问题1: CVE-2023-29491
- Type: OS
- 涉及到的包:ncurses-dev,ncurses-libs,ncurses-terminfo-base
- 描述:当前系统安装的ncurses,存在漏洞,当被setuid应用程序使用时,允许本地用户通过在$HOME/中找到的终端数据库文件中的畸形数据触发与安全相关的内存损坏。或通过terminfo或TERM环境变量到达。
解决方案:
升级包到最新版本或者优化稳定版本,如果你和我一样是写dockerfile来进行升级,就需要根据镜像中存在的命令来执行升级
例如我的包是基于nodejs14版本,所以我使用apk命令来进行更新,代码如下:
FROM node:16.14.2-alpine as build
USER root
WORKDIR /app
COPY package.json .npmrc ./
RUN yarn install
COPY . ./
RUN yarn run build
FROM nginx:stable-alpine
COPY --from=build /app/dist/ /usr/share/nginx/html
# 下面这行就是解决方案
RUN apk upgrade ncurses-dev ncurses-libs ncurses-terminfo-base
EXPOSE 80
CMD ["nginx", "-g", "daemon off;"]
问题2: (CIS_Docker_v1.2.0 - 4.1) Image should be created with a non-root user 或者遇到 /var/run/nginx.pid" failed (13: Permission denied)也一样可以采用此方案解决
- Type: CIS
- 描述:当前镜像是使用默认root用户创建的,为保证安全,应该用非root用户创建
解决过程遇到的一些阻碍和收获
调试准备
- 准备好dockerfile
- 在dockerfile所在项目目录下运行命令build
- 等待构建成功后,运行构建的镜像
可参考指令如下:
docker build -t web-test01:v1 .| tee web-test07.build.log
docker run -d -p 8890:80 web-test01:v1
作为一名前端,我遇到了这个问题,刚开始的思路就是去网上搜索答案尝试解决问题,在这个过程中,做了很多尝试,但是某些尝试没有起作用,也许是我的用法不对,所以我把它写下来,希望路过的小伙伴如果有理解为何有些写法不起作用的话,不吝赐教哇,如果有着急看最终解决方案的小伙伴请直接往下拉,最下面是最终解决方案
尝试1:创建非root用户,使用/etc/sudoers给非root用户添加权限,失败告终
/etc/sudoers 的简单介绍:
- sudo的权限控制可以在/etc/sudoers文件中查看到
- 如果想要控制某个用户(或某个组用户)只能执行root权限中的一部分命令, 或者允许某些用户使用sudo时不需要输入密码
- 格式一般都是 root ALL=(ALL) ALL
在dockerfile中我添加了如下代码,尝试了各种写法,均不起作用,请原谅我完全不懂这个东西,我今天晚上写完这篇文章就去学习一下linux基础操作,Ծ‸Ծ
# ...此处省略一些基础代码
RUN adduser -D appuser
# 写法1
RUN echo "appuser ALL=(ALL) ALL" >> /etc/sudoers
# 写法2
# RUN echo 'appuser ALL=(ALL:ALL) ALL' >> /etc/sudoers # ^^ # tab
# 写法3
# RUN echo "appuser ALL=(root) NOPASSWD:HOSTS,HOST" >> /etc/sudoers;
# 写法4
# RUN echo "appuser ALL=(ALL) NOPASSWD: /usr/sbin/reboot,/use/sbin/useradd,/use/sbin/userdel " >> /etc/sudoers
USER appuse
EXPOSE 80
CMD ["nginx", "-g", "daemon off;"]
但是镜像build后,运行的时候还是会很多权限方面的报错,例如
2023/06/03 15:48:07 [emerg] 1#1: open() "/var/run/nginx.pid" failed (13: Permission denied)
nginx: [emerg] open() "/var/run/nginx.pid" failed (13: Permission denied)
尝试2: 在容器中装sudo, 在docker容器中使用非root用户修改/etc/hosts文件,失败告终
# ...此处省略一些基础代码
RUN adduser -D appuser
USER appuse
# 下面的代码没有起作用,请路过的小伙伴不吝赐教,/app/setup/hosts 是ip hostname 对应关系的文件
RUN apk add sudo
RUN sudo chmod 777 /etc/hosts;
RUN cat /app/setup/hosts >> /etc/hosts;
RUN sudo /bin/chmod 644 /etc/hosts;
EXPOSE 80
CMD ["nginx", "-g", "daemon off;"]
尝试3:先创建新用户,然后使用chown添加权限,部分失败告终
# ...此处省略一些基础代码
RUN adduser -D appuser
RUN chown -R appuser /var/cache
RUN chown -R appuser /etc/nginx
# 下面的/ var/run 代码没有起作用,请路过的小伙伴不吝赐教
RUN chown -R appuser /var/run
USER appuser
# RUN chmod -R 755 /etc/nginx
# RUN chmod -R 755 /var/cache
# RUN chmod -R 755 /var/run
EXPOSE 80
CMD ["nginx", "-g", "daemon off;"]
报错如下:
/docker-entrypoint.sh: /docker-entrypoint.d/ is not empty, will attempt to perform configuration
/docker-entrypoint.sh: Looking for shell scripts in /docker-entrypoint.d/
/docker-entrypoint.sh: Launching /docker-entrypoint.d/10-listen-on-ipv6-by-default.sh
10-listen-on-ipv6-by-default.sh: info: Getting the checksum of /etc/nginx/conf.d/default.conf
10-listen-on-ipv6-by-default.sh: info: /etc/nginx/conf.d/default.conf differs from the packaged version
/docker-entrypoint.sh: Launching /docker-entrypoint.d/20-envsubst-on-templates.sh
/docker-entrypoint.sh: Launching /docker-entrypoint.d/30-tune-worker-processes.sh
/docker-entrypoint.sh: Configuration complete; ready for start up
2023/06/03 15:48:07 [warn] 1#1: the "user" directive makes sense only if the master process runs with super-user privileges, ignored in /etc/nginx/nginx.conf:2
nginx: [warn] the "user" directive makes sense only if the master process runs with super-user privileges, ignored in /etc/nginx/nginx.conf:2
2023/06/03 15:48:07 [notice] 1#1: using the "epoll" event method
2023/06/03 15:48:07 [notice] 1#1: nginx/1.24.0
2023/06/03 15:48:07 [notice] 1#1: built by gcc 12.2.1 20220924 (Alpine 12.2.1_git20220924-r4)
2023/06/03 15:48:07 [notice] 1#1: OS: Linux 5.10.104-linuxkit
2023/06/03 15:48:07 [notice] 1#1: getrlimit(RLIMIT_NOFILE): 1048576:1048576
2023/06/03 15:48:07 [emerg] 1#1: open() "/var/run/nginx.pid" failed (13: Permission denied)
nginx: [emerg] open() "/var/run/nginx.pid" failed (13: Permission denied)
Search...
Stick to bottom
最终解决方案:
因为这个项目里有nginx,所以使用了nginx的自带用户,用户组来进行配置了权限,解决此问题
例如下面代码:
# ...此处省略一些基础代码
# 此处使用的是nginx自带的非root账号执行授权
RUN touch /var/run/nginx.pid \
# && chown -R nginx:nginx /app \
# && chmod -R 755 /app \
&& chown -R nginx:nginx /var/cache/nginx \
&& chown -R nginx:nginx /var/log/nginx \
&& chown -R nginx:nginx /etc/nginx/conf.d \
&& chown -R nginx:nginx /var/run/nginx.pid \
&& chown -R nginx:nginx /usr/share/nginx/html \
&& chown -R nginx:nginx /etc/nginx/nginx.conf
# 这部分代码是delete一些用不到的nginx包
RUN apk del nginx-module-image-filter \
&& apk del nginx-module-xslt \
&& apk del nginx-module-geoip \
&& apk del nginx-module-njs \
&& apk del curl
USER nginx
# 请注意,这里一般不要写80,非root用户容易没有权限绑定80端口
EXPOSE 8080
CMD ["nginx", "-g", "daemon off;"]
问题3:bind() to 0.0.0.0:80 failed (13: Permission denied)
XXXXXXXX pm2023/06/05 08:04:39 [warn] 1#1: the "user" directive makes sense only if the master process runs with super-user privileges, ignored in /etc/nginx/nginx.conf:2
XXXXXXXX pmnginx: [warn] the "user" directive makes sense only if the master process runs with super-user privileges, ignored in /etc/nginx/nginx.conf:2
Mon, Jun 5 2023 4:04:41 pm2023/06/05 08:04:39 [emerg] 1#1: bind() to 0.0.0.0:80 failed (13: Permission denied)
Mon, Jun 5 2023 4:04:41 pmnginx: [emerg] bind() to 0.0.0.0:80 failed (13: Permission denied)
问题分析:
某些情况下,非Root用户不能绑定1024以下端口,否则会报错:没有权限绑定该端口
问题解决:
- 修改Dockerfile中的端口配置
- nginx.conf中的端口监听
- k8s.yml中的服务端口暴露配置
- containerPort配置
所有你项目中nginx绑定的都要修改一遍哦~~
代码举例:
问题4:持续更新中
小伙伴们,先写到这里啦,我们明天再见啦~~
大家要天天开心哦
欢迎大家指出文章需要改正之处~
学无止境,合作共赢
