docker run cap-drop=net_bind_service 仍有 nginx 在端口 80 上运行

docker run cap-drop=net_bind_service 仍有 nginx 在端口 80 上运行
docker run --rm --cap-drop=net_bind_service --publish 8080:80 --name nginx nginx

ps --forest -fC nginx
UID          PID    PPID  C STIME TTY          TIME CMD
root      449870  449847  0 12:38 ?        00:00:00 nginx: master process nginx -g daemon off;
101       449929  449870  0 12:38 ?        00:00:00  \_ nginx: worker process
101       449930  449870  0 12:38 ?        00:00:00  \_ nginx: worker process
101       449931  449870  0 12:38 ?        00:00:00  \_ nginx: worker process
101       449932  449870  0 12:38 ?        00:00:00  \_ nginx: worker process
101       449933  449870  0 12:38 ?        00:00:00  \_ nginx: worker process
101       449934  449870  0 12:38 ?        00:00:00  \_ nginx: worker process
101       449935  449870  0 12:38 ?        00:00:00  \_ nginx: worker process
101       449936  449870  0 12:38 ?        00:00:00  \_ nginx: worker process
101       449937  449870  0 12:38 ?        00:00:00  \_ nginx: worker process
101       449938  449870  0 12:38 ?        00:00:00  \_ nginx: worker process
101       449939  449870  0 12:38 ?        00:00:00  \_ nginx: worker process
101       449940  449870  0 12:38 ?        00:00:00  \_ nginx: worker process

所以这个过程没有网络绑定服务,但它能够启动并绑定到端口 80。

getpcaps 449870                      
449870: cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_raw,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap=ep

看到这个:

docker run --rm --privileged --pid container:nginx --network container:nginx -it --volumes-from nginx --name debug nixery.dev/shell/gnugrep/ps/libcap/htop/lsof/iproute2 bash

bash-5.2# ps aufx
USER         PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
0            112  0.0  0.0   4936  4184 pts/0    Ss   19:55   0:00 bash
0            123  0.0  0.0   7240  2324 pts/0    R+   19:56   0:00  \_ ps aufx
0              1  0.0  0.0   8940  6052 ?        Ss   19:38   0:00 nginx: master process nginx -g daemon off;
101           29  0.0  0.0   9328  2564 ?        S    19:38   0:00 nginx: worker process
101           30  0.0  0.0   9328  2564 ?        S    19:38   0:00 nginx: worker process
101           31  0.0  0.0   9328  2564 ?        S    19:38   0:00 nginx: worker process
101           32  0.0  0.0   9328  2564 ?        S    19:38   0:00 nginx: worker process
101           33  0.0  0.0   9328  2564 ?        S    19:38   0:00 nginx: worker process
101           34  0.0  0.0   9328  2564 ?        S    19:38   0:00 nginx: worker process
101           35  0.0  0.0   9328  2564 ?        S    19:38   0:00 nginx: worker process
101           36  0.0  0.0   9328  2564 ?        S    19:38   0:00 nginx: worker process
101           37  0.0  0.0   9328  2564 ?        S    19:38   0:00 nginx: worker process
101           38  0.0  0.0   9328  2564 ?        S    19:38   0:00 nginx: worker process
101           39  0.0  0.0   9328  2564 ?        S    19:38   0:00 nginx: worker process
101           40  0.0  0.0   9328  2568 ?        S    19:38   0:00 nginx: worker process

bash-5.2# ss -ltnp

State                Recv-Q               Send-Q                              Local Address:Port                               Peer Address:Port               Process                                                                                                                                                        
LISTEN               0                    511                                       0.0.0.0:80                                      0.0.0.0:*                   users:(("nginx",pid=40,fd=6),("nginx",pid=39,fd=6),("nginx",pid=38,fd=6),("nginx",pid=37,fd=6),("nginx",pid=36,fd=6),("nginx",pid=35,fd=6),("nginx",pid=34,fd=6),("nginx",pid=33,fd=6),("nginx",pid=32,fd=6),("nginx",pid=31,fd=6),("nginx",pid=30,fd=6),("nginx",pid=29,fd=6),("nginx",pid=1,fd=6))
LISTEN               0                    511                                          [::]:80                                         [::]:*                   users:(("nginx",pid=40,fd=7),("nginx",pid=39,fd=7),("nginx",pid=38,fd=7),("nginx",pid=37,fd=7),("nginx",pid=36,fd=7),("nginx",pid=35,fd=7),("nginx",pid=34,fd=7),("nginx",pid=33,fd=7),("nginx",pid=32,fd=7),("nginx",pid=31,fd=7),("nginx",pid=30,fd=7),("nginx",pid=29,fd=7),("nginx",pid=1,fd=7))

那么为什么容器能够启动并绑定到端口 80 但未net_bind_service列出该进程帽子

答案1

Docker 不是启用特权绑定到低端口(和其他功能),而是将需要特权的低端口值降低为 0,从而消除障碍并允许任何非特权进程绑定到任何端口:

daemon/oci_linux.go:

      // allow opening any port less than 1024 without CAP_NET_BIND_SERVICE
      if sysctlExists("net.ipv4.ip_unprivileged_port_start") {
          s.Linux.Sysctl["net.ipv4.ip_unprivileged_port_start"] = "0"
      }

除非是主机的网络或配置另有说明。与上面的几行类似,在非无根容器上允许 ping(过去需要特权)。

相关内容