1. Pulling images and running tests

Basic operations test 2

Capabilities are a powerful Linux kernel feature that provides fine-grained control over privileged operations, so a process can be granted single privileges instead of full root.


Last updated 5 years ago


Test 2:

Run a busybox container with the command given via --entrypoint:

sudo docker run --name bbox2 --rm -it --entrypoint /bin/sh busybox

The --rm option added here removes the container as soon as you exit it.

By default a container is strictly restricted to a subset of the kernel's capabilities. Depending on what the workload actually needs, the --cap-add and --cap-drop options control which capabilities the container receives. For example:

sudo docker run --name bbox2 --rm -it --cap-add NET_ADMIN --cap-drop CHOWN --entrypoint /bin/sh busybox
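To see what a --cap-add/--cap-drop combination actually produces, and to check a running container against an expected baseline, the following added example (not code from the original page or from Docker) decodes the CapEff bitmask that the kernel exposes in /proc/<pid>/status and models Docker's add/drop rules. The capability numbers follow include/uapi/linux/capability.h, the default set is the one Docker grants to unprivileged containers, and the SAMPLE_STATUS text is constructed to match the command above (default set minus CHOWN plus NET_ADMIN); the function names are this example's own.

```python
"""Decode Linux capability bitmasks and model docker --cap-add / --cap-drop.

Added example, not part of the original page. Capability numbers follow
include/uapi/linux/capability.h; DOCKER_DEFAULT_CAPS is the set Docker grants
to unprivileged containers. SAMPLE_STATUS is constructed sample input that
imitates /proc/1/status inside a container started with
--cap-add NET_ADMIN --cap-drop CHOWN; it is not a real capture.
"""

# Index == capability number in the kernel bitmask (bit n <-> CAP_<name>).
CAP_NAMES = [
    "CHOWN", "DAC_OVERRIDE", "DAC_READ_SEARCH", "FOWNER", "FSETID", "KILL",
    "SETGID", "SETUID", "SETPCAP", "LINUX_IMMUTABLE", "NET_BIND_SERVICE",
    "NET_BROADCAST", "NET_ADMIN", "NET_RAW", "IPC_LOCK", "IPC_OWNER",
    "SYS_MODULE", "SYS_RAWIO", "SYS_CHROOT", "SYS_PTRACE", "SYS_PACCT",
    "SYS_ADMIN", "SYS_BOOT", "SYS_NICE", "SYS_RESOURCE", "SYS_TIME",
    "SYS_TTY_CONFIG", "MKNOD", "LEASE", "AUDIT_WRITE", "AUDIT_CONTROL",
    "SETFCAP", "MAC_OVERRIDE", "MAC_ADMIN", "SYSLOG", "WAKE_ALARM",
    "BLOCK_SUSPEND", "AUDIT_READ", "PERFMON", "BPF", "CHECKPOINT_RESTORE",
]

# Capabilities Docker grants by default (the first table on this page).
DOCKER_DEFAULT_CAPS = frozenset({
    "SETPCAP", "MKNOD", "AUDIT_WRITE", "CHOWN", "NET_RAW", "DAC_OVERRIDE",
    "FOWNER", "FSETID", "KILL", "SETGID", "SETUID", "NET_BIND_SERVICE",
    "SYS_CHROOT", "SETFCAP",
})

# Constructed sample of /proc/1/status for the container started above.
SAMPLE_STATUS = """\
Name:\tsh
Pid:\t1
CapInh:\t0000000000000000
CapPrm:\t00000000a80435fa
CapEff:\t00000000a80435fa
CapBnd:\t00000000a80435fa
CapAmb:\t0000000000000000
"""


def _normalize(name: str) -> str:
    """Accept both 'NET_ADMIN' and 'CAP_NET_ADMIN', case-insensitively."""
    name = name.upper()
    return name[4:] if name.startswith("CAP_") else name


def decode_capmask(hex_mask: str) -> set:
    """Turn a CapEff/CapBnd hex value into a set of capability names."""
    mask = int(hex_mask, 16)
    names = {name for bit, name in enumerate(CAP_NAMES) if (mask >> bit) & 1}
    # Bits beyond the names known here are still privilege; keep them visible.
    for bit in range(len(CAP_NAMES), mask.bit_length()):
        if (mask >> bit) & 1:
            names.add(f"UNKNOWN_{bit}")
    return names


def encode_capmask(names) -> str:
    """Inverse of decode_capmask, formatted the way /proc prints it."""
    mask = 0
    for name in names:
        mask |= 1 << CAP_NAMES.index(_normalize(name))
    return f"{mask:016x}"


def tweak_capabilities(cap_add=(), cap_drop=()) -> set:
    """Model the set an unprivileged container ends up with.

    Follows Docker's rules: --cap-add ALL gives every capability minus the
    drops, --cap-drop ALL gives only the explicit adds, and otherwise the
    result is the default set minus the drops plus the adds.
    """
    adds = {_normalize(c) for c in cap_add}
    drops = {_normalize(c) for c in cap_drop}
    if "ALL" in adds:
        return set(CAP_NAMES) - drops
    if "ALL" in drops:
        return adds
    return (set(DOCKER_DEFAULT_CAPS) - drops) | adds


def caps_from_proc_status(status_text: str, field: str = "CapEff") -> set:
    """Pull one Cap* line out of /proc/<pid>/status text and decode it."""
    for line in status_text.splitlines():
        key, _, value = line.partition(":")
        if key.strip() == field:
            return decode_capmask(value.strip())
    raise ValueError(f"{field} not found in status text")


def excess_capabilities(status_text: str, baseline=DOCKER_DEFAULT_CAPS) -> set:
    """Defender's check: effective capabilities beyond the expected baseline."""
    return caps_from_proc_status(status_text) - set(baseline)


if __name__ == "__main__":
    print("default CapEff:", encode_capmask(DOCKER_DEFAULT_CAPS))
    print("--cap-add NET_ADMIN --cap-drop CHOWN ->",
          sorted(tweak_capabilities(["NET_ADMIN"], ["CHOWN"])))
    print("beyond default in sample:", excess_capabilities(SAMPLE_STATUS))
```

On a real host the status text comes from `docker exec <container> cat /proc/1/status`; feeding that to excess_capabilities with the baseline you intended for the workload flags anything the container was given beyond it. The least-privilege pattern this models is `--cap-drop ALL --cap-add <only what is needed>`, which tweak_capabilities reduces to exactly the explicit adds.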

The capability keys Docker accepts are listed in the two tables below (taken from the Docker run reference linked at the end of this page). The first table is the set Docker grants to a container by default; the second lists capabilities that are not granted by default and must be added explicitly with --cap-add.

Capability Key      Capability Description
SETPCAP             Modify process capabilities.
MKNOD               Create special files using mknod(2).
AUDIT_WRITE         Write records to kernel auditing log.
CHOWN               Make arbitrary changes to file UIDs and GIDs (see chown(2)).
NET_RAW             Use RAW and PACKET sockets.
DAC_OVERRIDE        Bypass file read, write, and execute permission checks.
FOWNER              Bypass permission checks on operations that normally require the file system UID of the process to match the UID of the file.
FSETID              Don't clear set-user-ID and set-group-ID permission bits when a file is modified.
KILL                Bypass permission checks for sending signals.
SETGID              Make arbitrary manipulations of process GIDs and supplementary GID list.
SETUID              Make arbitrary manipulations of process UIDs.
NET_BIND_SERVICE    Bind a socket to internet domain privileged ports (port numbers less than 1024).
SYS_CHROOT          Use chroot(2), change root directory.
SETFCAP             Set file capabilities.

Capability Key      Capability Description
SYS_MODULE          Load and unload kernel modules.
SYS_RAWIO           Perform I/O port operations (iopl(2) and ioperm(2)).
SYS_PACCT           Use acct(2), switch process accounting on or off.
SYS_ADMIN           Perform a range of system administration operations.
SYS_NICE            Raise process nice value (nice(2), setpriority(2)) and change the nice value for arbitrary processes.
SYS_RESOURCE        Override resource limits.
SYS_TIME            Set system clock (settimeofday(2), stime(2), adjtimex(2)); set real-time (hardware) clock.
SYS_TTY_CONFIG      Use vhangup(2); employ various privileged ioctl(2) operations on virtual terminals.
AUDIT_CONTROL       Enable and disable kernel auditing; change auditing filter rules; retrieve auditing status and filtering rules.
MAC_ADMIN           Allow MAC configuration or state changes. Implemented for the Smack LSM.
MAC_OVERRIDE        Override Mandatory Access Control (MAC). Implemented for the Smack Linux Security Module (LSM).
NET_ADMIN           Perform various network-related operations.
SYSLOG              Perform privileged syslog(2) operations.
DAC_READ_SEARCH     Bypass file read permission checks and directory read and execute permission checks.
LINUX_IMMUTABLE     Set the FS_APPEND_FL and FS_IMMUTABLE_FL i-node flags.
NET_BROADCAST       Make socket broadcasts, and listen to multicasts.
IPC_LOCK            Lock memory (mlock(2), mlockall(2), mmap(2), shmctl(2)).
IPC_OWNER           Bypass permission checks for operations on System V IPC objects.
SYS_PTRACE          Trace arbitrary processes using ptrace(2).
SYS_BOOT            Use reboot(2) and kexec_load(2), reboot and load a new kernel for later execution.
LEASE               Establish leases on arbitrary files (see fcntl(2)).
WAKE_ALARM          Trigger something that will wake up the system.
BLOCK_SUSPEND       Employ features that can block system suspend.

For more on Linux capabilities, see these pages:

https://docs.docker.com/engine/reference/run/
http://man7.org/linux/man-pages/man7/capabilities.7.html