Letting the read-only user reader run a subset of docker commands
1. Overview
When an ordinary user (here we assume the read-only user reader) runs docker ps, the following error is reported:
```
[reader@nexus ~]$ docker ps
Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Get http://%2Fvar%2Frun%2Fdocker.sock/v1.24/containers/json: dial unix /var/run/docker.sock: connect: permission denied
[reader@nexus ~]$
```
The docker daemon listens on a Unix socket rather than a TCP port. By default that socket is owned by root, so root privileges are required to access it. This can be confirmed with the following commands:
```
[root@nexus ~]# ls -lah /var/run/docker.sock
srw-rw---- 1 root docker 0 Jan 29 2024 /var/run/docker.sock
[root@nexus ~]# stat /var/run/docker.sock
File: ‘/var/run/docker.sock’
Size: 0 Blocks: 0 IO Block: 4096 socket
Device: 14h/20d Inode: 279557849 Links: 1
Access: (0660/srw-rw----) Uid: ( 0/ root) Gid: ( 991/ docker)
Access: 2025-02-23 22:29:56.307183105 +0800
Modify: 2024-01-29 20:42:31.572778347 +0800
Change: 2024-01-29 20:42:31.594778249 +0800
Birth: -
[root@nexus ~]#
```
As the mode 0660 and the owner/group root:docker show, only the root user and members of the docker group can open the socket; everyone else gets the "permission denied" above.
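The permission check that produces the error above can be reproduced without touching a live daemon. The following script is an added example, not code from the original post: it takes the mode string, owner and group exactly as stat prints them, plus the user's group list as printed by id -nG, and applies the owner/group/other rule the kernel uses. The function names and the sample values are my own; the wrapper for a live host assumes GNU stat.

```shell
#!/bin/sh
# Added example, not part of the original post: decide whether a user can
# open a Unix socket such as /var/run/docker.sock from its mode string,
# owner and group (as printed by stat) and the user's group list (as
# printed by "id -nG"). Function names and sample values are my own.

# in_list NEEDLE "ITEM1 ITEM2 ...": succeed if NEEDLE is one of the items.
in_list() {
    needle=$1
    for item in $2; do
        if [ "$item" = "$needle" ]; then
            return 0
        fi
    done
    return 1
}

# perm_for_user MODE OWNER GROUP USER "GROUP1 GROUP2 ...": print rw, r, w or
# none. Exactly one permission class applies to a given user, chosen in the
# order the kernel uses: owner, then group, then other. The owner never falls
# through to the group bits, and a group member never falls through to the
# other bits, so 0660 root:docker means "root and docker members only".
perm_for_user() {
    mode=$1 owner=$2 group=$3 user=$4 groups=$5
    if [ "$user" = "$owner" ]; then
        bits=$(printf '%s' "$mode" | cut -c2-4)    # owner class
    elif in_list "$group" "$groups"; then
        bits=$(printf '%s' "$mode" | cut -c5-7)    # group class
    else
        bits=$(printf '%s' "$mode" | cut -c8-10)   # other class
    fi
    case "$(printf '%s' "$bits" | cut -c1-2)" in
        rw) echo rw ;;
        r-) echo r ;;
        -w) echo w ;;
        *)  echo none ;;
    esac
}

# socket_access_on_host SOCKET USER: the same check against the live system,
# reading mode/owner/group with GNU stat and the user's groups with id.
# The caller must be allowed to stat the socket; this is not run in the demo.
socket_access_on_host() {
    set -- "$1" "$2" $(stat -c '%A %U %G' "$1")
    perm_for_user "$3" "$4" "$5" "$2" "$(id -nG "$2")"
}

# Constructed values matching the stat output above: 0660, root:docker.
perm_for_user srw-rw---- root docker reader "reader"         # none: the "permission denied" case
perm_for_user srw-rw---- root docker reader "reader docker"  # rw: after gpasswd -a reader docker
```

On a host, `socket_access_on_host /var/run/docker.sock reader` answers the same question for a real account, which is a quick way to confirm that a change to the socket's group or to the user's group list had the intended effect.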
2. Group permission configuration
Option 1 is to add reader directly to the docker group; from then on reader can run every docker command:
```
## add user reader to the docker group
gpasswd -a reader docker
```
Verifying the actual run:
```
## add user reader to the docker group
[root@nexus ~]# gpasswd -a reader docker
Adding user reader to group docker
## check reader's id information; the docker group is now included
[root@nexus ~]# id reader
uid=1003(reader) gid=1003(reader) groups=1003(reader),991(docker)
## switch to the read-only account reader
[root@nexus ~]# su - reader
Last login: Sun Feb 23 22:38:55 CST 2025 on pts/0
## docker commands now work
[reader@nexus ~]$ docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
8b931229efd4 sonatype/nexus3:3.59.0 "/opt/sonatype/nexus…" 13 months ago Up 13 months 0.0.0.0:8001-8003->8001-8003/tcp, 0.0.0.0:8081->8081/tcp nexus
[reader@nexus ~]$ docker logs --tail 10 nexus
2025-02-23 22:10:19,179+0800 INFO [SessionValidationThread-1] *UNKNOWN org.apache.shiro.session.mgt.AbstractValidatingSessionManager - Validating all active sessions...
2025-02-23 22:10:19,180+0800 INFO [SessionValidationThread-1] *UNKNOWN org.apache.shiro.session.mgt.AbstractValidatingSessionManager - Finished session validation. No sessions were stopped.
2025-02-23 22:20:00,002+0800 INFO [quartz-10-thread-19] *SYSTEM org.sonatype.nexus.quartz.internal.task.QuartzTaskInfo - Task 'Storage facet cleanup' [repository.storage-facet-cleanup] state change WAITING -> RUNNING
2025-02-23 22:20:00,003+0800 INFO [quartz-10-thread-19] *SYSTEM org.sonatype.nexus.quartz.internal.task.QuartzTaskInfo - Task 'Storage facet cleanup' [repository.storage-facet-cleanup] state change RUNNING -> WAITING (OK)
2025-02-23 22:30:00,002+0800 INFO [quartz-10-thread-19] *SYSTEM org.sonatype.nexus.quartz.internal.task.QuartzTaskInfo - Task 'Storage facet cleanup' [repository.storage-facet-cleanup] state change WAITING -> RUNNING
2025-02-23 22:30:00,019+0800 INFO [quartz-10-thread-19] *SYSTEM org.sonatype.nexus.quartz.internal.task.QuartzTaskInfo - Task 'Storage facet cleanup' [repository.storage-facet-cleanup] state change RUNNING -> WAITING (OK)
2025-02-23 22:40:00,002+0800 INFO [quartz-10-thread-19] *SYSTEM org.sonatype.nexus.quartz.internal.task.QuartzTaskInfo - Task 'Storage facet cleanup' [repository.storage-facet-cleanup] state change WAITING -> RUNNING
2025-02-23 22:40:00,003+0800 INFO [quartz-10-thread-19] *SYSTEM org.sonatype.nexus.quartz.internal.task.QuartzTaskInfo - Task 'Storage facet cleanup' [repository.storage-facet-cleanup] state change RUNNING -> WAITING (OK)
2025-02-23 22:50:00,002+0800 INFO [quartz-10-thread-19] *SYSTEM org.sonatype.nexus.quartz.internal.task.QuartzTaskInfo - Task 'Storage facet cleanup' [repository.storage-facet-cleanup] state change WAITING -> RUNNING
2025-02-23 22:50:00,003+0800 INFO [quartz-10-thread-19] *SYSTEM org.sonatype.nexus.quartz.internal.task.QuartzTaskInfo - Task 'Storage facet cleanup' [repository.storage-facet-cleanup] state change RUNNING -> WAITING (OK)
[reader@nexus ~]$
```
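Because the docker group gives full control of the daemon (Docker's own documentation describes this as root-equivalent access to the host), the practical follow-up to option 1 is knowing at all times who is in that group. The script below is an added example, not code from the original post: it lists every account that reaches the socket through a given group, covering both the supplementary members that gpasswd -a writes to /etc/group and the accounts whose primary gid in /etc/passwd is that group, which a plain look at the docker line in /etc/group misses. The /etc/group and /etc/passwd contents are constructed for the demo and the function name is my own.

```shell
#!/bin/sh
# Added example, not part of the original post: list every account that
# reaches the docker socket through the docker group, i.e. everyone with the
# same access that "gpasswd -a reader docker" gave reader above. The
# /etc/group and /etc/passwd contents below are constructed for the demo;
# the function name is my own.

SAMPLE_GROUP='root:x:0:
docker:x:991:deploy,reader
wheel:x:10:admin'

SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
admin:x:1001:1001::/home/admin:/bin/bash
deploy:x:1002:1002::/home/deploy:/bin/bash
reader:x:1003:1003::/home/reader:/bin/bash
ci:x:1004:991::/home/ci:/bin/bash'

# group_members GROUPNAME GROUP_DB PASSWD_DB: print, sorted and one per
# line, the users in GROUPNAME. Two paths lead there: being listed as a
# supplementary member (4th field of /etc/group, the field gpasswd -a edits)
# or having the group as primary gid (4th field of /etc/passwd). Looking
# only at the group line misses the second path. Fails if the group is absent.
group_members() {
    name=$1 group_db=$2 passwd_db=$3
    line=$(printf '%s\n' "$group_db" | awk -F: -v g="$name" '$1 == g')
    [ -n "$line" ] || return 1
    gid=$(printf '%s' "$line" | cut -d: -f3)
    {
        # supplementary members, comma separated in the group line
        printf '%s' "$line" | cut -d: -f4 | tr ',' '\n'
        # accounts whose primary group is this gid
        printf '%s\n' "$passwd_db" | awk -F: -v gid="$gid" '$4 == gid { print $1 }'
    } | grep -v '^$' | sort -u
}

# Demo on the constructed databases: prints ci, deploy and reader. Note that
# ci never appears on the docker line of /etc/group and is still a member.
group_members docker "$SAMPLE_GROUP" "$SAMPLE_PASSWD"
```

On a real host run `group_members docker "$(getent group)" "$(getent passwd)"`; every account it prints can drive the daemon exactly as root can, so the list should match the people you intended to grant that with option 1 and nobody else.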