普通用户执行docker命令,用不用sudo由你决定
当我们用root身份在服务器部署docker后,如果想用普通用户操作docker应该如何做呢?
[root@shanghai-aliyun ~]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
423435db3a3f nginx "/docker-entrypoint.…" 5 weeks ago Up 3 weeks 0.0.0.0:180->80/tcp nginx_nginx_1
9edbbba02a8b fluentd_fluentd "/bin/entrypoint.sh …" 5 weeks ago Up 5 weeks 5140/tcp, 0.0.0.0:24224->24224/tcp, 0.0.0.0:24224->24224/udp fluentd_fluentd_1
[root@shanghai-aliyun ~]#
# 创建普通用户cntsp
[root@shanghai-aliyun ~]# useradd cntsp
# 给普通用户设置密码
[root@shanghai-aliyun ~]# passwd cntsp
# 切换普通用户身份
[root@shanghai-aliyun ~]# su cntsp
[cntsp@shanghai-aliyun ~]$ pwd
/home/cntsp
[cntsp@shanghai-aliyun ~]$ docker ps
Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Get http://%2Fvar%2Frun%2Fdocker.sock/v1.39/containers/json: dial unix /var/run/docker.sock: connect: permission denied
# 上面说当尝试链接docker守护进程的socket时,获取权限被拒绝# 下面我们在前面加上sudo命令
# Linux sudo命令以系统管理者的身份执行指令,也就是说,经由 sudo 所执行的指令就好像是 root 亲自执行
[cntsp@shanghai-aliyun ~]$ sudo docker ps# 我们相信你已经从当地的系统管理员那里得到了通常的说教
# 通常可以归结为这三件事
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:#1) Respect the privacy of others.#2) Think before you type.#3) With great power comes great responsibility.# 尊重他人隐私# 三思而后行# 权限越大责任越大[sudo] password for cntsp:
cntsp is not in the sudoers file. This incident will be reported.
# cntsp 用户不在 sudoers 文件中,这一事件将被报道
# 貌似加上sudo, docker命令倒是可以执行了,但是没有正确返回,是因为该用户cntsp这时候又没有了sudo权限,根据命令行返回的提示,是因为普通用户cntsp不在/etc/sudoers文件中,那么我们就要好好摆姿摆子这个文件了
分析/etc/sudoers文件
[root@shanghai-aliyun ~]# ls -lh /etc/sudoers
-r--r-----. 1 root root 4.3K Nov 28 2019 /etc/sudoers
# 默认情况下是一个只读文件,并且其他人连读的权限也木有
[root@shanghai-aliyun ~]# cat /etc/sudoers
## Sudoers allows particular users to run various commands as
## the root user, without needing the root password.
#注释:sudoers 允许特别用户去作为root用户运行各种命令,而不需要root密码
##
## Examples are provided at the bottom of the file for collections
## of related commands, which can then be delegated out to particular
## users or groups.
# 注释:文件底部提供了相关命令集合的示例,这些命令可以被委托给特定的用户或者组
##
## This file must be edited with the 'visudo' command.
# 这个文件必须被 visudo 命令编辑 # visudo -f /etc/sudoers## Host Aliases
## Groups of machines. You may prefer to use hostnames (perhaps using
## wildcards for entire domains) or IP addresses instead.
# Host_Alias FILESERVERS = fs1, fs2
# Host_Alias MAILSERVERS = smtp, smtp2## User Aliases
## These aren't often necessary, as you can use regular groups
## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname
## rather than USERALIAS
# User_Alias ADMINS = jsmith, mikem## Command Aliases
## These are groups of related commands...## Networking
# Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool## Installation and management of software
# Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum## Services
# Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig, /usr/bin/systemctl start, /usr/bin/systemctl stop, /usr/bin/systemctl reload, /usr/bin/systemctl restart, /usr/bin/systemctl status, /usr/bin/systemctl enable, /usr/bin/systemctl disable## Updating the locate database
# Cmnd_Alias LOCATE = /usr/bin/updatedb## Storage
# Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount## Delegating permissions
# Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp ## Processes
# Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall## Drivers
# Cmnd_Alias DRIVERS = /sbin/modprobe# Defaults specification#
# Refuse to run if unable to disable echo on the tty.
#
Defaults !visiblepw#
# Preserving HOME has security implications since many programs
# use it when searching for configuration files. Note that HOME
# is already set when the the env_reset option is enabled, so
# this option is only effective for configurations where either
# env_reset is disabled or HOME is present in the env_keep list.
#
Defaults always_set_home
Defaults match_group_by_gid# Prior to version 1.8.15, groups listed in sudoers that were not
# found in the system group database were passed to the group
# plugin, if any. Starting with 1.8.15, only groups of the form
# %:group are resolved via the group plugin by default.
# We enable always_query_group_plugin to restore old behavior.
# Disable this option for new behavior.
Defaults always_query_group_pluginDefaults env_reset
Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS"
Defaults env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"
Defaults env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"
Defaults env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"
Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"#
# Adding HOME to env_keep may enable a user to run unrestricted
# commands via sudo.
#
# Defaults env_keep += "HOME"Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin## Next comes the main part: which users can run what software on
## which machines (the sudoers file can be shared between multiple
## systems).
## Syntax:
##
## user MACHINE=COMMANDS
##
## The COMMANDS section may have other options added to it.
##
## Allow root to run any commands anywhere
root ALL=(ALL) ALL
# 上面root运行任何命令在任何地方
## Allows members of the 'sys' group to run networking, software,
## service management apps and more.
# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS## Allows people in group wheel to run all commands
%wheel ALL=(ALL) ALL
# 允许wheel组内的成员运行所有命令## Same thing without a password
# %wheel ALL=(ALL) NOPASSWD: ALL
# 去掉注释就是允许wheel组内的成员运行所有命令而不需要密码
## Allows members of the users group to mount and unmount the
## cdrom as root
# %users ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom## Allows members of the users group to shutdown this system
# %users localhost=/sbin/shutdown -h now## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment)
#includedir /etc/sudoers.d
下面我们先把cntsp用户加入 wheel 组内,在执行 sudo docker ps 命令
[root@shanghai-aliyun ~]# id cntsp
uid=1003(cntsp) gid=1003(cntsp) groups=1003(cntsp)
[root@shanghai-aliyun ~]# gpasswd -a cntsp wheel
Adding user cntsp to group wheel
[root@shanghai-aliyun ~]#
[root@shanghai-aliyun ~]#
[root@shanghai-aliyun ~]# id cntsp
uid=1003(cntsp) gid=1003(cntsp) groups=1003(cntsp),10(wheel)
[root@shanghai-aliyun ~]#
[root@shanghai-aliyun ~]# su cntsp
[cntsp@shanghai-aliyun root]$
[cntsp@shanghai-aliyun root]$
[cntsp@shanghai-aliyun root]$ pwd
/root
[cntsp@shanghai-aliyun root]$ cd
[cntsp@shanghai-aliyun ~]$ pwd
/home/cntsp
[cntsp@shanghai-aliyun ~]$ sudo docker ps
[sudo] password for cntsp: # 这里需要输入cntsp用户的密码
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
423435db3a3f nginx "/docker-entrypoint.…" 5 weeks ago Up 3 weeks 0.0.0.0:180->80/tcp nginx_nginx_1
9edbbba02a8b fluentd_fluentd "/bin/entrypoint.sh …" 5 weeks ago Up 5 weeks 5140/tcp, 0.0.0.0:24224->24224/tcp, 0.0.0.0:24224->24224/udp fluentd_fluentd_1# 下面我们先切换 root身份 visudo 命令对 /etc/sudoers 文件进行编辑
# 去掉注释 # %wheel ALL=(ALL) NOPASSWD: ALL[root@shanghai-aliyun ~]# visudo -f /etc/sudoers
[root@shanghai-aliyun ~]# # 去掉注释后,我们切换cntsp 用户再次执行 sudo docker ps 命令
[root@shanghai-aliyun ~]# su cntsp
[cntsp@shanghai-aliyun root]$ whoami
cntsp
[cntsp@shanghai-aliyun root]$ sudo docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
423435db3a3f nginx "/docker-entrypoint.…" 5 weeks ago Up 3 weeks 0.0.0.0:180->80/tcp nginx_nginx_1
9edbbba02a8b fluentd_fluentd "/bin/entrypoint.sh …" 5 weeks ago Up 5 weeks 5140/tcp, 0.0.0.0:24224->24224/tcp, 0.0.0.0:24224->24224/udp fluentd_fluentd_1
# 上面命令无需cntsp用户的密码即可执行显示
[cntsp@shanghai-aliyun root]$ docker ps
Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Get http://%2Fvar%2Frun%2Fdocker.sock/v1.39/containers/json: dial unix /var/run/docker.sock: connect: permission denied
# 尼玛,我懒,我漏输入sudo
不好意思,我特懒,我希望普通用户执行docker命令的时候,不要多敲这个sudo命令,想直接 docker ps 就给我正常返回,我们看到的是 /var/run/docker.sock 链接权限拒绝
[cntsp@shanghai-aliyun root]$ ls -lh /var/run/docker.sock
srw-rw---- 1 root docker 0 Jul 14 23:34 /var/run/docker.sock
# 我们把 cntsp 用户加入docker组,先查看有没有docker组
[root@shanghai-aliyun ~]# cat /etc/group |grep docker
dockerroot:x:993:
docker:x:992:
[root@shanghai-aliyun ~]# id cntsp
uid=1003(cntsp) gid=1003(cntsp) groups=1003(cntsp),10(wheel)
[root@shanghai-aliyun ~]# gpasswd -a cntsp docker
Adding user cntsp to group docker
[root@shanghai-aliyun ~]# id cntsp
uid=1003(cntsp) gid=1003(cntsp) groups=1003(cntsp),10(wheel),992(docker)
# 把用户cntsp加入docker组,同时保留原来所在组
# 再次切换为cntsp用户,执行 docker ps
[root@shanghai-aliyun ~]# su cntsp
[cntsp@shanghai-aliyun root]$ docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
423435db3a3f nginx "/docker-entrypoint.…" 5 weeks ago Up 3 weeks 0.0.0.0:180->80/tcp nginx_nginx_1
9edbbba02a8b fluentd_fluentd "/bin/entrypoint.sh …" 5 weeks ago Up 5 weeks 5140/tcp, 0.0.0.0:24224->24224/tcp, 0.0.0.0:24224->24224/udp fluentd_fluentd_1
# 不用sudo命令,docker ps 正常返回了
`
普通用户执行docker命令,用不用sudo由你决定相关推荐
- 设置普通用户执行docker命令,执行docker命令无需输入密码或者切换root用户
每次执行docker命令都要输入密码或者切换root用户,非常不方便,尤其是在shell脚本中就更麻烦了,一起来解决这个问题: 1. 创建名为docker的组,如果之前已经有该组就会提示已存在: su ...
- Linux普通用户无法执行docker命令的解决方法
问题描述 当在Linux系统安装完docker之后,直接使用普通用户执行docker命令,会出现没有权限的错误. 例如执行下面的命令: docker pull ubuntu 会出现 Using def ...
- linux用户的vim命令无效,Linux SUDO Bug可让您以root用户身份运行命令,大多数命令不受影响...
已发现Linux sudo命令中的漏洞,该漏洞可能允许非特权用户以root用户身份执行命令.幸运的是,此漏洞仅在非标准配置中有效,并且大多数Linux服务器不受影响. 在获得此漏洞之前,重要的是要掌握 ...
- 关于docker中执行docker命令的实践
最近在制作给kubernetes jenkins plugin调用的jenkins slave(默认情况下,kubernetes jenkins插件使用的是jenkinsci/jnlp-slave)容 ...
- shell执行docker命令卡挂住_Docker官方文档翻译4
第四篇:Swarms 准备工作 安装Docker版本1.13或更高版本. 安装Docker compose. 安装docker machine 阅读第1 2 3部分的内容. 确保你已发布并推送到注册仓 ...
- docker命令每次需要sudo操作解决方案
操作步骤如下 1.创建docker组:sudo groupadd docker 2.将当前用户加入docker组:sudo gpasswd -a ${USER} docker 3.重启服务:sudo ...
- 执行docker命令,出现Cannot connect to the Docker daemon at unix:///var/run/docker.sock.
执行docker ps命令,出现:Cannot connect to the Docker daemon at unix:///var/run/docker.sock. Is the docker d ...
- 执行docker命令,报错Segmentation fault
执行任何docker命令,都会报错Segmentation fault.之前使用docker的时候并没有出现过类似的错误.在经过排查后,发现可用内存仅为110M,猜测是内存不够用了,所以执行了清理内存 ...
- 普通用户使用docker命令
由于docker 都是root权限启动的容器, 要给研发 登录权限查看log,对于普通用,使用docker是会出现报错, 使用 gpasswd 命令把用户加入到docker组中 gpasswd -a ...
最新文章
- 病毒周报(071029至071104)
- java优先队列的入队函数,算法与数据结构番外(1):优先队列
- (013)java后台开发之Mac系统安装和配置tomcat步骤详解
- Imageloader1-总体简介
- 中台之上(十五):被忽视的产品目录
- ubuntu下面的java一键运行脚本
- 前端学习(2688):重读vue电商网站9之el-menu 默认会有一个 border-right
- 云栖日报丨收购中天微,阿里芯了解一下!
- 中转换成list集合_Java集合、数组与泛型中的几个陷阱,你掉进了几个?
- 为什么我建议你这样实现MySQL分页
- tornado(五)
- 基于51单片机的交通灯设计
- ubuntu18.04卸载Anaconda3
- 如果讲不明白Spring Cloud核心组件,那我就白编故事了
- S-CMS企业建站系统
- You may need an appropriate loader to handle this file type, currently no loaders are configured to
- html5 下一页的代码,jsp实现上一页下一页翻页功能(示例代码)
- phpadmin添加外键索引
- 彩虹Ds网手机商城系统模板源码
- owasp_我的Google夏天的owasp 2020代码之旅
热门文章
- smtp在线发送邮件_基于树莓派3B,利用爬虫、SMTP和发送邮件amp;amp;(爬取墨迹天气预报信息)...
- 手机恢复出厂设置后一直显示无服务器,手机恢复出厂设置后开不了机怎么办【图文教程】...
- 实用的Dock栏快速启动工具:uDock for Mac
- 音乐主页html5模板,Music音乐演唱网站模板
- 恩智浦率先推出超宽带Doherty放大器
- jython mysql_Jython中链接Oracle数据库
- 手把手教你读财报----银行业---第八课
- 用Python分析许嵩的歌,带你追忆青春时的懵懂
- GIS的云计算解决方案
- c语言水仙花数while程序,水仙花数--C语言,for循环,while 循环