How to replace lsof inside Docker (native, not LXC-based)


16

I'm somewhat confused, because lsof -i gives no output whatsoever inside a Docker container.

Example (all commands/output from inside the container):

[1] root@ec016481cf5f:/# lsof -i
[1] root@ec016481cf5f:/# netstat -tulpn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -
tcp6       0      0 :::22                   :::*                    LISTEN      -

Also note that netstat shows neither a PID nor a program name. fuser also gives some confusing output and likewise cannot pinpoint the PID.

Can anyone shed some light on this?

  • How can I substitute for lsof -i (and also see the process name!)?
  • Why is the output of netstat also reduced?

Note: the container runs with "ExecDriver": "native-0.1", i.e. Docker's own execution layer, not LXC.


[1] root@ec016481cf5f:/# fuser -a4n tcp 22
Cannot stat file /proc/1/fd/0: Permission denied
Cannot stat file /proc/1/fd/1: Permission denied
Cannot stat file /proc/1/fd/2: Permission denied
Cannot stat file /proc/1/fd/3: Permission denied
Cannot stat file /proc/1/fd/255: Permission denied
Cannot stat file /proc/6377/fd/0: Permission denied
Cannot stat file /proc/6377/fd/1: Permission denied
Cannot stat file /proc/6377/fd/2: Permission denied
Cannot stat file /proc/6377/fd/3: Permission denied
Cannot stat file /proc/6377/fd/4: Permission denied
22/tcp:

(I'm not puzzled by the Permission denied, because of that number. What puzzles me is the empty PID list after 22/tcp.)


# lsof|awk '$1 ~ /^sshd/ && $3 ~ /root/ {print}'
sshd    6377      root  cwd   unknown                        /proc/6377/cwd (readlink: Permission denied)
sshd    6377      root  rtd   unknown                        /proc/6377/root (readlink: Permission denied)
sshd    6377      root  txt   unknown                        /proc/6377/exe (readlink: Permission denied)
sshd    6377      root    0   unknown                        /proc/6377/fd/0 (readlink: Permission denied)
sshd    6377      root    1   unknown                        /proc/6377/fd/1 (readlink: Permission denied)
sshd    6377      root    2   unknown                        /proc/6377/fd/2 (readlink: Permission denied)
sshd    6377      root    3   unknown                        /proc/6377/fd/3 (readlink: Permission denied)
sshd    6377      root    4   unknown                        /proc/6377/fd/4 (readlink: Permission denied)
sshd    6442      root  cwd   unknown                        /proc/6442/cwd (readlink: Permission denied)
sshd    6442      root  rtd   unknown                        /proc/6442/root (readlink: Permission denied)
sshd    6442      root  txt   unknown                        /proc/6442/exe (readlink: Permission denied)
sshd    6442      root    0   unknown                        /proc/6442/fd/0 (readlink: Permission denied)
sshd    6442      root    1   unknown                        /proc/6442/fd/1 (readlink: Permission denied)
sshd    6442      root    2   unknown                        /proc/6442/fd/2 (readlink: Permission denied)
sshd    6442      root    3   unknown                        /proc/6442/fd/3 (readlink: Permission denied)
sshd    6442      root    4   unknown                        /proc/6442/fd/4 (readlink: Permission denied)
sshd    6442      root    5   unknown                        /proc/6442/fd/5 (readlink: Permission denied)

There is more output for the connected user, which is also identified correctly, but that's about it. Apparently lsof -i is unable to determine which type a certain "object" is (the restriction to Internet sockets).


What does a plain lsof report? The same?
slm

@slm: excellent question! It doesn't come up empty. Instead it shows a whole bunch of (also sshd-related) lines, some of which could be TCP sockets, e.g. TYPE unknown. Peculiar. Appending the output to my question.
0xC0000022L 2014

If you run strace -s 2000 -o lsof.log lsof -i it may give you some further insight into what is being blocked.
slm

1
@slm: good point. Thanks for the reminder. I'll do it tomorrow, though. strace itself may also be restricted inside the container. Exciting new stuff to learn. Thanks for bouncing ideas around. Have to hit the sack now, though.
0xC0000022L 2014年

FYI: this also breaks netstat -lp. It is definitely caused by AppArmor.
Alan Robertson

Answers:


7

(Note: it's unclear how the asker got into the docker container. I assume docker exec -it CONTAINER bash was used.)

I ran into this issue using a docker image based on centos:7 with docker version 1.9.0. To get around it, I just ran:

docker exec --privileged -it CONTAINER bash

Note the inclusion of --privileged.

My naive understanding of why this is required: docker seems to be striving to make containers more "secure", as described here


4

Ha, the plot thickens. If anyone has a better answer, please write it up and I'll accept it if it's acceptable. But here is the apparent cause. How negligent of me to have overlooked the log files on the host:

Jun 12 01:29:46 hostmachine kernel: [140235.718807] audit_printk_skb: 183 callbacks suppressed
Jun 12 01:29:46 hostmachine kernel: [140235.718810] type=1400 audit(1402536586.521:477): apparmor="DENIED" operation="ptrace" profile="docker-default" pid=3782 comm="lsof" requested_mask="trace" denied_mask="trace" peer="docker-default"
Jun 12 01:29:46 hostmachine kernel: [140235.718860] type=1400 audit(1402536586.521:478): apparmor="DENIED" operation="ptrace" profile="docker-default" pid=3782 comm="lsof" requested_mask="read" denied_mask="read" peer="docker-default"
Jun 12 01:29:46 hostmachine kernel: [140235.718886] type=1400 audit(1402536586.521:479): apparmor="DENIED" operation="ptrace" profile="docker-default" pid=3782 comm="lsof" requested_mask="read" denied_mask="read" peer="docker-default"
Jun 12 01:29:46 hostmachine kernel: [140235.718899] type=1400 audit(1402536586.521:480): apparmor="DENIED" operation="ptrace" profile="docker-default" pid=3782 comm="lsof" requested_mask="read" denied_mask="read" peer="docker-default"
Jun 12 01:29:46 hostmachine kernel: [140235.718921] type=1400 audit(1402536586.521:481): apparmor="DENIED" operation="ptrace" profile="docker-default" pid=3782 comm="lsof" requested_mask="read" denied_mask="read" peer="docker-default"
Jun 12 01:29:46 hostmachine kernel: [140235.718954] type=1400 audit(1402536586.521:482): apparmor="DENIED" operation="ptrace" profile="docker-default" pid=3782 comm="lsof" requested_mask="read" denied_mask="read" peer="docker-default"
Jun 12 01:29:46 hostmachine kernel: [140235.719001] type=1400 audit(1402536586.521:483): apparmor="DENIED" operation="ptrace" profile="docker-default" pid=3782 comm="lsof" requested_mask="read" denied_mask="read" peer="docker-default"
Jun 12 01:29:46 hostmachine kernel: [140235.719043] type=1400 audit(1402536586.521:484): apparmor="DENIED" operation="ptrace" profile="docker-default" pid=3782 comm="lsof" requested_mask="read" denied_mask="read" peer="docker-default"
Jun 12 01:29:46 hostmachine kernel: [140235.719086] type=1400 audit(1402536586.521:485): apparmor="DENIED" operation="ptrace" profile="docker-default" pid=3782 comm="lsof" requested_mask="read" denied_mask="read" peer="docker-default"
Jun 12 01:29:46 hostmachine kernel: [140235.719126] type=1400 audit(1402536586.521:486): apparmor="DENIED" operation="ptrace" profile="docker-default" pid=3782 comm="lsof" requested_mask="read" denied_mask="read" peer="docker-default"

So apparmor appears to be the culprit, although I still have to figure out how to convince it to allow this without compromising host/container security, or whether that is even possible without compromising security.
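To see at a glance which tool the docker-default profile is blocking, and for which access, the host log can be tallied. The script below is an added example (not the answerer's code) and runs over constructed lines in the same format as the dmesg excerpt above; it also sums the "callbacks suppressed" counts, because the kernel rate limiter hides most of the denials from the log.

```python
import re
from collections import Counter

# Constructed sample (not copied from the page): host dmesg lines in the format shown
# above, plus the kernel rate-limit notice and an unrelated kernel line.
SAMPLE_LOG = """\
Jun 12 01:29:46 hostmachine kernel: [140235.718807] audit_printk_skb: 183 callbacks suppressed
Jun 12 01:29:46 hostmachine kernel: [140235.718810] type=1400 audit(1402536586.521:477): apparmor="DENIED" operation="ptrace" profile="docker-default" pid=3782 comm="lsof" requested_mask="trace" denied_mask="trace" peer="docker-default"
Jun 12 01:29:46 hostmachine kernel: [140235.718860] type=1400 audit(1402536586.521:478): apparmor="DENIED" operation="ptrace" profile="docker-default" pid=3782 comm="lsof" requested_mask="read" denied_mask="read" peer="docker-default"
Jun 12 01:29:47 hostmachine kernel: [140236.100000] type=1400 audit(1402536587.100:479): apparmor="DENIED" operation="ptrace" profile="docker-default" pid=3790 comm="netstat" requested_mask="read" denied_mask="read" peer="docker-default"
Jun 12 01:29:48 hostmachine kernel: [140237.200000] eth0: link becomes ready
"""

# key=value or key="value" tokens as emitted by the AppArmor audit records
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
SUPPRESSED_RE = re.compile(r"audit_printk_skb: (\d+) callbacks suppressed")


def parse_apparmor_line(line):
    """Return the fields of an AppArmor DENIED audit record as a dict, else None."""
    if 'apparmor="DENIED"' not in line:
        return None
    return {key: value.strip('"') for key, value in KV_RE.findall(line)}


def summarize(log_text):
    """Count denials per (profile, comm, operation, denied_mask, peer) and add up
    the records the kernel rate limiter dropped, which never reach the log."""
    denials = Counter()
    suppressed = 0
    for line in log_text.splitlines():
        match = SUPPRESSED_RE.search(line)
        if match:
            suppressed += int(match.group(1))
            continue
        record = parse_apparmor_line(line)
        if record is None:
            continue
        key = tuple(record.get(f) for f in
                    ("profile", "comm", "operation", "denied_mask", "peer"))
        denials[key] += 1
    return {"denials": denials, "suppressed": suppressed}


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    for (profile, comm, op, mask, peer), count in sorted(result["denials"].items()):
        print(f"{count:4d}  profile={profile} comm={comm} op={op} mask={mask} peer={peer}")
    if result["suppressed"]:
        print(f"note: {result['suppressed']} further audit records were rate-limited")
```

On a real host, feed it the output of dmesg or /var/log/kern.log instead of SAMPLE_LOG; a non-zero suppressed count means the tally is a lower bound.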




2

I ran into this issue too. The problem went away after I disabled apparmor for docker:

$ sudo aa-complain <docker apparmor profile name, "docker-default" on ubuntu>

Reference: https://help.ubuntu.com/community/AppArmor


3
You may want to consider adding more explanation to this answer (e.g. what aa-complain does, or some documentation supporting this solution).
HalosGhost

@HalosGhost sorry, I'm not very familiar with apparmor; I just googled and found a way to disable it. In other words, I don't know why it works or why it doesn't. My host OS is Ubuntu 14.04, so I searched for "ubuntu apparmor" and found help.ubuntu.com/community/AppArmor. Hope this helps.
menghan 2014年

2
I don't have this issue; my concern is the quality of your answer and how helpful (and informative) it is to the OP.
HalosGhost

@HalosGhost thanks for your help, I've re-edited my answer.
menghan 2014年

On Ubuntu 14.04 the command is sudo aa-complain /etc/apparmor.d/docker. Basically it disables AppArmor for the docker process, which means docker can read any file on the system. Before that it could only work with the files allowed in the profile. A better solution would probably be to change the AppArmor rules to allow access to the /proc/pid/fd files.
Martins Balodis
Licensed under cc by-sa 3.0 with attribution required.