lib/apt/lists/partial/deb.debian.org_debian_dists_buster-updates_InRelease - PrepareFiles (13: Permission denied)
W: Problem unlinking the file /var/lib/apt/lists/partial/deb.debian.org_debian_dists_buster-updates_Release - PrepareFiles (13: Permission denied)
E: The repository 'http://deb.debian.org/debian buster-updates Release' no longer has a Release file.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
W: Problem unlinking the file /var/lib/apt/lists/partial/security.debian.org_debian-security_dists_buster_updates_InRelease - PrepareFiles (13: Permission denied)

In the container, /etc/subuid and /etc/subgid look like this (both):

andrej:100000:65536

On the host, /etc/subuid and /etc/subgid look like this (both):

andrej:100000:65536
dockremap:165536:65536

AppArmor is running on the Ubuntu host with the following status (only the docker-default profile):

andrej@machine:/etc/apparmor.d$ sudo aa-status 
apparmor module is loaded.
38 profiles are loaded.
36 profiles are in enforce mode.
   /sbin/dhclient
   /snap/core/8268/usr/lib/snapd/snap-confine
   /snap/core/8268/usr/lib/snapd/snap-confine//mount-namespace-capture-helper
   /usr/bin/evince
   /usr/bin/evince-previewer
   /usr/bin/evince-previewer//sanitized_helper
   /usr/bin/evince-thumbnailer
   /usr/bin/evince//sanitized_helper
   /usr/bin/man
   /usr/lib/NetworkManager/nm-dhcp-client.action
   /usr/lib/NetworkManager/nm-dhcp-helper
   /usr/lib/connman/scripts/dhclient-script
   /usr/lib/cups/backend/cups-pdf
   /usr/lib/snapd/snap-confine
   /usr/lib/snapd/snap-confine//mount-namespace-capture-helper
   /usr/sbin/cups-browsed
   /usr/sbin/cupsd
   /usr/sbin/cupsd//third_party
   /usr/sbin/ippusbxd
   /usr/sbin/tcpdump
   docker-default
   libreoffice-senddoc
   libreoffice-soffice//gpg
   libreoffice-xpdfimport
   man_filter
   man_groff
   snap-update-ns.core
   snap-update-ns.gnome-calculator
   snap-update-ns.gnome-characters
   snap-update-ns.gnome-logs
   snap-update-ns.gnome-system-monitor
   snap.core.hook.configure
   snap.gnome-calculator.gnome-calculator
   snap.gnome-characters.gnome-characters
   snap.gnome-logs.gnome-logs
   snap.gnome-system-monitor.gnome-system-monitor
2 profiles are in complain mode.
   libreoffice-oopslash
   libreoffice-soffice
17 processes have profiles defined.
14 processes are in enforce mode.
   docker-default (1101) 
   docker-default (1102) 
   docker-default (1111) 
   docker-default (1600) 
   docker-default (1728) 
   docker-default (1729) 
   docker-default (1730) 
   docker-default (1731) 
   docker-default (1732) 
   docker-default (1798) 
   docker-default (1799) 
   docker-default (1800) 
   docker-default (1801) 
   docker-default (1802) 
0 processes are in complain mode.
3 processes are unconfined but have a profile defined.
   /sbin/dhclient (491) 
   /usr/sbin/cups-browsed (431) 
   /usr/sbin/cupsd (402) 

SELinux seems to be disabled, since there is no /etc/selinux/config file and the getenforce and sestatus commands are not available.

Also, running the command su andrej as root (where andrej is an unprivileged user in the container) fails with su: cannot set groups: Operation not permitted

...
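As an added diagnostic (not part of the question above): setgroups(2), seteuid(2) and chown(2) return EPERM for uid 0 precisely when CAP_SETGID, CAP_SETUID and CAP_CHOWN are absent from the effective capability set, or when the target ids are not mapped into the container's user namespace, so the first thing to check from the docker exec shell is CapEff and NoNewPrivs in /proc/self/status. The script below decodes those fields and names the capabilities apt relies on that are missing; the sample status texts and the function names are constructed for this example.

```shell
#!/bin/sh
# Added diagnostic (not from the question): decode CapEff and NoNewPrivs from
# /proc/<pid>/status text and list the capabilities apt-get needs that are absent.
# Capability bit numbers are the well-known constants from linux/capability.h.
CAP_CHOWN=0; CAP_DAC_OVERRIDE=1; CAP_SETGID=6; CAP_SETUID=7

# status_field NAME STATUS_TEXT: value of the "NAME:<tab>value" line.
status_field() {
    printf '%s\n' "$2" | sed -n "s/^$1:[[:space:]]*//p"
}

# cap_in_mask HEXMASK BITNUM: succeed when capability BITNUM is set in HEXMASK.
cap_in_mask() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# missing_caps STATUS_TEXT: space-separated names of the capabilities apt needs
# (chown/chmod of its partial dirs, setgroups/setegid/seteuid to _apt) missing from CapEff.
missing_caps() {
    caps=$(status_field CapEff "$1"); [ -n "$caps" ] || caps=0
    missing=""
    for pair in CHOWN:$CAP_CHOWN DAC_OVERRIDE:$CAP_DAC_OVERRIDE SETGID:$CAP_SETGID SETUID:$CAP_SETUID; do
        name=${pair%%:*}; bit=${pair##*:}
        cap_in_mask "$caps" "$bit" || missing="${missing:+$missing }CAP_$name"
    done
    printf '%s' "$missing"
}

# nnp_flag STATUS_TEXT: the NoNewPrivs value (1 = set, 0 = clear).
nnp_flag() { status_field NoNewPrivs "$1"; }

# Constructed samples standing in for `cat /proc/self/status` from an exec'd shell:
# the Docker default root capability set, and a root shell whose effective set is empty.
SAMPLE_DEFAULT_ROOT="$(printf 'Name:\tbash\nUid:\t0\t0\t0\t0\nCapEff:\t00000000a80425fb\nNoNewPrivs:\t1\n')"
SAMPLE_STRIPPED_ROOT="$(printf 'Name:\tbash\nUid:\t0\t0\t0\t0\nCapEff:\t0000000000000000\nNoNewPrivs:\t1\n')"

# report STATUS_TEXT: one-line verdict; on a live shell run: report "$(cat /proc/self/status)"
report() {
    m=$(missing_caps "$1")
    if [ -z "$m" ]; then
        echo "CapEff OK (NoNewPrivs=$(nnp_flag "$1")): EPERM is not a capability problem; check the uid/gid mapping of the user namespace, seccomp and AppArmor next"
    else
        echo "missing from CapEff: $m (NoNewPrivs=$(nnp_flag "$1")): apt's setgroups/seteuid/chown will return EPERM"
    fi
}

report "$SAMPLE_DEFAULT_ROOT"
report "$SAMPLE_STRIPPED_ROOT"
```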