Using Docker on the Debian operating system - rootless
Introduction
TODO
Preparation
Debian 13 is installed together with docker-ce from the vendor's repository; as of 2026-04-13 that is version 29.4 (the dockerd-rootless-setuptool.sh script used below ships in the docker-ce-rootless-extras package). The uidmap package provides the setuid helpers newuidmap and newgidmap that rootlesskit needs to set up the subordinate uid/gid ranges; bridge-utils is only needed for the brctl inspection further down
# apt-get install uidmap bridge-utils
# modprobe nf_tables
Then bring the machine into a state where the docker-ce software is installed but none of its processes are running, i.e. the system-wide (root) daemon and its socket are stopped and disabled
# systemctl disable --now docker.service docker.socket
# rm /var/run/docker.sock
# reboot
Using rootless docker
Log in to the system as the user itself (over ssh or on a console, not via 'su - kasutaja'), because the 'systemd --user' environment that the rootless daemon runs under depends on the session variables a proper login sets, e.g.
$ env | grep XDG
XDG_RUNTIME_DIR=/run/user/1000
Install, configure and start the rootless docker setup
kasutaja@dh-minio-01:~$ dockerd-rootless-setuptool.sh install
[INFO] Creating /home/kasutaja/.config/systemd/user/docker.service
[INFO] starting systemd service docker.service
+ systemctl --user start docker.service
+ sleep 3
+ systemctl --user --no-pager --full status docker.service
● docker.service - Docker Application Container Engine (Rootless)
Loaded: loaded (/home/kasutaja/.config/systemd/user/docker.service; disabled; preset: enabled)
Active: active (running) since Mon 2026-04-13 14:40:20 EEST; 3s ago
Invocation: 8f913ff96e234029b5789105d9cdeb2b
Docs: https://docs.docker.com/go/rootless/
Main PID: 963 (rootlesskit)
Tasks: 34
Memory: 148M (peak: 148.5M)
CPU: 279ms
CGroup: /user.slice/user-1000.slice/user@1000.service/app.slice/docker.service
├─ 963 rootlesskit --state-dir=/run/user/1000/dockerd-rootless --net=slirp4netns --mtu=65520 --slirp4netns-sandbox=auto --slirp4netns-seccomp=auto --disable-host-loopback --port-driver=builtin --copy-up=/etc --copy-up=/run --propagation=rslave /usr/bin/dockerd-rootless.sh
├─ 974 /proc/self/exe --state-dir=/run/user/1000/dockerd-rootless --net=slirp4netns --mtu=65520 --slirp4netns-sandbox=auto --slirp4netns-seccomp=auto --disable-host-loopback --port-driver=builtin --copy-up=/etc --copy-up=/run --propagation=rslave /usr/bin/dockerd-rootless.sh
├─ 995 slirp4netns --mtu 65520 -r 3 --disable-host-loopback --enable-sandbox --enable-seccomp 974 tap0
├─1003 dockerd
└─1024 containerd --config /run/user/1000/docker/containerd/containerd.toml
Apr 13 14:40:20 dh-minio-01 dockerd-rootless.sh[1003]: time="2026-04-13T14:40:20.010977863+03:00" level=warning msg="WARNING: No io.max (rbps) support"
Apr 13 14:40:20 dh-minio-01 dockerd-rootless.sh[1003]: time="2026-04-13T14:40:20.010983413+03:00" level=warning msg="WARNING: No io.max (wbps) support"
Apr 13 14:40:20 dh-minio-01 dockerd-rootless.sh[1003]: time="2026-04-13T14:40:20.010988243+03:00" level=warning msg="WARNING: No io.max (riops) support"
Apr 13 14:40:20 dh-minio-01 dockerd-rootless.sh[1003]: time="2026-04-13T14:40:20.010992940+03:00" level=warning msg="WARNING: No io.max (wiops) support"
Apr 13 14:40:20 dh-minio-01 dockerd-rootless.sh[1003]: time="2026-04-13T14:40:20.011008069+03:00" level=info msg="Docker daemon" commit=daa0cb7 containerd-snapshotter=true storage-driver=overlayfs version=29.4.0
Apr 13 14:40:20 dh-minio-01 dockerd-rootless.sh[1003]: time="2026-04-13T14:40:20.011096574+03:00" level=info msg="Initializing buildkit"
Apr 13 14:40:20 dh-minio-01 dockerd-rootless.sh[1003]: time="2026-04-13T14:40:20.147325130+03:00" level=info msg="Completed buildkit initialization"
Apr 13 14:40:20 dh-minio-01 dockerd-rootless.sh[1003]: time="2026-04-13T14:40:20.154119507+03:00" level=info msg="Daemon has completed initialization"
Apr 13 14:40:20 dh-minio-01 dockerd-rootless.sh[1003]: time="2026-04-13T14:40:20.154203253+03:00" level=info msg="API listen on /run/user/1000/docker.sock"
Apr 13 14:40:20 dh-minio-01 systemd[803]: Started docker.service - Docker Application Container Engine (Rootless).
+ DOCKER_HOST=unix:///run/user/1000/docker.sock /usr/bin/docker version
Client: Docker Engine - Community
Version: 29.4.0
API version: 1.54
Go version: go1.26.1
Git commit: 9d7ad9f
Built: Tue Apr 7 08:35:38 2026
OS/Arch: linux/amd64
Context: default
Server: Docker Engine - Community
Engine:
Version: 29.4.0
API version: 1.54 (minimum version 1.40)
Go version: go1.26.1
Git commit: daa0cb7
Built: Tue Apr 7 08:35:38 2026
OS/Arch: linux/amd64
Experimental: false
containerd:
Version: v2.2.2
GitCommit: 301b2dac98f15c27117da5c8af12118a041a31d9
runc:
Version: 1.3.4
GitCommit: v1.3.4-0-gd6d73eb8
docker-init:
Version: 0.19.0
GitCommit: de40ad0
rootlesskit:
Version: 2.3.6
ApiVersion: 1.1.1
NetworkDriver: slirp4netns
PortDriver: builtin
StateDir: /run/user/1000/dockerd-rootless
slirp4netns:
Version: 1.2.1
GitCommit: 09e31e92fa3d2a1d3ca261adaeb012c8d75a8194
+ systemctl --user enable docker.service
Created symlink '/home/kasutaja/.config/systemd/user/default.target.wants/docker.service' → '/home/kasutaja/.config/systemd/user/docker.service'.
[INFO] Installed docker.service successfully.
[INFO] To control docker.service, run: `systemctl --user (start|stop|restart) docker.service`
[INFO] To run docker.service on system startup, run: `sudo loginctl enable-linger kasutaja`
[INFO] Creating CLI context "rootless"
Successfully created context "rootless"
[INFO] Using CLI context "rootless"
Current context is now "rootless"
[INFO] Make sure the following environment variable(s) are set (or add them to ~/.bashrc):
export PATH=/usr/bin:$PATH
[INFO] Some applications may require the following environment variable too:
export DOCKER_HOST=unix:///run/user/1000/docker.sock
Usage
Starting a rootless container needs nothing special, the usual command works
kasutaja@dh-minio-01:~$ docker run -d --rm --name nginx-01 -p 8081:80 nginx
which results in the following processes
kasutaja@dh-minio-01:~$ ps auxf | egrep "kasutaja|nginx"
root 2081 0.0 0.2 19784 12876 ? Ss 14:53 0:00 \_ sshd-session: kasutaja [priv]
kasutaja 2102 0.2 0.1 19944 7420 ? S 14:53 0:00 \_ sshd-session: kasutaja@pts/0
kasutaja 2161 0.0 0.0 9080 5884 pts/0 Ss 14:53 0:00 \_ -bash
kasutaja 2490 0.0 0.0 9936 4680 pts/0 R+ 14:54 0:00 \_ ps auxf
kasutaja 2491 0.0 0.0 6520 2296 pts/0 S+ 14:54 0:00 \_ grep -E kasutaja|nginx
kasutaja 2086 0.1 0.2 22160 12324 ? Ss 14:53 0:00 /usr/lib/systemd/systemd --user
kasutaja 2088 0.0 0.0 24620 3844 ? S 14:53 0:00 \_ (sd-pam)
kasutaja 2097 0.0 0.2 1713992 17724 ? Ssl 14:53 0:00 \_ rootlesskit --state-dir=/run/user/1000/dockerd-rootless --net=slirp4netns --mtu=65520 --slirp4netns-sandbox=auto --slirp4netns-seccomp=auto --disable-host-loopback --port-driver=builtin --copy-up=/etc --copy-up=/run --propagation=rslave /usr/bin/dockerd-rootless.sh
kasutaja 2113 0.0 0.2 1935188 14796 ? Sl 14:53 0:00 | \_ /proc/self/exe --state-dir=/run/user/1000/dockerd-rootless --net=slirp4netns --mtu=65520 --slirp4netns-sandbox=auto --slirp4netns-seccomp=auto --disable-host-loopback --port-driver=builtin --copy-up=/etc --copy-up=/run --propagation=rslave /usr/bin/dockerd-rootless.sh
kasutaja 2140 0.2 1.4 2094264 89080 ? Sl 14:53 0:00 | | \_ dockerd
kasutaja 2166 0.2 0.9 1793652 54648 ? Ssl 14:53 0:00 | | \_ containerd --config /run/user/1000/docker/containerd/containerd.toml
kasutaja 2439 0.0 0.1 1599260 6548 ? Sl 14:53 0:00 | | \_ /usr/bin/docker-proxy -proto tcp -host-ip 127.0.0.1 -host-port 8081 -container-ip 172.17.0.2 -container-port 80 -use-listen-fd
kasutaja 2445 0.0 0.1 1746724 6632 ? Sl 14:53 0:00 | | \_ /usr/bin/docker-proxy -proto tcp -host-ip ::1 -host-port 8081 -container-ip 172.17.0.2 -container-port 80 -use-listen-fd
kasutaja 2132 0.0 0.0 6160 3404 ? S 14:53 0:00 | \_ slirp4netns --mtu 65520 -r 3 --disable-host-loopback --enable-sandbox --enable-seccomp 2113 tap0
kasutaja 2389 0.0 0.2 1235348 12708 ? Sl 14:53 0:00 \_ /usr/bin/containerd-shim-runc-v2 -namespace moby -id 9bb6eeb480cef2ad0971629fa6720c3664b2185e8a83babdd7dd214321cc3449 -address /run/user/1000/docker/containerd/containerd.sock
kasutaja 2416 0.0 0.1 14860 8892 ? Ss 14:53 0:00 | \_ nginx: master process nginx -g daemon off;
100100 2486 0.0 0.0 15316 3888 ? S 14:53 0:00 | \_ nginx: worker process
100100 2487 0.0 0.0 15316 3832 ? S 14:53 0:00 | \_ nginx: worker process
kasutaja 2408 0.0 0.0 8196 4512 ? Ss 14:53 0:00 \_ /usr/bin/dbus-daemon --session --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only
where
- dockerd and the other daemon processes are owned by the user 'kasutaja'
- a process that runs as root inside the container is owned on the host by the user 'kasutaja' (container uid 0 is mapped to the login uid 1000)
- a process that runs as an unprivileged user inside the container shows up on the host with a uid from the subordinate range, here uid=100100 for the nginx workers (uid 101 inside the container; with the mapping below container uid N maps to host uid 100000+N-1)
- the listening socket on the host belongs to the rootlesskit process; the relaying of traffic between the host and the container network is done by the slirp4netns process
The subordinate uid/gid ranges are set up by uidmap (newuidmap/newgidmap) from the entries in /etc/subuid and /etc/subgid
kasutaja@dh-minio-01:~$ cat /etc/subuid /etc/subgid
kasutaja:100000:65536
kasutaja:100000:65536
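To make the uid mapping above mechanical, here is an added shell example (not from the original page): it translates a uid inside the container to the host uid using the uid_map that rootlesskit writes, and wraps the docker inspect / nsenter calls that this page does by hand with fixed PIDs. The sample uid_map is constructed from the subuid line above; the container name nginx-01 and uid 101 (the nginx user in the official image) are the example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the original page: inspect a rootless container from
# the host - its host PID, the uid map of the user namespace it runs in, and the
# host uid that a uid inside the container corresponds to.

# Constructed copy of /proc/<pid>/uid_map as rootlesskit sets it up for host
# user 1000 with the range kasutaja:100000:65536 from /etc/subuid above.
# Columns: <first uid inside the namespace> <first uid on the host> <count>
SAMPLE_UID_MAP='         0       1000          1
         1     100000      65536'

# map_uid UID_MAP NS_UID -> host uid for NS_UID; prints "unmapped" and returns 1
# when the uid falls outside every range (such a uid shows on the host as the
# overflow uid, normally 65534/nobody)
map_uid() {
    printf '%s\n' "$1" | awk -v u="$2" '
        NF == 3 && u >= $1 && u < $1 + $3 { print $2 + (u - $1); found = 1; exit }
        END { if (!found) { print "unmapped"; exit 1 } }'
}

# container_pid NAME -> host PID of the container's init process (in rootless
# mode dockerd runs in the host pid namespace, so the value works with nsenter)
container_pid() {
    docker inspect -f '{{.State.Pid}}' "$1"
}

# container_host_uid NAME NS_UID -> host uid for NS_UID inside container NAME,
# taken from the live uid_map of its init process
container_host_uid() {
    pid=$(container_pid "$1") || return 1
    map_uid "$(cat "/proc/$pid/uid_map")" "$2"
}

# container_netns NAME CMD... -> run CMD in the container's user and network
# namespaces; this is what the nsenter -U -n -t <pid> calls on this page do by hand
container_netns() {
    pid=$(container_pid "$1") || return 1
    shift
    nsenter -U -n -t "$pid" "$@"
}

# usage: container_host_uid nginx-01 101   (nginx worker uid 101 -> 100100)
#        container_netns nginx-01 ip addr
```

map_uid works on the text of uid_map alone, so it can also be pointed at /proc/<pid>/uid_map of the rootlesskit process itself or at a map copied from another host; the same arithmetic applies to gid_map.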
The published port is handled by the rootlesskit process (its builtin port driver): the socket that listens on the host belongs to rootlesskit, not to dockerd, and the docker-proxy processes seen above bind only inside the namespace
kasutaja@dh-minio-01:~$ netstat -lnpt
...
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:8081            0.0.0.0:*               LISTEN      963/rootlesskit
tcp6       0      0 :::22                   :::*                    LISTEN      -
tcp6       0      0 :::8081                 :::*                    LISTEN      963/rootlesskit
Inside the container there is an ordinary L2 network interface (one end of a veth pair; the other end sits in the rootlesskit network namespace, not on the host)
kasutaja@dh-minio-01:~$ docker exec -ti nginx-01 ip addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host proto kernel_lo
valid_lft forever preferred_lft forever
2: eth0@if6: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
link/ether ee:7a:2f:a7:a8:85 brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet 172.17.0.2/16 brd 172.17.255.255 scope global eth0
valid_lft forever preferred_lft forever
On the host itself there is no L2 bridge (docker0 exists only inside the rootlesskit network namespace)
root@dh-minio-01:~# brctl show
root@dh-minio-01:~#
Evidence that traffic between the container and the outside world passes through the slirp4netns process, captured while pinging 8.8.8.8 from the container: slirp4netns reads the Ethernet frame from the tap device (fd 6), re-sends the ICMP echo from the host side through an unprivileged ICMP datagram socket (socket(AF_INET, SOCK_DGRAM, IPPROTO_ICMP), so no raw socket and no root is needed) and writes the reply back into the tap device as a frame
root@dh-minio-01:~# strace -p 2132
strace: Process 2132 attached
restart_syscall(<... resuming interrupted poll ...>) = 0
poll([{fd=6, events=POLLIN|POLLHUP}], 1, 1000) = 0 (Timeout)
poll([{fd=6, events=POLLIN|POLLHUP}], 1, 1000) = 0 (Timeout)
poll([{fd=6, events=POLLIN|POLLHUP}], 1, 1000) = 0 (Timeout)
poll([{fd=6, events=POLLIN|POLLHUP}], 1, 1000) = 0 (Timeout)
poll([{fd=6, events=POLLIN|POLLHUP}], 1, 1000) = 0 (Timeout)
poll([{fd=6, events=POLLIN|POLLHUP}], 1, 1000) = 0 (Timeout)
poll([{fd=6, events=POLLIN|POLLHUP}], 1, 1000) = 0 (Timeout)
poll([{fd=6, events=POLLIN|POLLHUP}], 1, 1000) = 1 ([{fd=6, revents=POLLIN}])
read(6, "RU\n\0\2\2\2565a\276^!\10\0E\0\0T\211\355@\0?\1\225H\n\0\2d\10\10"..., 65536) = 98
socket(AF_INET, SOCK_DGRAM|SOCK_CLOEXEC, IPPROTO_ICMP) = 3
sendto(3, "\10\0I\304\0z\0\1\377\332\334i\0\0\0\0\4\251\16\0\0\0\0\0\20\21\22\23\24\25\26\27"..., 64, 0, {sa_family=AF_INET, sin_port=htons(0), sin_addr=inet_addr("8.8.8.8")}, 16) = 64
poll([{fd=6, events=POLLIN|POLLHUP}, {fd=3, events=POLLIN|POLLERR|POLLHUP}], 2, 499) = 1 ([{fd=3, revents=POLLIN}])
recvfrom(3, "\0\0R:\0\4\0\1\377\332\334i\0\0\0\0\4\251\16\0\0\0\0\0\20\21\22\23\24\25\26\27"..., 65500, 0, NULL, NULL) = 64
write(6, "\2565a\276^!RU\n\0\2\2\10\0E\0\0T\v\22@\0\377\1T#\10\10\10\10\n\0"..., 98) = 98
close(3) = 0
poll([{fd=6, events=POLLIN|POLLHUP}], 1, 1000) = 1 ([{fd=6, revents=POLLIN}])
read(6, "RU\n\0\2\2\2565a\276^!\10\0E\0\0T\212&@\0?\1\225\17\n\0\2d\10\10"..., 65536) = 98
socket(AF_INET, SOCK_DGRAM|SOCK_CLOEXEC, IPPROTO_ICMP) = 3
sendto(3, "\10\0\20\276\0z\0\2\0\333\334i\0\0\0\0<\256\16\0\0\0\0\0\20\21\22\23\24\25\26\27"..., 64, 0, {sa_family=AF_INET, sin_port=htons(0), sin_addr=inet_addr("8.8.8.8")}, 16) = 64
poll([{fd=6, events=POLLIN|POLLHUP}, {fd=3, events=POLLIN|POLLERR|POLLHUP}], 2, 499) = 1 ([{fd=3, revents=POLLIN}])
recvfrom(3, "\0\0\0313\0\5\0\2\0\333\334i\0\0\0\0<\256\16\0\0\0\0\0\20\21\22\23\24\25\26\27"..., 65500, 0, NULL, NULL) = 64
write(6, "\2565a\276^!RU\n\0\2\2\10\0E\0\0T\v\23@\0\377\1T\"\10\10\10\10\n\0"..., 98) = 98
close(3) = 0
poll([{fd=6, events=POLLIN|POLLHUP}], 1, 1000) = 0 (Timeout)
poll([{fd=6, events=POLLIN|POLLHUP}], 1, 1000^Cstrace: Process 2132 detached
Passt
root@dh-minio-01:~# apt-get install passt
and, as the user, create the drop-in file below (pasta is the namespace mode of passt; rootlesskit calls the net driver 'pasta')
kasutaja@dh-minio-01:~$ cat ~/.config/systemd/user/docker.service.d/override.conf
[Service]
# This tells the RootlessKit manager to use pasta instead of slirp4netns
Environment="DOCKERD_ROOTLESS_ROOTLESSKIT_NET=pasta"
Environment="DOCKER_IGNORE_BR_NETFILTER_ERROR=1"
and apply the change
kasutaja@dh-minio-01:~$ systemctl --user daemon-reload
kasutaja@dh-minio-01:~$ systemctl --user restart docker.service
The resulting processes; note that rootlesskit now runs with --net=pasta and --port-driver=implicit, pasta is started with --tcp-ports=auto --udp-ports=auto (it forwards the published ports itself), and the docker-proxy processes bind 0.0.0.0 and :: instead of 127.0.0.1 and ::1
kasutaja@dh-minio-01:~$ ps auxf | egrep "kasutaja|1001"
root 10035 0.0 0.2 19784 12796 ? Ss 16:16 0:00 \_ sshd-session: kasutaja [priv]
kasutaja 10042 0.1 0.1 19944 7516 ? S 16:16 0:00 \_ sshd-session: kasutaja@pts/0
kasutaja 10043 0.0 0.0 9080 5968 pts/0 Ss 16:16 0:00 \_ -bash
kasutaja 10233 0.0 0.0 9936 4620 pts/0 R+ 16:17 0:00 \_ ps auxf
kasutaja 10234 0.0 0.0 6520 2236 pts/0 S+ 16:17 0:00 \_ grep -E kasutaja|1001
kasutaja 4722 0.0 0.2 22152 12256 ? Ss 15:10 0:00 /usr/lib/systemd/systemd --user
kasutaja 4724 0.0 0.0 24620 3836 ? S 15:10 0:00 \_ (sd-pam)
kasutaja 4733 0.0 0.2 1787724 15524 ? Ssl 15:10 0:00 \_ rootlesskit --state-dir=/run/user/1000/dockerd-rootless --net=pasta --mtu=65520 --slirp4netns-sandbox=auto --slirp4netns-seccomp=auto --disable-host-loopback --port-driver=implicit --copy-up=/etc --copy-up=/run --propagation=rslave /usr/bin/dockerd-rootless.sh
kasutaja 4748 0.0 0.2 1640260 14040 ? Sl 15:10 0:00 | \_ /proc/self/exe --state-dir=/run/user/1000/dockerd-rootless --net=pasta --mtu=65520 --slirp4netns-sandbox=auto --slirp4netns-seccomp=auto --disable-host-loopback --port-driver=implicit --copy-up=/etc --copy-up=/run --propagation=rslave /usr/bin/dockerd-rootless.sh
kasutaja 4779 0.0 1.5 2094264 91884 ? Sl 15:10 0:00 | \_ dockerd
kasutaja 4798 0.0 0.8 1793652 52500 ? Ssl 15:10 0:03 | \_ containerd --config /run/user/1000/docker/containerd/containerd.toml
kasutaja 10145 0.0 0.1 1599260 6520 ? Sl 16:16 0:00 | \_ /usr/bin/docker-proxy -proto tcp -host-ip 0.0.0.0 -host-port 8081 -container-ip 172.17.0.2 -container-port 80 -use-listen-fd
kasutaja 10151 0.0 0.1 1672992 8580 ? Sl 16:16 0:00 | \_ /usr/bin/docker-proxy -proto tcp -host-ip :: -host-port 8081 -container-ip 172.17.0.2 -container-port 80 -use-listen-fd
kasutaja 4776 0.1 0.3 206232 23952 ? Ss 15:10 0:07 \_ pasta --stderr --ns-ifname=tap0 --mtu=65520 --config-net --address=10.0.2.100 --netmask=24 --gateway=10.0.2.2 --dns-forward=10.0.2.3 --no-map-gw --ipv4-only --tcp-ports=auto --udp-ports=auto --host-lo-to-ns-lo 4748
kasutaja 10101 0.0 0.2 1235348 14480 ? Sl 16:16 0:00 \_ /usr/bin/containerd-shim-runc-v2 -namespace moby -id fa0f7f85c8ee30f73f4b3e6acf818d0adaf3e75192f8122119fbc5cce3c8b848 -address /run/user/1000/docker/containerd/containerd.sock
kasutaja 10129 0.0 0.1 14860 8968 ? Ss 16:16 0:00 | \_ nginx: master process nginx -g daemon off;
100100 10187 0.0 0.0 15316 4004 ? S 16:16 0:00 | \_ nginx: worker process
100100 10188 0.0 0.0 15316 3948 ? S 16:16 0:00 | \_ nginx: worker process
kasutaja 10121 0.0 0.0 8196 4520 ? Ss 16:16 0:00 \_ /usr/bin/dbus-daemon --session --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only
Network
In the rootless docker setup with two containers running, the set of namespaces looks like this (lsns run as the unprivileged user only lists the namespaces of that user's own processes)
kasutaja@dh-minio-01:~$ lsns
NS TYPE NPROCS PID USER COMMAND
4026531834 time 15 15754 kasutaja rootlesskit --state-dir=/run/user/1000/dockerd-rootless --net=pasta --mtu=65520 --slirp4netns-sandbox=auto --slirp4netns-seccomp=auto --disable-host-loopback --port-driver=implicit --copy-up=/etc --copy-up=/run --propagation=rslave /usr/bin/dockerd-rootless.sh
4026531835 cgroup 9 15754 kasutaja rootlesskit --state-dir=/run/user/1000/dockerd-rootless --net=pasta --mtu=65520 --slirp4netns-sandbox=auto --slirp4netns-seccomp=auto --disable-host-loopback --port-driver=implicit --copy-up=/etc --copy-up=/run --propagation=rslave /usr/bin/dockerd-rootless.sh
4026531836 pid 9 15754 kasutaja rootlesskit --state-dir=/run/user/1000/dockerd-rootless --net=pasta --mtu=65520 --slirp4netns-sandbox=auto --slirp4netns-seccomp=auto --disable-host-loopback --port-driver=implicit --copy-up=/etc --copy-up=/run --propagation=rslave /usr/bin/dockerd-rootless.sh
4026531837 user 4 15754 kasutaja rootlesskit --state-dir=/run/user/1000/dockerd-rootless --net=pasta --mtu=65520 --slirp4netns-sandbox=auto --slirp4netns-seccomp=auto --disable-host-loopback --port-driver=implicit --copy-up=/etc --copy-up=/run --propagation=rslave /usr/bin/dockerd-rootless.sh
4026531838 uts 9 15754 kasutaja rootlesskit --state-dir=/run/user/1000/dockerd-rootless --net=pasta --mtu=65520 --slirp4netns-sandbox=auto --slirp4netns-seccomp=auto --disable-host-loopback --port-driver=implicit --copy-up=/etc --copy-up=/run --propagation=rslave /usr/bin/dockerd-rootless.sh
4026531839 ipc 9 15754 kasutaja rootlesskit --state-dir=/run/user/1000/dockerd-rootless --net=pasta --mtu=65520 --slirp4netns-sandbox=auto --slirp4netns-seccomp=auto --disable-host-loopback --port-driver=implicit --copy-up=/etc --copy-up=/run --propagation=rslave /usr/bin/dockerd-rootless.sh
4026531840 net 4 15754 kasutaja rootlesskit --state-dir=/run/user/1000/dockerd-rootless --net=pasta --mtu=65520 --slirp4netns-sandbox=auto --slirp4netns-seccomp=auto --disable-host-loopback --port-driver=implicit --copy-up=/etc --copy-up=/run --propagation=rslave /usr/bin/dockerd-rootless.sh
4026531841 mnt 4 15754 kasutaja rootlesskit --state-dir=/run/user/1000/dockerd-rootless --net=pasta --mtu=65520 --slirp4netns-sandbox=auto --slirp4netns-seccomp=auto --disable-host-loopback --port-driver=implicit --copy-up=/etc --copy-up=/run --propagation=rslave /usr/bin/dockerd-rootless.sh
4026532408 user 11 15768 kasutaja ├─/proc/self/exe --state-dir=/run/user/1000/dockerd-rootless --net=pasta --mtu=65520 --slirp4netns-sandbox=auto --slirp4netns-seccomp=auto --disable-host-loopback --port-driver=implicit --copy-up=/etc --copy-up=/run --propagation=rslave /usr/bin/dockerd-rootless.sh
4026532409 mnt 5 15768 kasutaja ├─/proc/self/exe --state-dir=/run/user/1000/dockerd-rootless --net=pasta --mtu=65520 --slirp4netns-sandbox=auto --slirp4netns-seccomp=auto --disable-host-loopback --port-driver=implicit --copy-up=/etc --copy-up=/run --propagation=rslave /usr/bin/dockerd-rootless.sh
4026532410 net 5 15768 kasutaja └─/proc/self/exe --state-dir=/run/user/1000/dockerd-rootless --net=pasta --mtu=65520 --slirp4netns-sandbox=auto --slirp4netns-seccomp=auto --disable-host-loopback --port-driver=implicit --copy-up=/etc --copy-up=/run --propagation=rslave /usr/bin/dockerd-rootless.sh
4026532479 mnt 3 16608 kasutaja nginx: master process nginx -g daemon off;
4026532480 uts 3 16608 kasutaja nginx: master process nginx -g daemon off;
4026532481 ipc 3 16608 kasutaja nginx: master process nginx -g daemon off;
4026532482 pid 3 16608 kasutaja nginx: master process nginx -g daemon off;
4026532483 cgroup 3 16608 kasutaja nginx: master process nginx -g daemon off;
4026532484 net 3 16608 kasutaja nginx: master process nginx -g daemon off;
4026532544 mnt 3 23027 kasutaja nginx: master process nginx -g daemon off;
4026532545 uts 3 23027 kasutaja nginx: master process nginx -g daemon off;
4026532546 ipc 3 23027 kasutaja nginx: master process nginx -g daemon off;
4026532547 pid 3 23027 kasutaja nginx: master process nginx -g daemon off;
4026532548 cgroup 3 23027 kasutaja nginx: master process nginx -g daemon off;
4026532549 net 3 23027 kasutaja nginx: master process nginx -g daemon off;
host namespace
kasutaja@dh-minio-01:~$ ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host noprefixroute
valid_lft forever preferred_lft forever
2: ens18: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether bc:24:11:c5:4e:17 brd ff:ff:ff:ff:ff:ff
altname enp6s18
altname enxbc2411c54e17
inet 192.168.10.163/24 brd 192.168.10.255 scope global ens18
valid_lft forever preferred_lft forever
inet6 fe80::be24:11ff:fec5:4e17/64 scope link proto kernel_ll
valid_lft forever preferred_lft forever
kasutaja@dh-minio-01:~$ ip route
default via 192.168.10.254 dev ens18 onlink
192.168.10.0/24 dev ens18 proto kernel scope link src 192.168.10.163
pasta namespace
kasutaja@dh-minio-01:~$ nsenter -U -n -t 15768 ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host proto kernel_lo
valid_lft forever preferred_lft forever
2: tap0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 65520 qdisc fq_codel state UNKNOWN group default qlen 1000
link/ether fe:52:03:ef:e5:0f brd ff:ff:ff:ff:ff:ff
inet 10.0.2.100/24 scope global tap0
valid_lft forever preferred_lft forever
inet6 fe80::fc52:3ff:feef:e50f/64 scope link proto kernel_ll
valid_lft forever preferred_lft forever
3: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
link/ether e6:f7:d8:4b:59:9c brd ff:ff:ff:ff:ff:ff
inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
valid_lft forever preferred_lft forever
inet6 fe80::e4f7:d8ff:fe4b:599c/64 scope link proto kernel_ll
valid_lft forever preferred_lft forever
4: vethb88b18b@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP group default
link/ether ea:79:83:7c:15:6f brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet6 fe80::e879:83ff:fe7c:156f/64 scope link proto kernel_ll
valid_lft forever preferred_lft forever
5: veth5786bb7@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP group default
link/ether 2a:51:db:41:49:c2 brd ff:ff:ff:ff:ff:ff link-netnsid 1
inet6 fe80::2851:dbff:fe41:49c2/64 scope link proto kernel_ll
valid_lft forever preferred_lft forever
container nginx-01 namespace
kasutaja@dh-minio-01:~$ nsenter -U -n -t 16608 ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host proto kernel_lo
valid_lft forever preferred_lft forever
2: eth0@if4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
link/ether ce:b1:f5:5e:e5:e4 brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet 172.17.0.2/16 brd 172.17.255.255 scope global eth0
valid_lft forever preferred_lft forever
kasutaja@dh-minio-01:~$ nsenter -U -n -t 16608 ip route
default via 172.17.0.1 dev eth0
172.17.0.0/16 dev eth0 proto kernel scope link src 172.17.0.2
container nginx-02 namespace
kasutaja@dh-minio-01:~$ nsenter -U -n -t 23027 ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host proto kernel_lo
valid_lft forever preferred_lft forever
2: eth0@if5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
link/ether ae:0a:ff:8d:f6:c6 brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet 172.17.0.3/16 brd 172.17.255.255 scope global eth0
valid_lft forever preferred_lft forever
kasutaja@dh-minio-01:~$ nsenter -U -n -t 23027 ip route
default via 172.17.0.1 dev eth0
172.17.0.0/16 dev eth0 proto kernel scope link src 172.17.0.3
The pasta namespace carries its own netfilter rule set, written by dockerd, which handles port publishing and masquerading (the nat table below) and the isolation between Docker networks (in the filter table, not shown here), e.g.
kasutaja@dh-minio-01:~$ nsenter -U -n -t 15768 /usr/sbin/iptables -L -n -v -t nat
Chain PREROUTING (policy ACCEPT 18 packets, 1272 bytes)
pkts bytes target prot opt in out source destination
21 1296 DOCKER all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type LOCAL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 23 packets, 1463 bytes)
pkts bytes target prot opt in out source destination
0 0 DOCKER all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type LOCAL
Chain POSTROUTING (policy ACCEPT 27 packets, 1551 bytes)
pkts bytes target prot opt in out source destination
1 40 MASQUERADE all -- * br-808f8c849550 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match src-type LOCAL
0 0 MASQUERADE all -- * !br-808f8c849550 172.20.0.0/16 0.0.0.0/0
3 208 MASQUERADE all -- * br-9cca8bde00d9 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match src-type LOCAL
7 420 MASQUERADE all -- * !br-9cca8bde00d9 172.19.0.0/16 0.0.0.0/0
3 208 MASQUERADE all -- * br-5786280ad47d 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match src-type LOCAL
3 180 MASQUERADE all -- * !br-5786280ad47d 172.18.0.0/16 0.0.0.0/0
0 0 MASQUERADE all -- * docker0 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match src-type LOCAL
0 0 MASQUERADE all -- * !docker0 172.17.0.0/16 0.0.0.0/0
0 0 MASQUERADE tcp -- * * 172.17.0.2 172.17.0.2 tcp dpt:80
0 0 MASQUERADE tcp -- * * 172.17.0.3 172.17.0.3 tcp dpt:80
0 0 MASQUERADE tcp -- * * 172.18.0.2 172.18.0.2 tcp dpt:80
0 0 MASQUERADE tcp -- * * 172.18.0.3 172.18.0.3 tcp dpt:80
0 0 MASQUERADE tcp -- * * 172.19.0.2 172.19.0.2 tcp dpt:80
0 0 MASQUERADE tcp -- * * 172.19.0.3 172.19.0.3 tcp dpt:80
0 0 MASQUERADE tcp -- * * 172.20.0.2 172.20.0.2 tcp dpt:80
0 0 MASQUERADE tcp -- * * 172.20.0.3 172.20.0.3 tcp dpt:80
Chain DOCKER (2 references)
pkts bytes target prot opt in out source destination
2 96 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8081 to:172.17.0.2:80
4 192 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8082 to:172.17.0.3:80
0 0 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8091 to:172.18.0.2:80
0 0 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8092 to:172.18.0.3:80
0 0 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8072 to:172.19.0.2:80
3 144 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8071 to:172.19.0.3:80
4 192 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8061 to:172.20.0.2:80
0 0 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8062 to:172.20.0.3:80
If the packet filter is opened up, the containers of one docker-compose project can reach the containers of another. The quickest demonstration is to flush every chain in the namespace; this also removes the DNAT rules for the published ports and the MASQUERADE rules, so it is a demonstration rather than a configuration (dockerd recreates its rules when restarted)
kasutaja@dh-minio-01:~$ nsenter -U -n -t 15768 /usr/sbin/iptables -F -t raw
kasutaja@dh-minio-01:~$ nsenter -U -n -t 15768 /usr/sbin/iptables -F -t nat
kasutaja@dh-minio-01:~$ nsenter -U -n -t 15768 /usr/sbin/iptables -F -t filter
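A targeted alternative to flushing, as an added example that is not part of the original page: two ACCEPT rules in the DOCKER-USER chain of the pasta namespace, between the two project bridges. It assumes that dockerd created the DOCKER-USER chain in that namespace (it does wherever it manages iptables), that rootlesskit's state directory contains the file child_pid (the PID used with nsenter above), and that bridges are named br- followed by the first 12 characters of the network ID (Docker's default naming for user-defined networks). The network names compose1_default and compose2_default are placeholders.

```shell
#!/bin/sh
# Added example, not from the original page: let two Docker networks talk to
# each other inside the rootless (pasta) network namespace with two targeted
# rules instead of flushing every table.
# Assumptions: dockerd created the DOCKER-USER chain in that namespace, and
# rootlesskit's state dir contains child_pid (the PID used with nsenter above).

STATE_DIR="${XDG_RUNTIME_DIR:-/run/user/$(id -u)}/dockerd-rootless"

# bridge_name NETWORK_ID -> the bridge Docker creates for a user-defined
# network: "br-" followed by the first 12 characters of the network ID
bridge_name() {
    printf 'br-%s\n' "$(printf '%s' "$1" | cut -c1-12)"
}

# allow_rules BR_A BR_B -> prints the two iptables commands that accept
# forwarding between the bridges. DOCKER-USER is consulted before Docker's own
# isolation rules, and dockerd leaves rules placed there alone.
allow_rules() {
    printf '/usr/sbin/iptables -I DOCKER-USER -i %s -o %s -j ACCEPT\n' "$1" "$2"
    printf '/usr/sbin/iptables -I DOCKER-USER -i %s -o %s -j ACCEPT\n' "$2" "$1"
}

# apply_allow NET_A NET_B -> resolves both network IDs and runs the rules in the
# user+net namespace of rootlesskit's child, where docker0 and the br-* bridges
# live (the namespace entered above with nsenter -U -n -t 15768)
apply_allow() {
    id_a=$(docker network inspect -f '{{.Id}}' "$1") || return 1
    id_b=$(docker network inspect -f '{{.Id}}' "$2") || return 1
    pid=$(cat "$STATE_DIR/child_pid") || return 1
    allow_rules "$(bridge_name "$id_a")" "$(bridge_name "$id_b")" |
        nsenter -U -n -t "$pid" sh -es
}

# usage (network names are placeholders):
#   apply_allow compose1_default compose2_default
```

The rules are inserted at the top of DOCKER-USER, so they win over the isolation rules dockerd keeps in its own chains, and they are not touched when dockerd rewrites those chains; they still live only in the namespace and disappear with it when the rootless daemon is restarted.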
Privileges work like this: root can enter any namespace, with or without joining the user namespace first
root@dh-minio-01:~# nsenter -n -t 15768 id
uid=0(root) gid=0(root) groups=0(root)
root@dh-minio-01:~# nsenter -U -n -t 15768 id
uid=0(root) gid=0(root) groups=0(root)
An unprivileged user can enter the namespaces through the user namespace they own (the 'root' reported below is uid 0 inside that user namespace, i.e. host uid 1000), but cannot join the network namespace directly while staying in the host's user namespace, because that would require CAP_SYS_ADMIN there
kasutaja@dh-minio-01:~$ nsenter -U -n -t 15768 id
uid=0(root) gid=0(root) groups=0(root)
kasutaja@dh-minio-01:~$ nsenter -n -t 15768 id
nsenter: reassociate to namespaces failed: Operation not permitted
Bridges as seen inside the pasta namespace
kasutaja@dh-minio-01:~$ nsenter -U -n -t 15768 ip link show type bridge
3: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default
link/ether e6:f7:d8:4b:59:9c brd ff:ff:ff:ff:ff:ff
11: br-5786280ad47d: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default
link/ether 96:33:1b:18:82:8a brd ff:ff:ff:ff:ff:ff
18: br-9cca8bde00d9: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default
link/ether 76:d7:dc:67:ef:43 brd ff:ff:ff:ff:ff:ff
21: br-808f8c849550: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default
link/ether 96:ee:39:2f:8d:0b brd ff:ff:ff:ff:ff:ff
kasutaja@dh-minio-01:~$ nsenter -U -n -t 15768 /usr/sbin/brctl show
bridge name bridge id STP enabled interfaces
docker0 8000.e6f7d84b599c no vethb88b18b
veth5786bb7
br-5786280ad47d 8000.96331b18828a no vethe3d7dd9
veth5e843a2
br-9cca8bde00d9 8000.76d7dc67ef43 no vethd3e7d96
veth55afbda
br-808f8c849550 8000.96ee392f8d0b no vethfcc2787
vethd6b5458
Misc
imre@ubu2110:~$ lsns --tree
NS TYPE NPROCS PID USER COMMAND
4026531837 user 61 1982 imre /usr/bin/pipewire
├─4026531834 time 81 1982 imre /usr/bin/pipewire
├─4026531835 cgroup 81 1982 imre /usr/bin/pipewire
├─4026531836 pid 61 1982 imre /usr/bin/pipewire
├─4026531838 uts 81 1982 imre /usr/bin/pipewire
├─4026531839 ipc 81 1982 imre /usr/bin/pipewire
├─4026531840 net 61 1982 imre /usr/bin/pipewire
├─4026531841 mnt 81 1982 imre /usr/bin/pipewire
└─4026532517 user 0 imre
├─4026532515 pid 2 2736 imre /opt/google/chrome/chrome --type=zygote --crashpad-handler-pid=2727 --enable-crash-reporter=c0209cda-d9e4-46e3-a2f0-6200fcf40683, --change-stack-gua
├─4026532516 net 20 2736 imre /opt/google/chrome/chrome --type=zygote --crashpad-handler-pid=2727 --enable-crash-reporter=c0209cda-d9e4-46e3-a2f0-6200fcf40683, --change-stack-gua
└─4026532586 user 20 2736 imre /opt/google/chrome/chrome --type=zygote --crashpad-handler-pid=2727 --enable-crash-reporter=c0209cda-d9e4-46e3-a2f0-6200fcf40683, --change-stack-gua
├─4026532587 pid 1 2775 imre /opt/google/chrome/chrome --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --crashpad-hand
├─4026532588 pid 1 3402 imre /opt/google/chrome/chrome --type=renderer --crashpad-handler-pid=2727 --enable-crash-reporter=c0209cda-d9e4-46e3-a2f0-6200fcf40683, --change-stack-g
├─4026532589 pid 1 3419 imre /opt/google/chrome/chrome --type=renderer --crashpad-handler-pid=2727 --enable-crash-reporter=c0209cda-d9e4-46e3-a2f0-6200fcf40683, --change-stack-g
├─4026532590 pid 1 2861 imre /opt/google/chrome/chrome --type=renderer --crashpad-handler-pid=2727 --enable-crash-reporter=c0209cda-d9e4-46e3-a2f0-6200fcf40683, --change-stack-g
├─4026532593 pid 1 3371 imre /opt/google/chrome/chrome --type=renderer --crashpad-handler-pid=2727 --enable-crash-reporter=c0209cda-d9e4-46e3-a2f0-6200fcf40683, --change-stack-g
├─4026532594 pid 1 3436 imre /opt/google/chrom ....
imre@ubu2110:~$ nsenter -U -n -t 1982 bash
nsenter: reassociate to namespace 'ns/user' failed: Invalid argument
root@ubu2110:~# nsenter -n -t 1982 bash
root@ubu2110:~#
imre@ubu2110:~$ nsenter -U -n -t 2736 bash
nsenter: reassociate to namespace 'ns/net' failed: Operation not permitted
root@ubu2110:~# nsenter -p -n -t 2736 bash
root@ubu2110:~# ps aux
fatal library error, lookup self
Useful additional materials
- TODO