我有以下容器设置。

在裸机服务器上安装并运行了两个 Docker 守护程序。

1. Main Docker Daemon运行我的应用程序容器，将 80/443 暴露给外界。
2. Plugin Docker Daemon运行客户提供的一些容器，这些容器通过 80/443 与我的应用程序通信。

我想让客户访问Plugin Docker Daemon的 API (2376)，以便客户可以部署/启动/停止自己的容器。客户只能访问 API 而不能访问主机 (SSH)。

我目前面临的问题是，如果客户运行的容器执行不安全的操作，例如docker run -v /:/host/root Ubuntu rm -rf /host/root.

我的问题是如何防止Plugin Docker Daemon在外部挂载根目录/或任何其他目录/home/user/，

• 是否可以选择启动 Docker 守护进程/home/user/？
• 我可以使用一些 LSM（Linux 安全模块 SELinux/Apparmor）魔法来阻止 docker 守护进程挂载除用户 home 或 var/docker/libs 之外的部分或所有主机路径吗？
• 可以--userns-remap帮助我实现我的目标吗？
• 除了虚拟机，它们还有其他可用的选项吗？

服务器完全属于单个客户。所以安全或数据泄露不是我最关心的问题。我真正想要防止的是Plugin Daemon中的某个人正在做一些愚蠢的事情，这会影响我在Main Docker Daemon中运行的容器。我想保持精简并坚持仅使用 docker 的工作流程，并且不会为 VM 创建设置额外的工作流程。

问题

我在通过pam_sss.so（在 LXC 容器中，可能相关或不相关）对用户进行身份验证时遇到问题。

# doveadm auth login semenov
Password:
passdb: semenov auth failed
extra fields:
  user=semenov

# tail /var/log/dovecot.log
...
May 02 16:41:40 auth: Debug: auth client connected (pid=11327)
May 02 16:41:40 auth: Debug: client in: AUTH    1   PLAIN   service=doveadm resp=xxxxxxxxxxxxxx (previous base64 data may contain sensitive data)
May 02 16:41:40 auth-worker(11317): Debug: pam(semenov): lookup service=dovecot
May 02 16:41:40 auth-worker(11317): Debug: pam(semenov): #1/1 style=1 msg=Password:
May 02 16:41:40 auth-worker(11317): Info: pam(semenov): pam_authenticate() failed: Authentication service cannot retrieve authentication info
May 02 16:41:42 auth: Debug: client passdb out: FAIL    1   user=semenov

PAM 配置暂时简化到最低限度：

# cat /etc/pam.d/dovecot
auth requisite pam_sss.so
account requisite pam_sss.so
session requisite pam_permit.so
password requisite pam_sss.so

为 pamtester 运行 strace

要检查 PAM 是否配置正确，让我们看看会发生什么pamtester：

# strace -tt -s 2048 pamtester dovecot semenov authenticate
...
16:28:49.898190 getuid()                = 0
16:28:49.898216 getgid()                = 0
16:28:49.898242 stat("/var/lib/sss/pipes/private/pam", {st_mode=S_IFSOCK|0600, st_size=0, ...}) = 0
16:28:49.898276 fstat(-1, 0x7ffd51cb7140) = -1 EBADF (Bad file descriptor)
16:28:49.898304 socket(PF_LOCAL, SOCK_STREAM, 0) = 3
16:28:49.898335 fcntl(3, F_GETFL)       = 0x2 (flags O_RDWR)
16:28:49.898363 fcntl(3, F_SETFL, O_RDWR|O_NONBLOCK) = 0
16:28:49.898389 fcntl(3, F_GETFD)       = 0
16:28:49.898421 fcntl(3, F_SETFD, FD_CLOEXEC) = 0
16:28:49.898449 connect(3, {sa_family=AF_LOCAL, sun_path="/var/lib/sss/pipes/private/pam"}, 110) = 0
16:28:49.898498 fstat(3, {st_mode=S_IFSOCK|0777, st_size=0, ...}) = 0
16:28:49.898537 poll([{fd=3, events=POLLOUT}], 1, 300000) = 1 ([{fd=3, revents=POLLOUT}])
16:28:49.898570 sendto(3, "\24\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0", 16, MSG_NOSIGNAL, NULL, 0) = 16
....
16:28:51.375595 socket(PF_LOCAL, SOCK_DGRAM|SOCK_CLOEXEC, 0) = 4
16:28:51.375624 connect(4, {sa_family=AF_LOCAL, sun_path="/dev/log"}, 110) = 0
16:28:51.375658 sendto(4, "<86>May  2 16:28:51 pamtester: pam_sss(dovecot:auth): authentication success; logname=semenov uid=0 euid=0 tty= ruser= rhost= user=semenov", 138, MSG_NOSIGNAL, NULL, 0) = 138
...
pamtester: successfully authenticated

事实：

• uid/gid 为0
• /var/lib/sss/pipes/private/pam打开正常
• /dev/log打开正常

为 doveadm 运行 strace

# doveadm auth login semenov

然后在另一个控制台中：

# strace -tt -s 2048 -p $(ps aufx|grep 'dovecot/auth -w'|grep -v grep|awk '{print $2}')
...
16:41:40.649304 getuid()                = 0
16:41:40.649331 getgid()                = 0
16:41:40.649358 stat("/var/lib/sss/pipes/private/pam", {st_mode=S_IFSOCK|0600, st_size=0, ...}) = 0
16:41:40.649391 fstat(-1, 0x7ffde94080e0) = -1 EBADF (Bad file descriptor)
16:41:40.649419 socket(PF_LOCAL, SOCK_STREAM, 0) = 7
16:41:40.649450 fcntl(7, F_GETFL)       = 0x2 (flags O_RDWR)
16:41:40.649478 fcntl(7, F_SETFL, O_RDWR|O_NONBLOCK) = 0
16:41:40.649505 fcntl(7, F_GETFD)       = 0
16:41:40.649532 fcntl(7, F_SETFD, FD_CLOEXEC) = 0
16:41:40.649559 connect(7, {sa_family=AF_LOCAL, sun_path="/var/lib/sss/pipes/private/pam"}, 110) = -1 EACCES (Permission denied)
16:41:40.649600 close(7)                = 0
16:41:40.649639 socket(PF_LOCAL, SOCK_DGRAM|SOCK_CLOEXEC, 0) = 7
16:41:40.649667 connect(7, {sa_family=AF_LOCAL, sun_path="/dev/log"}, 110) = -1 EACCES (Permission denied)
16:41:40.649706 close(7)                = 0
....
16:41:40.650284 socket(PF_NETLINK, SOCK_RAW, NETLINK_AUDIT) = 7
16:41:40.650312 fcntl(7, F_SETFD, FD_CLOEXEC) = 0
16:41:40.650342 sendto(7, "\200\0\0\0L\4\5\0\2\0\0\0\0\0\0\0op=PAM:authentication acct=\"semenov\" exe=\"/usr/lib/dovecot/auth\" hostname=? addr=? terminal=dovecot res=failed\0\0", 128, 0, {sa_family=AF_NETLINK, pid=0, groups=00000000}, 12) = 128
16:41:40.650385 poll([{fd=7, events=POLLIN}], 1, 500) = 1 ([{fd=7, revents=POLLIN}])
16:41:40.650417 recvfrom(7, "$\0\0\0\2\0\0\0\2\0\0\0005,\0\0\0\0\0\0\200\0\0\0L\4\5\0\2\0\0\0\0\0\0\0", 8988, MSG_PEEK|MSG_DONTWAIT, {sa_family=AF_NETLINK, pid=0, groups=00000000}, [12]) = 36
16:41:40.650449 recvfrom(7, "$\0\0\0\2\0\0\0\2\0\0\0005,\0\0\0\0\0\0\200\0\0\0L\4\5\0\2\0\0\0\0\0\0\0", 8988, MSG_DONTWAIT, {sa_family=AF_NETLINK, pid=0, groups=00000000}, [12]) = 36
16:41:40.650486 close(7)                = 0
16:41:40.650519 write(2, "\1\00211317 pam(semenov): pam_authenticate() failed: Authentication service cannot retrieve authentication info\n", 108) = 108

事实：

• uid/gid 仍然是0，但是：
• 开幕/var/lib/sss/pipes/private/pam回报EACCES
• 开幕/dev/log回报EACCES

LXC 设置

一切都发生在一个无限制的 LXC 容器中：

# cat /usr/share/lxc/config/common.conf.d/999-my.conf
lxc.aa_profile = unconfined
lxc.cgroup.devices.allow = a
lxc.cap.drop =

在测试期间，这是主机上记录的内容：

May  2 16:41:40 pve kernel: [10218.310055] audit: type=1400 audit(1462185700.636:1342): apparmor="ALLOWED" operation="file_perm" profile="/usr/lib/dovecot/auth" name="/run/dovecot/auth-login" pid=18118 comm="auth" requested_mask="w" denied_mask="w" fsuid=0 ouid=115
May  2 16:41:40 pve kernel: [10218.310067] audit: type=1400 audit(1462185700.636:1344): apparmor="ALLOWED" operation="file_perm" profile="/usr/lib/dovecot/auth" name="/run/dovecot/auth-login" pid=18118 comm="auth" requested_mask="r" denied_mask="r" fsuid=0 ouid=115
May  2 16:41:40 pve kernel: [10218.320050] audit: type=1400 audit(1462185700.644:1346): apparmor="ALLOWED" operation="sendmsg" info="Failed name lookup - disconnected path" error=-13 profile="/usr/lib/dovecot/auth" name="run/systemd/journal/dev-log" pid=18120 comm="auth" requested_mask="w" denied_mask="w" fsuid=0 ouid=0

这在容器上：

May  2 16:41:40 sys kernel: [10218.319942] audit: type=1400 audit(1462185700.644:1345): apparmor="ALLOWED" operation="connect" info="Failed name lookup - disconnected path" error=-13 profile="/usr/lib/dovecot/auth" name="var/lib/sss/pipes/private/pam" pid=18120 comm="auth" requested_mask="wr" denied_mask="wr
" fsuid=0 ouid=0
May  2 16:41:40 sys kernel: [10218.320501] audit: type=1400 audit(1462185700.648:1347): apparmor="ALLOWED" operation="connect" info="Failed name lookup - disconnected path" error=-13 profile="/usr/lib/dovecot/auth" name="var/lib/sss/pipes/private/pam" pid=18120 comm="auth" requested_mask="wr" denied_mask="wr
" fsuid=0 ouid=0
May  2 16:41:40 sys kernel: [10218.320599] audit: type=1400 audit(1462185700.648:1348): apparmor="ALLOWED" operation="sendmsg" info="Failed name lookup - disconnected path" error=-13 profile="/usr/lib/dovecot/auth" name="run/systemd/journal/dev-log" pid=18120 comm="auth" requested_mask="w" denied_mask="w" fs
uid=0 ouid=0

我已经定义了以下配置文件

#include <tunables/global>

/usr/bin/convert.im6 {
  #include <abstractions/base>

  /usr/bin/convert.im6 mr,

  /** mrwlkix,
  set rlimit as <= 8G,
}

并通过aa-enforce /usr/bin/convert.
但是，这个二进制文件的新启动进程根本不会出现aa-status。

可能是因为它们是从 开始的nice -n +19 convert ...吗？
或者是因为另一个具有已定义配置文件的进程正在启动它们？

出了什么问题？如何让 AppArmor 强制执行这些流程？