在Ubuntu上,实现容器隔离(用户名称空间)、more/proc/[pid]/gid_映射和nothing输出
当我学习docker时,[用户名称空间]一章中的代码:在Ubuntu上,实现容器隔离(用户名称空间)、more/proc/[pid]/gid_映射和nothing输出,c,linux,docker,ubuntu-16.04,linux-namespaces,C,Linux,Docker,Ubuntu 16.04,Linux Namespaces,当我学习docker时,[用户名称空间]一章中的代码: 演示的意义是使用[用户名称空间]实现: 容器外是普通用户权限,容器内是根权限 #define _GNU_SOURCE #include <sys/types.h> #include <sys/wait.h> #include <stdio.h> #include <sched.h> #include <signal.h> #include <unistd.h> #inc
演示的意义是使用[用户名称空间]实现:
容器外是普通用户权限,容器内是根权限
#define _GNU_SOURCE
#include <sys/types.h>
#include <sys/wait.h>
#include <stdio.h>
#include <sched.h>
#include <signal.h>
#include <unistd.h>
#include <sys/capability.h> // sudo apt install libcap-dev
#define STACK_SIZE (1024 * 1024)
static char child_stack[STACK_SIZE];
char* const child_args[] = {
"/bin/bash",
NULL
};
void set_uid_map(pid_t pid, int inside_id, int outside_id, int length){
char path[256];
sprintf(path, "/proc/%d/uid_map", getpid());
FILE* uid_map = fopen(path, "w");
fprintf(uid_map, "%d %d %d", inside_id, outside_id, length);
fclose(uid_map);
}
void set_gid_map(pid_t pid, int inside_id, int outside_id, int length){
char path[256];
sprintf(path, "/proc/%d/gid_map", getpid());
FILE* gid_map = fopen(path, "w");
//printf("*****gid---Pid: %d *****\n", getpid());
fprintf(gid_map, "%d %d %d", inside_id, outside_id, length);
fclose(gid_map);
}
int child_main(void* args){
cap_t caps;
printf("In the Child process !\n");
//sethostname("NewNameSpace", 12);
//cap_t caps;
printf("*****Pid: %d *****\n", getpid());
//set_uid_map(getpid(), 0, 1000, 1);
set_gid_map(getpid(), 0, 1000, 1);
set_uid_map(getpid(), 0, 1000, 1);
printf("eUID = %ld; eGID = %ld; \n\n", (long)geteuid(), (long)getegid());
caps = cap_get_proc();
printf("capabilities: %s\n", cap_to_text(caps, NULL));
execv(child_args[0], child_args);
return 1;
}
int main(){
printf("Start: \n");
//int child_pid = clone(child_main, child_stack + STACK_SIZE, CLONE_NEWUSER | CLONE_NEWNET | CLONE_NEWNS | CLONE_NEWPID | CLONE_NEWIPC | CLONE_NEWUTS | SIGCHLD, NULL);
int child_pid = clone(child_main, child_stack + STACK_SIZE, CLONE_NEWUSER | SIGCHLD, NULL);
waitpid(child_pid, NULL, 0);
printf("Already Exit \n");
return 0;
}
并展示:
Start:
In the Child process !
*****Pid: 24072 *****
eUID = 0; eGID = 65534;
capabilities: = cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_linux_immutable,cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw,cap_ipc_lock,cap_ipc_owner,cap_sys_module,cap_sys_rawio,cap_sys_chroot,cap_sys_ptrace,cap_sys_pacct,cap_sys_admin,cap_sys_boot,cap_sys_nice,cap_sys_resource,cap_sys_time,cap_sys_tty_config,cap_mknod,cap_lease,cap_audit_write,cap_audit_control,cap_setfcap,cap_mac_override,cap_mac_admin,cap_syslog,cap_wake_alarm,cap_block_suspend,37+ep
当我在子shell中输入命令时
# more /proc/24590/uid_map
显示:0 1000 1
# more /proc/24590/gid_map
不露声色
键eUID和eGID应为0,但我的eGID应为65534。我不知道为什么我的eGID=65534,而不是=0 gcc版本5.4.0 20160609(Ubuntu 5.4.0-6 ubuntu1~16.04.4) 英语不是我的母语;请原谅打字错误 #include need sudo apt install libcap dev#include need sudo apt install libcap dev
# more /proc/24590/gid_map