Mandos in Docker

I tried to set up Mandos in a Docker container, but it fails with dbus errors. It is possible to run the server without dbus, but mandos-ctl and mandos-monitor need dbus in order to run.

My Dockerfile:

FROM ubuntu:16.04
RUN locale-gen de_DE.UTF-8
ENV TERM=xterm
RUN apt-get update \
    && apt-get install -y mandos \
        fping \
        dbus \
    && rm -rf /var/lib/apt/lists/*

Build it: docker build -t mandos-server .

If I mount /var/run/dbus and start the container with docker run -v /dev/log:/dev/log -v /var/run/dbus:/var/run/dbus -it mandos-server bash and then start mandos --debug, I get the following error:

2016-06-16 15:26:30,278 root [11]: DEBUG: Did setuid/setgid to 108:111
2016-06-16 15:26:30,280 root [11]: ERROR: Disabling D-Bus:
Traceback (most recent call last):
  File "/usr/sbin/mandos", line 3009, in main
    do_not_queue=True)
  File "/usr/lib/python2.7/dist-packages/dbus/service.py", line 131, in __new__
    retval = bus.request_name(name, name_flags)
  File "/usr/lib/python2.7/dist-packages/dbus/bus.py", line 303, in request_name
    'su', (name, flags))
  File "/usr/lib/python2.7/dist-packages/dbus/connection.py", line 651, in call_blocking
    message, timeout)
DBusException: org.freedesktop.DBus.Error.AccessDenied: Connection ":1.362" is not allowed to own the service "se.recompile.Mandos" due to security policies in the configuration file

Second attempt: start the container without the dbus mount, docker run -v /dev/log:/dev/log -it mandos-server bash, and start dbus manually:

/etc/init.d/dbus start
 * Starting system message bus dbus                                    [ OK ]

mandos --debug then results in the following error:

2016-06-16 15:36:38,338 root [40]: DEBUG: Did setuid/setgid to 108:111
2016-06-16 15:36:38,353 root [40]: WARNING: Could not load persistent state: No such file or directory
2016-06-16 15:36:38,359 root [40]: WARNING: No clients defined
2016-06-16 15:36:38,361 root [40]: INFO: Now listening on address '::', port 39145, flowinfo 0, scope_id 0
2016-06-16 15:36:38,363 dbus.proxies [40]: ERROR: Introspect error on org.freedesktop.Avahi:/: dbus.exceptions.DBusException: org.freedesktop.DBus.Error.Spawn.FileInvalid: Cannot do system-bus activation with no user

2016-06-16 15:36:38,363 dbus.proxies [40]: DEBUG: Executing introspect queue due to error
2016-06-16 15:36:38,363 root [40]: CRITICAL: D-Bus Exception
Traceback (most recent call last):
  File "/usr/sbin/mandos", line 3415, in main
    service.activate()
  File "/usr/sbin/mandos", line 470, in activate
    self.server_state_changed(self.server.GetState())
  File "/usr/lib/python2.7/dist-packages/dbus/proxies.py", line 70, in __call__
    return self._proxy_method(*args, **keywords)
  File "/usr/lib/python2.7/dist-packages/dbus/proxies.py", line 145, in __call__
    **keywords)
  File "/usr/lib/python2.7/dist-packages/dbus/connection.py", line 651, in call_blocking
    message, timeout)
DBusException: org.freedesktop.DBus.Error.Spawn.FileInvalid: Cannot do system-bus activation with no user

Any idea what is going wrong? Maybe a solution?
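The first error ("not allowed to own the service ... due to security policies in the configuration file") is the system bus applying its name-ownership policy. The following is an added example, not code from the question or from the Mandos project: a small simulation of how dbus-daemon decides whether a user may own a bus name, run over constructed policy snippets. The `_mandos` user name, the policy contents, and the assumption that the host's bus had no Mandos policy file installed are illustrative assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample policies in the shape of dbus-daemon's busconfig XML;
# not the real files shipped by Ubuntu or by the mandos package.
SYSTEM_DEFAULTS = """<busconfig>
  <policy context="default"><deny own="*"/></policy>
</busconfig>"""

MANDOS_POLICY = """<busconfig>
  <policy user="_mandos"><allow own="se.recompile.Mandos"/></policy>
</busconfig>"""

def _rule_matches_own(rule, name):
    """True if an <allow>/<deny> rule's own= or own_prefix= covers name."""
    own, prefix = rule.get("own"), rule.get("own_prefix")
    if own is not None:
        return own == "*" or own == name
    if prefix is not None:
        return name == prefix or name.startswith(prefix + ".")
    return False

def may_own(policy_docs, user, groups, name):
    """Decide whether `user` (member of `groups`) may own bus name `name`.
    dbus-daemon order: default policies, then user, group, mandatory ones;
    the last matching rule wins and a name no rule allows is denied."""
    verdict = False
    for stage in ("default", "user", "group", "mandatory"):
        for doc in policy_docs:
            for policy in ET.fromstring(doc).findall("policy"):
                if stage in ("default", "mandatory"):
                    applies = policy.get("context") == stage
                elif stage == "user":
                    applies = policy.get("user") == user
                else:
                    applies = policy.get("group") in groups
                if not applies:
                    continue
                for rule in policy:
                    if rule.tag in ("allow", "deny") and _rule_matches_own(rule, name):
                        verdict = rule.tag == "allow"
    return verdict

# Attempt 1: the host's bus, where the mandos package (and its policy file)
# is assumed not to be installed, so only the default deny applies -> AccessDenied.
def host_bus_allows():
    return may_own([SYSTEM_DEFAULTS], "_mandos", [], "se.recompile.Mandos")

# A bus started inside the container, where the package's policy is present.
def container_bus_allows():
    return may_own([SYSTEM_DEFAULTS, MANDOS_POLICY], "_mandos", [], "se.recompile.Mandos")
```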

The error message (on that line) is not referring to the use of D-Bus by Mandos that can be controlled via mandos-ctl and mandos-monitor; it refers to Mandos using D-Bus to talk to Avahi, in order to ask Avahi to announce the Mandos Zeroconf service. You can either avoid publishing the Zeroconf service by using the --no-zeroconf option (but note that Mandos clients use Zeroconf by default to find the server), or you can make sure that Mandos is able to talk to Avahi from inside the Docker container.

Docker Plex provides the following instructions to solve a similar problem:

Secure method

NOTE: due to some problems inside Plex, it appears not to know its local IP address inside the Docker subnet, preventing local discovery from working. If you really want to use this feature, look below for the insecure method.

Avahi daemon is commonly used to help your computers to find the services provided by a server.

Avahi isn't built into this Docker image because, due to Docker's networking limitations, Avahi can't spread its messages to announce the services outside of the Docker virtual network.

If you want to enable this feature, you can install the Avahi daemon on your host following these steps (Ubuntu version):

  • Install avahi-daemon: run sudo apt-get install avahi-daemon avahi-utils
  • Copy the file from avahi/nsswitch.conf to /etc/nsswitch.conf
  • Copy the service description file from avahi/plex.service to /etc/avahi/services/plex.service
  • Restart Avahi's daemon: sudo /etc/init.d/avahi-daemon restart

But why do you need to install this on your host and not in the container? Because if you don't do it this way, the discovery message won't be able to reach your computers.

What will I get with this approach? The service will be announced on the network, but you will have to log in with your account to detect your server. Also, all the streaming you receive is going to be reduced as if you were on an external network.

While this may be the right idea, I could not find enough similarities in Mandos to complete the procedure successfully. In particular, I did not find a mandos.service (or similar) in any install directory. I would also draw attention to the statement "The service will be announced on the network, but you will have to login with your account to detect your server." It is not clear to me whether this is fatal for Mandos.

I don't know what happened... but my answer to this post was deleted... Here is the complete solution:

Dockerfile:

FROM ubuntu:14.04

RUN apt-get update \
    && apt-get install -y supervisor \
        mandos \
        fping \
        rsyslog \
        dbus \
        avahi-daemon \
        avahi-utils \
        libnss-mdns \
    && mkdir -p /var/log/supervisor \
    && mkdir -p /var/run/rsyslog \
    && mkdir -p /var/run/dbus \
    && sed -i.bak s/xconsole/console/g /etc/rsyslog.conf \
    && rm -rf /var/lib/apt/lists/*

COPY ./config/mandos.conf /etc/mandos/mandos.conf
COPY ./config/clients.conf /etc/mandos/clients.conf
COPY ./config/supervisord.conf /etc/supervisor/conf.d/supervisord.conf

EXPOSE 55555
CMD ["/usr/bin/supervisord", "-c", "/etc/supervisor/conf.d/supervisord.conf"]

Supervisor configuration file:

[supervisord]
nodaemon=true
#loglevel=debug

[program:rsyslog]
command=/usr/sbin/rsyslogd -n
autostart=true
autorestart=true
redirect_stderr=true

[program:dbus]
command=/bin/sh -c "rm /var/run/dbus/pid || true && dbus-daemon --system --nofork"
priority=1
redirect_stderr=true

[program:avahi-daemon]
command=/usr/sbin/avahi-daemon --no-chroot

[program:mandos]
command=mandos --foreground

The mandos.conf and clients.conf files come from the default mandos installation.

Hope this is useful to others.