
Dockerfile privileged flag for a Docker container (needed because of an Apache ulimit error) on AWS


I would like to start a container with privileges. Manually I can do that directly by typing:

sudo docker run --privileged name/image

But how can I generate a container with privileges from a Dockerfile? Is there any command to do that in the Dockerfile?

In my case I am doing a deployment on Amazon; in case it cannot be done from a Dockerfile, can it be done from the Dockerrun.aws.json?

PS. To give some context to the question, I need privileges in the Docker container to be able to change the ulimit because of Apache.

Edit:

I don't change it locally in the container because in Docker the ulimit of the container is that of the host. That is why the change doesn't affect the container if I change it locally.

1 answer

#1


Running the container with elevated privileges probably raises all sorts of security and reliability issues.

I would suggest that rather than starting the whole Docker session with elevated privileges, which will potentially mean that everything run in it will have elevated privileges, you instead create a Docker container with a changed number set for ulimit.

I am not an expert, but the instructions for creating your own container look clear enough; then sudo vi /etc/security/limits.conf within your new container, change soft nofile and soft nproc, save, and then export the new container seems the way to go. You can then run the new container with normal privilege levels.

The other option that seems to be used in many places is to run multiple container instances so as to avoid congestion issues.
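As an added example (not part of the question or the answer above): the usual way to give the Apache container a larger open-file limit without --privileged is the --ulimit flag of docker run, which sets the limit for the container's processes at start time. A Dockerfile has no instruction for either --privileged or ulimits; both are properties of the running container rather than of the image. The script below only constructs that command line (it does not invoke docker, so it runs anywhere a POSIX shell does) and then uses the shell builtin ulimit to show that an unprivileged process can adjust its own soft limit up to the hard limit, which is what an Apache entrypoint script would do before exec'ing httpd. The image name name/image and the 65536 values are placeholders taken from the question's phrasing, not from any real deployment.

```shell
#!/bin/sh
# Added example, not code from the original question or answer.
# Two non-privileged ways to give Apache a larger open-file limit:
#   1. set it from outside with `docker run --ulimit` (available since Docker 1.6),
#   2. adjust it from inside with the shell builtin `ulimit`, which changes the
#      limit of the calling process and its children only, up to the hard limit.

# Build the docker run command line for the question's placeholder image
# (name/image). Only constructs the string; it does not start a container.
docker_run_cmd() {
    soft="$1"; hard="$2"; image="$3"
    printf 'docker run --ulimit nofile=%s:%s %s\n' "$soft" "$hard" "$image"
}

# What an entrypoint script would do before exec'ing httpd: raise the soft
# nofile limit to the hard limit. No root or --privileged is required because
# an unprivileged process may raise its soft limit up to its hard limit.
# Prints the soft limit in effect afterwards.
raise_soft_to_hard() {
    hard=$(ulimit -H -n)
    ulimit -S -n "$hard"
    ulimit -S -n
}

# Lower the soft limit in a subshell and report it; the parent shell's limit is
# untouched, which shows the limit is per-process rather than container-wide.
soft_limit_in_subshell() {
    ( ulimit -S -n "$1" && ulimit -S -n )
}

# Example run:
docker_run_cmd 65536 65536 name/image
echo "soft limit before: $(ulimit -S -n), hard limit: $(ulimit -H -n)"
echo "soft limit in subshell after lowering to 256: $(soft_limit_in_subshell 256)"
echo "soft limit after raising to hard (subshell): $(raise_soft_to_hard)"
echo "soft limit in this shell is still: $(ulimit -S -n)"
```

The hard limit a container inherits is fixed by the daemon (or by --ulimit) and cannot be raised from inside without CAP_SYS_RESOURCE, so pass the value you need at docker run time; the in-container ulimit call then only has to lift the soft limit to meet it. On ECS, the equivalent per-container settings are the ulimits and privileged fields of a task's container definition; which of these a given Dockerrun.aws.json version exposes is something to check against the Elastic Beanstalk documentation for that version rather than assume.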

