How does subuid work in the context of Docker? - docker

Below is the content of /etc/subuid on my system.
On host:
# cat /etc/subuid
incgnito:100000:65536
$ id -u
1000
1000 is the UID of user incgnito.
Now, as per the above content, UID 0 in the container should be mapped to UID 100000 on the system, but after logging in to the container I found that UID 0 inside the container is mapped to UID 1000 on my system.
On container:
# cat /proc/1/uid_map
0 1000 1
1 100000 65536
Can anyone help me to understand this concept?
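The uid_map printed in the question is a list of `inside outside count` triples, and the thing a practitioner usually wants to know is which host UID a given container UID lands on. From that map alone: container UID 0 is host UID 1000, and container UIDs 1 through 65536 are host UIDs 100000 through 165535 (this shape, with the invoking user mapped to root and the subuid range starting at container UID 1, is what rootless Docker sets up). The shell snippet below is an added example, not part of the question or of Docker's own tooling; it uses the question's map as constructed input and resolves lookups in both directions.

```shell
#!/bin/sh
# Added example: resolve UIDs across a user namespace using the same
# "inside outside count" triples that /proc/<pid>/uid_map holds.
# Each line means: container UIDs [inside, inside+count) are host UIDs
# [outside, outside+count). A UID outside every range is unmapped and is
# presented as the overflow UID (65534, "nobody") on the other side.

# Constructed map, identical to the one printed in the question.
UID_MAP='0 1000 1
1 100000 65536'

# map_uid MAP CONTAINER_UID: print the host UID, or "unmapped"
map_uid() {
    printf '%s\n' "$1" | awk -v u="$2" '
        BEGIN { u = u + 0 }
        NF == 3 && u >= $1 + 0 && u < $1 + $3 { print $2 + (u - $1); found = 1; exit }
        END { if (!found) print "unmapped" }'
}

# unmap_uid MAP HOST_UID: the reverse lookup, host UID to container UID
unmap_uid() {
    printf '%s\n' "$1" | awk -v u="$2" '
        BEGIN { u = u + 0 }
        NF == 3 && u >= $2 + 0 && u < $2 + $3 { print $1 + (u - $2); found = 1; exit }
        END { if (!found) print "unmapped" }'
}

# Live use from inside a container:
#   map_uid "$(cat /proc/self/uid_map)" "$(id -u)"
# prints the host UID that will own files this process creates on a bind mount.
```

The reverse lookup is the one to reach for when a bind-mounted file owned by, say, host UID 1000 shows up inside the container as root, or as nobody when the owner falls outside every range.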

Related

How to get the host mount path inside a docker container

I would like to get the host mount path from inside a docker container. I can only find "docker inspect" commands, which get the information from the host. Could anyone help on that? Thanks.
You can use variables if it's just a PATH.
You can write some path information in a file, map the file into Docker and parse it with the docker id.
eg:
# docker_id
head -1 /proc/self/cgroup | cut -d/ -f3
>>> ...
{
  "docker_id1": {
    "paths": [
      "/test:/home",
      "/test1:/home1"
    ]
  }
}
or use the docker inspect file
Or you can cat /proc/mounts inside the container; it contains mount information:
cgroup /sys/fs/cgroup/freezer cgroup ro,nosuid,nodev,noexec,relatime,freezer 0 0
mqueue /dev/mqueue mqueue rw,nosuid,nodev,noexec,relatime 0 0
shm /dev/shm tmpfs rw,nosuid,nodev,noexec,relatime,size=65536k 0 0
/dev/mapper/VolGroup00-LogVol03 /usr/share/elasticsearch/data xfs rw,relatime,attr2,inode64,noquota 0 0 # <-- here
proc /proc/bus proc ro,relatime 0 0
proc /proc/fs proc ro,relatime 0 0
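/proc/mounts only shows the device behind a bind mount, not the host directory. /proc/self/mountinfo carries one more field, "root": the path of the mounted subtree relative to the root of its filesystem, which for a bind-mounted host directory is the host-side path (with a caveat noted in the code). The snippet below is an added example, not from the answer above; its mountinfo sample is constructed to look like a container started with `-v /test:/home -v /test1:/home1`, and the device and option values in it are made up.

```shell
#!/bin/sh
# Added example: recover the host path behind a bind mount from
# /proc/self/mountinfo. Field layout per line:
#   id parent major:minor root mountpoint options [optional...] - fstype source superopts
# "root" is the subtree of the source filesystem that is mounted here.

# Constructed sample (device names and options are invented).
MOUNTINFO='22 28 0:21 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw
345 344 8:1 /test /home rw,relatime - ext4 /dev/sda1 rw,errors=remount-ro
346 344 8:1 /test1 /home1 rw,relatime - ext4 /dev/sda1 rw,errors=remount-ro
347 344 0:45 / /dev/shm rw,nosuid,nodev,noexec,relatime - tmpfs shm rw,size=65536k'

# mount_source MOUNTINFO CONTAINER_PATH: print "<source>:<root>" for the mount
# at CONTAINER_PATH, or "none" if nothing is mounted exactly there. Spaces in
# paths are encoded as \040 in mountinfo and are left encoded here.
mount_source() {
    printf '%s\n' "$1" | awk -v mp="$2" '
        $5 == mp {
            for (i = 7; i <= NF; i++) if ($i == "-") break   # skip optional fields
            print $(i + 2) ":" $4; found = 1; exit
        }
        END { if (!found) print "none" }'
}

# Live use inside a container:
#   mount_source "$(cat /proc/self/mountinfo)" /home
# Caveat: "root" is relative to the filesystem, not to the host's namespace. If
# the host keeps /test on its own filesystem mounted at /test, root shows as "/".
```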
I think one way could be to pass it as an environment variable when running the container.
docker run -e HOST_MOUNT_PATH=wanted_path -ti ubuntu:18.04 bash
Inside the container you can check with
echo $HOST_MOUNT_PATH

Setting the User UID in a Bitnami Docker Container

I am running a number of Bitnami Docker containers which all use a user UID of 1001 inside the container. However, these containers need to write files to a mounted host directory as a user with UID 1010.
Is there a way to achieve this, apart from rewriting all the Dockerfiles involved and rebuilding all these images?
Using Docker Compose 1.25.5 and Docker 19.03.8 on Ubuntu 20.04. The user 1001 in the container also happens to have no name:
I have no name!@32f6e5ad9cbd:/$ id
uid=1001 gid=0(root) groups=0(root)
I have no name!@32f6e5ad9cbd:/$ whoami
whoami: cannot find name for user ID 1001
$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
Try with user: 1010:0.
If you use root (0) as the GID you shouldn't have issues with permissions:
$ id
uid=1010 gid=0(root) groups=0(root)

Can a mounted volume in Kubernetes be accessed from the host OS filesystem

My real question is: if secrets are mounted as volumes in pods, can they be read if someone gains root access to the host OS?
For example by accessing /var/lib/docker and drilling down to the volume.
If someone has root access to your host with containers, he can do pretty much whatever he wants... Don't forget that pods are just a bunch of containers, which in fact are processes with PIDs. So for example, if I have a pod called sleeper:
kubectl get pods sleeper-546494588f-tx6pp -o wide
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE
sleeper-546494588f-tx6pp 1/1 Running 1 21h 10.200.1.14 k8s-node-2 <none>
running on the node k8s-node-2. With root access to this node, I can check what PID this pod and its containers have (I am using containerd as the container engine, but the points below are very similar for Docker or any other container engine):
[root@k8s-node-2 /]# crictl -r unix:///var/run/containerd/containerd.sock pods -name sleeper-546494588f-tx6pp -q
ec27f502f4edd42b85a93503ea77b6062a3504cbb7ac6d696f44e2849135c24e
[root@k8s-node-2 /]# crictl -r unix:///var/run/containerd/containerd.sock ps -p ec27f502f4edd42b85a93503ea77b6062a3504cbb7ac6d696f44e2849135c24e
CONTAINER ID IMAGE CREATED STATE NAME ATTEMPT POD ID
70ca6950de10b 8ac48589692a5 2 hours ago Running sleeper 1 ec27f502f4edd
[root@k8s-node-2 /]# crictl -r unix:///var/run/containerd/containerd.sock inspect 70ca6950de10b | grep pid | head -n 1
"pid": 24180,
And then finally, with that information (the PID), I can access the "/" mountpoint of this process and check its content, including secrets:
[root@k8s-node-2 /]# ll /proc/24180/root/var/run/secrets/kubernetes.io/serviceaccount/
total 0
lrwxrwxrwx. 1 root root 13 Nov 14 13:57 ca.crt -> ..data/ca.crt
lrwxrwxrwx. 1 root root 16 Nov 14 13:57 namespace -> ..data/namespace
lrwxrwxrwx. 1 root root 12 Nov 14 13:57 token -> ..data/token
[root@k8s-node-2 serviceaccount]# cat /proc/24180/root/var/run/secrets/kubernetes.io/serviceaccount/namespace ; echo
default
[root@k8s-node-2 serviceaccount]# cat /proc/24180/root/var/run/secrets/kubernetes.io/serviceaccount/token | cut -d'.' -f 1 | base64 -d ;echo
{"alg":"RS256","kid":""}
[root@k8s-node-2 serviceaccount]# cat /proc/24180/root/var/run/secrets/kubernetes.io/serviceaccount/token | cut -d'.' -f 2 | base64 -d 2>/dev/null ;echo
{"iss":"kubernetes/serviceaccount","kubernetes.io/serviceaccount/namespace":"default","kubernetes.io/serviceaccount/secret.name":"default-token-6sbz9","kubernetes.io/serviceaccount/service-account.name":"default","kubernetes.io/serviceaccount/service-account.uid":"42e7f596-e74e-11e8-af81-525400e6d25d","sub":"system:serviceaccount:default:default"}
It is one of the reasons why it is super important to properly secure access to your Kubernetes infrastructure.
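The answer decodes the token's segments with a plain `base64 -d` and silences its errors with `2>/dev/null`. JWT segments are base64url with the padding stripped, so that decoder fails on any segment whose length is not a multiple of four, and a payload can be cut off or rejected silently. The snippet below is an added example, not from the answer or from any Kubernetes tooling; it restores the alphabet and the padding before decoding, and builds its own sample token (the header is the one the answer printed, the payload is a reduced constructed one, and the signature segment is a placeholder that nothing verifies).

```shell
#!/bin/sh
# Added example: decode the header and payload of a JWT such as a Kubernetes
# service-account token. Segments are base64url (RFC 4648 section 5) without
# padding, so "-" and "_" are mapped back to "+" and "/" and "=" padding is
# appended up to a multiple of four before handing the text to base64 -d.

# b64url_decode: base64url text on stdin, raw bytes on stdout
b64url_decode() {
    tr '_-' '/+' | awk '{ s = s $0 } END { while (length(s) % 4) s = s "="; print s }' | base64 -d
}

# jwt_part TOKEN N: decoded segment N of TOKEN (1 = header, 2 = payload)
jwt_part() {
    printf '%s\n' "$1" | cut -d. -f"$2" | b64url_decode
}

# b64url_encode: raw bytes on stdin to unpadded base64url; used only to build
# the constructed sample token below
b64url_encode() {
    base64 | tr -d '\n=' | tr '/+' '_-'
}

# Constructed sample: header as printed in the answer, reduced payload,
# placeholder signature. Nothing here checks the signature.
SAMPLE_HEADER='{"alg":"RS256","kid":""}'
SAMPLE_PAYLOAD='{"iss":"kubernetes/serviceaccount","sub":"system:serviceaccount:default:default"}'
SAMPLE_TOKEN="$(printf '%s' "$SAMPLE_HEADER" | b64url_encode).$(printf '%s' "$SAMPLE_PAYLOAD" | b64url_encode).sig"

# Live use on a node, with the PID located via crictl as in the answer:
#   jwt_part "$(cat /proc/24180/root/var/run/secrets/kubernetes.io/serviceaccount/token)" 2
```

Decoding the payload tells you which service account a stolen token speaks for, and on newer clusters whether it is a bound token with an expiry, which is what decides how long a token lifted from a node stays useful.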

How to mount volumes in docker release of openFOAM

I am running the docker release of openFOAM. While running openFOAM, I can't access any of the volumes that I have set up in /mnt. I can see them when I run:
bash-4.1$ lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
sda 8:0 0 29.8G 0 disk
|-sda1 8:1 0 200M 0 part
|-sda2 8:2 0 500M 0 part
`-sda3 8:3 0 29.1G 0 part
`-luks-c551009c-5ab5-4526-85fa-45105a445734 (dm-0)
253:0 0 29.1G 0 crypt
|-korora_a00387863--6-root (dm-1) 253:1 0 26.1G 0 lvm /etc/passwd
`-korora_a00387863--6-swap (dm-2) 253:2 0 3G 0 lvm
sdb 8:16 0 465.8G 0 disk
|-sdb1 8:17 0 137.9G 0 part
|-sdb2 8:18 0 158.7G 0 part
`-sdb3 8:19 0 169.2G 0 part
sdg 8:96 1 15G 0 disk
loop0 7:0 0 100G 0 loop
`-docker-253:1-265037-pool (dm-3) 253:3 0 100G 0 dm
`-docker-253:1-265037-10f82f41512f788ec85215e8764cd3c5b0973d548fe4db2fcbcbaf50db6a4b9c (dm-4)
253:4 0 10G 0 dm /
loop1 7:1 0 2G 0 loop
`-docker-253:1-265037-pool (dm-3) 253:3 0 100G 0 dm
`-docker-253:1-265037-10f82f41512f788ec85215e8764cd3c5b0973d548fe4db2fcbcbaf50db6a4b9c (dm-4)
253:4 0 10G 0 dm /
However, none of these show up in /dev, so I don't know how to mount the volumes that I want. It seems like there is a better solution than manually mounting the volume each time I use openFOAM. Any ideas would be welcome, I don't understand the docker documentation.
You haven't shown us exactly what you mean by "volumes set up in /mnt", so there will be a lot of guesswork in this answer w/r/t what you're actually trying to do.
If you are trying to mount block devices on your host and make them available in your container, the normal way you would go about this is:
Mount the device somewhere on your host (e.g., in /mnt)
Use the -v argument to docker run to expose that mountpoint inside a container, as in:
docker run -v /mnt/volume1:/volume1 alpine sh
The above command line would expose /mnt/volume1 on the host as /volume1 inside the container.
If you find that you are often running the same container with the same set of volumes, and you're tired of long command lines, just drop the docker run command into a shell script, or consider using something like docker-compose to help automate things.

Map process id of application on docker container with process id on host

I am running an application in a docker container only and not on the host machine. The application has some process ID in the docker container. That application also has a process ID on the host. The process ID on the host and the process ID in the container are different. How can I see the process ID of the application running in the docker container from the host? How can I map the process ID of the application running in the container only (and not on the host) with the process ID of this application on the host? I searched on the internet, but could not find the correct set of commands.
Running a command like this should get you the PID of the container's main process (ID 1) on the host.
docker container top
$ docker container top cf1b
UID PID PPID C STIME TTY TIME CMD
root 3289 3264 0 Aug24 pts/0 00:00:00 bash
root 9989 9963 99 Aug24 ? 6-07:24:43 java -javaagent:/apps/docker-custom/newrelic/newrelic.jar -Xmx4096m -Xms4096m -XX:+UseG1GC -XX:+UseStringDeduplication -XX:-TieredCompilation -XX:+ParallelRefProcEnabled -jar /apps/service/app.jar
So in this case PID 1 in my container maps to ID 9989 on the host.
If a process is indeed ONLY in your container, that becomes more challenging. You can use tools like nsenter to peek into the namespaces, but if you have exec privileges to your container then that would achieve the same thing; the docker container top command on the host combined with the ps command within the container can give you an idea of what is happening.
If you can clarify what your end goal is, we might be able to provide more clear guidance.
In order to get the mapping between the container process ID and the host process ID, one could run ps -ef in the container and docker top <container> on the host. The CMD column present in both of these outputs will help in the decision. Below is the sample output in my environment:
container1:/$ ps -ef
UID PID PPID C STIME TTY TIME CMD
2033 10 0 0 11:08 pts/0 00:00:00 postgres -c config_file=/etc/postgresql/postgresql_primary.conf
host1# docker top warehouse_db
UID PID PPID C STIME TTY TIME CMD
bbharati 11677 11660 0 11:08 pts/0 00:00:00 postgres -c config_file=/etc/postgresql/postgresql_primary.conf
As we can see, the container process with PID=10 maps to the host process with PID=11677.
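Both answers match the CMD column by eye, which breaks down when several identical commands run in one or more containers. Since Linux 4.1 the kernel records the mapping itself: every /proc/<pid>/status on the host carries an "NSpid:" line listing the process's PID in each pid namespace it belongs to, outermost (host) first and innermost (container) last. The snippet below is an added example, not from either answer; the status excerpts are constructed to resemble the processes in the first answer, and the host PID of the container's init is assumed to come from `docker inspect -f '{{.State.Pid}}'`.

```shell
#!/bin/sh
# Added example: map a container PID to its host PID via the NSpid line of
# /proc/<pid>/status, restricted to the container's own pid namespace.

# Constructed status excerpts (real files use tabs; awk does not care).
STATUS_JAVA='Name: java
Pid: 9989
NSpid: 9989 1'
STATUS_BASH='Name: bash
Pid: 3289
NSpid: 3289 10'
STATUS_HOST='Name: sshd
Pid: 700
NSpid: 700'

# nspid_map STATUS_TEXT: print "<host pid> <innermost pid>", or nothing when
# the process lives only in the host pid namespace (a single NSpid entry)
nspid_map() {
    printf '%s\n' "$1" | awk '$1 == "NSpid:" && NF > 2 { print $2, $NF; exit }'
}

# find_host_pid INIT_HOST_PID CONTAINER_PID: on the host, print the host PID of
# the process that is CONTAINER_PID inside the pid namespace of INIT_HOST_PID.
# INIT_HOST_PID is the container's init as reported by
#   docker inspect -f '{{.State.Pid}}' <container>
# The namespace comparison matters because every container has its own PID 1,
# so the innermost NSpid value alone is not unique across containers.
find_host_pid() {
    ns=$(readlink "/proc/$1/ns/pid") || return 1
    for s in /proc/[0-9]*/status; do
        p=${s#/proc/}; p=${p%/status}
        [ "$(readlink "/proc/$p/ns/pid" 2>/dev/null)" = "$ns" ] || continue
        m=$(nspid_map "$(cat "$s" 2>/dev/null)")
        [ -n "$m" ] && [ "${m#* }" = "$2" ] && { echo "$p"; return 0; }
    done
    return 1
}

# Live use on the host, e.g. container PID 10 of warehouse_db:
#   find_host_pid "$(docker inspect -f '{{.State.Pid}}' warehouse_db)" 10
```

Reading the ns/pid link and /proc/<pid>/status of another user's process needs root (or CAP_SYS_PTRACE) on the host, which is the same privilege the earlier Kubernetes answer relies on to walk /proc/<pid>/root.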
