Docker: Running a Container in Privileged Mode

1 Background

Sometimes a container needs more privileges than the default: loading kernel modules, controlling swap partitions, mounting USB disks, changing MAC addresses, and so on. In this lab we grant a container these privileges with a single parameter, --privileged=true.

2 Without privileged mode

1. Create kcm_centos01, a container started without the privileged parameter.

docker run -ti -h node111 --name kcm_centos01 --network host  centos:7.2.1511 /bin/bash

2. Install the iproute package.

yum install iproute -y

3. View the container's IP and MAC address information.

ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eno16777736: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:0c:29:73:e1:51 brd ff:ff:ff:ff:ff:ff
    inet 192.168.40.111/24 brd 192.168.40.255 scope global eno16777736
       valid_lft forever preferred_lft forever
    inet6 fe80::20c:29ff:fe73:e151/64 scope link
       valid_lft forever preferred_lft forever
3: virbr0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
    link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
    inet 192.168.122.1/24 brd 192.168.122.255 scope global virbr0
       valid_lft forever preferred_lft forever
4: virbr0-nic: <BROADCAST,MULTICAST> mtu 1500 qdisc pfifo_fast state DOWN group default qlen 500
    link/ether 52:54:00:62:ff:61 brd ff:ff:ff:ff:ff:ff
5: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
    link/ether 02:42:96:f5:99:ff brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever
    inet6 fe80::42:96ff:fef5:99ff/64 scope link
       valid_lft forever preferred_lft forever

4. Change the MAC address.

ip link set eno16777736 address 00:01:02:03:04:05
RTNETLINK answers: Operation not permitted
Note

The command fails here; the change is not permitted.

3 With privileged mode

1. Create kcm_centos02, a container started with the privileged parameter.

docker run -ti --privileged=true -h node112 --name kcm_centos02 --network host  centos:7.2.1511 /bin/bash

2. Install the iproute package.

yum install iproute -y

3. View the container's IP and MAC address information.

ip a

4. Change the MAC address.

ip link set eno16777736 address 00:01:02:03:04:05

5. View the result after the change.

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eno16777736: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:01:02:03:04:05 brd ff:ff:ff:ff:ff:ff
    inet 192.168.40.111/24 brd 192.168.40.255 scope global eno16777736
       valid_lft forever preferred_lft forever
    inet6 fe80::20c:29ff:fe73:e151/64 scope link
       valid_lft forever preferred_lft forever
3: virbr0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
    link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
    inet 192.168.122.1/24 brd 192.168.122.255 scope global virbr0
       valid_lft forever preferred_lft forever
4: virbr0-nic: <BROADCAST,MULTICAST> mtu 1500 qdisc pfifo_fast state DOWN group default qlen 500
    link/ether 52:54:00:62:ff:61 brd ff:ff:ff:ff:ff:ff
5: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
    link/ether 02:42:96:f5:99:ff brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever
    inet6 fe80::42:96ff:fef5:99ff/64 scope link
       valid_lft forever preferred_lft forever
Note

Here the change succeeds, and because the container was started with --network host it is the host machine's own MAC address that has been changed.

4 View container details

docker inspect kcm_centos01 | grep Privileged
docker inspect kcm_centos02 | grep Privileged
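The two grep calls above answer only one question per container. The following Python script, added here as an example and not part of the original lab, parses full `docker inspect` JSON and flags every HostConfig setting that weakens isolation (privileged mode, host network, host PID namespace, risky added capabilities); the embedded sample JSON is constructed to mirror kcm_centos01 and kcm_centos02, and audit_running_docker() is an assumed helper that needs a working docker CLI.

```python
import json
import subprocess

# Constructed sample in the shape of `docker inspect` output for the two
# containers of this lab, trimmed to the HostConfig fields the audit reads.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/kcm_centos01",
     "HostConfig": {"Privileged": False, "NetworkMode": "host",
                    "PidMode": "", "CapAdd": None}},
    {"Name": "/kcm_centos02",
     "HostConfig": {"Privileged": True, "NetworkMode": "host",
                    "PidMode": "", "CapAdd": None}},
])

# Capabilities that on their own give a container host-level reach.
RISKY_CAPS = {"ALL", "SYS_ADMIN", "SYS_MODULE", "NET_ADMIN", "SYS_PTRACE"}


def audit_containers(inspect_json):
    """Map container name -> list of isolation-weakening settings found."""
    findings = {}
    for c in json.loads(inspect_json):
        name = c.get("Name", "?").lstrip("/")
        hc = c.get("HostConfig") or {}
        issues = []
        if hc.get("Privileged"):
            issues.append("privileged")      # all caps, all /dev, no seccomp/AppArmor
        if hc.get("NetworkMode") == "host":
            issues.append("host-network")    # shares host NICs; MAC change hits host
        if hc.get("PidMode") == "host":
            issues.append("host-pid")        # sees and can signal host processes
        for cap in hc.get("CapAdd") or []:
            bare = cap.upper()
            bare = bare[4:] if bare.startswith("CAP_") else bare
            if bare in RISKY_CAPS:
                issues.append("cap-add:" + cap)
        if issues:
            findings[name] = issues
    return findings


def audit_running_docker():
    """Live variant (assumed helper): audit every running container via the CLI."""
    ids = subprocess.check_output(["docker", "ps", "-q"], text=True).split()
    if not ids:
        return {}
    return audit_containers(
        subprocess.check_output(["docker", "inspect", *ids], text=True))


if __name__ == "__main__":
    for name, issues in audit_containers(SAMPLE_INSPECT).items():
        print(f"{name}: {', '.join(issues)}")
```

Changing a link address needs only CAP_NET_ADMIN, so a workload that genuinely must do this can be started with --cap-add NET_ADMIN instead of --privileged, which also grants every other capability, exposes all host devices and disables the default seccomp and AppArmor profiles.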