I'm following the YouTube video linked in the article below, which shows a Docker container gaining root access to the host.
Some of the steps are unclear; can someone explain in more detail how they work?
https://www.lvh.io/posts/dont-expose-the-docker-socket-not-even-to-a-container.html
Step 1> Bind mount /var/run/docker.sock from host to container
Step 2> Install docker in container <<< at this stage I see that docker ps -a shows all the containers which are present on the host.
**QUESTION:** How can the container see the containers present on the host? Is it because dockerd in the new container is using /var/run/docker.sock on the host? netstat/ss in the new container doesn't show anything.
Step 3> Run another container from the 1st container. Pass the following parameters to it:
docker run -dit -v /:/host ubuntu
The intention of this is to mount / from the host filesystem to /host in the 2nd container being created.
**QUESTION:** How does the 1st container have access to / (being the filesystem of the host)?
Thanks.
Answer 0 (score: 2)
Docker runs on the host as a service. That service communicates with its clients through a socket, which by default is a unix socket: `unix:/var/run/docker.sock`.
When you share this socket with any container, that container gets full access to the docker daemon. From there, the container can start other containers, delete containers/volumes/etc., and even map volumes from the host into new containers at will, for example with `-v /:/host` as in your question. Doing so gives the container root access to the host filesystem under `/host/`.
In short: you should be careful about sharing this precious socket with any container you don't trust. There are some cases where sharing the socket makes sense (e.g. `portainer`, a container used as a Docker management GUI).
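A defensive check that follows from the answer above, added here and not part of the original post: it scans `docker inspect` output for containers that have the Docker socket or the host root filesystem bind-mounted (or run privileged), using a constructed sample in the shape of that output rather than data from a real host.

```python
import json

# Constructed sample in the shape of `docker inspect` output (not captured from a real host):
# one container with the host's Docker socket bind-mounted, one with the host root
# filesystem mounted at /host (the -v /:/host case from the question), and one harmless
# named volume.
SAMPLE_INSPECT = json.dumps([
    {"Id": "aaa111", "Name": "/mgmt-ui",
     "HostConfig": {"Binds": ["/var/run/docker.sock:/var/run/docker.sock"], "Privileged": False},
     "Mounts": [{"Type": "bind", "Source": "/var/run/docker.sock",
                 "Destination": "/var/run/docker.sock", "RW": True}]},
    {"Id": "bbb222", "Name": "/escaped",
     "HostConfig": {"Binds": ["/:/host"], "Privileged": False},
     "Mounts": [{"Type": "bind", "Source": "/", "Destination": "/host", "RW": True}]},
    {"Id": "ccc333", "Name": "/web",
     "HostConfig": {"Binds": [], "Privileged": False},
     "Mounts": [{"Type": "volume", "Name": "webdata",
                 "Source": "/var/lib/docker/volumes/webdata/_data",
                 "Destination": "/data", "RW": True}]},
])

# Socket paths that hand a container control of the daemon (and thus of the host).
SENSITIVE_SOURCES = {"/var/run/docker.sock", "/run/docker.sock"}


def risky_mounts(inspect_json: str):
    """Return {container name: [reasons]} for containers whose configuration gives
    them control of the host: the Docker socket mounted in, the host root
    filesystem mounted in, or the privileged flag."""
    findings = {}
    for c in json.loads(inspect_json):
        reasons = []
        for m in c.get("Mounts", []):
            if m.get("Type") != "bind":
                continue  # named volumes live under /var/lib/docker, not in the host tree
            src = m.get("Source", "")
            if src in SENSITIVE_SOURCES:
                reasons.append(f"docker socket mounted at {m['Destination']}")
            elif src == "/":
                rw = "read-write" if m.get("RW") else "read-only"
                reasons.append(f"host root mounted {rw} at {m['Destination']}")
        if c.get("HostConfig", {}).get("Privileged"):
            reasons.append("privileged container")
        if reasons:
            findings[c["Name"].lstrip("/")] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in risky_mounts(SAMPLE_INSPECT).items():
        print(f"{name}: {'; '.join(reasons)}")
```

On a live host, the JSON array printed by `docker inspect $(docker ps -aq)` can be fed to `risky_mounts` in place of the constructed sample.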