polkit-gnome-authentication-agent-1 fails to start in docker without the privileged flag
I am using the following docker GUI container:
FROM centos:6
RUN yum -y install epel-release
RUN yum -y groupinstall "X Window System" "Desktop" "General Purpose Desktop"
RUN yum -y install openssh-server x2goserver x2goserver-xsession x2goserver-fmbindings x2goserver-printing pwgen
RUN yum -y reinstall glibc-common # fix some issues (-y so the build does not block on a prompt)
RUN chkconfig sshd on
RUN sed -i "s/UsePAM.*/UsePAM no/g" /etc/ssh/sshd_config
RUN sed -i "s/#PermitRootLogin/PermitRootLogin/g" /etc/ssh/sshd_config
RUN adduser vagrant
RUN echo 'root:vagrant' | chpasswd
RUN echo 'vagrant:vagrant' | chpasswd
RUN service sshd restart
# /run.sh is the container entrypoint: prepare the X socket dir, start D-Bus, then sshd in the foreground
RUN echo '#!/bin/bash' > /run.sh
RUN echo 'mkdir -p /tmp/.X11-unix' >> /run.sh
RUN echo 'chmod 1777 /tmp/.X11-unix' >> /run.sh
RUN echo 'service messagebus start' >> /run.sh
RUN echo 'exec /usr/sbin/sshd -D' >> /run.sh
RUN chmod +x /run.sh
EXPOSE 22
CMD ["/run.sh"]
When I run it without the --privileged flag, polkit-gnome-authentication-agent-1 (the "PolicyKit Authentication Agent" entry in Startup Applications) fails to start, and applications that need root privileges at some stage (for example gpk-application, the "Add/Remove Software" menu item) cannot obtain those privileges.
$ /usr/libexec/polkit-gnome-authentication-agent-1
(polkit-gnome-authentication-agent-1:772): polkit-gnome-1-WARNING **: Unable to determine the session we are in: Remote Exception invoking org.freedesktop.ConsoleKit.Manager.GetSessionForUnixProcess() on /org/freedesktop/ConsoleKit/Manager at name org.freedesktop.ConsoleKit: org.freedesktop.ConsoleKit.Manager.GeneralError: Unable to lookup session information for process '772' org.freedesktop.ConsoleKit.Manager.GeneralError Unable%20to%20lookup%20session%20information%20for%20process%20%27772%27
I do not want to use the --privileged flag, so as a workaround I am modifying the desktop files of such applications to add beesu:
RUN yum -y install beesu
RUN sed -i "s/Exec=gpk-application/Exec=beesu gpk-application/g" /usr/share/applications/gpk-application.desktop
This asks for the root password up front (even if it is not needed in that particular run) and triggers an extra warning that the gpk application should not be run as root.
Is there a better workaround (ideally one that lets polkit-gnome-authentication-agent-1 run successfully)?
My docker host is an Ubuntu 16.04 VM on ESXi 6.5 with apparmor enabled. It seems to me that I need to enable some apparmor capability, but I do not see any apparmor audit records in /var/log/kern.log.
$ docker version
Client:
Version: 1.13.1
API version: 1.26
Go version: go1.7.5
Git commit: 092cba3
Built: Wed Feb 8 06:50:14 2017
OS/Arch: linux/amd64
Server:
Version: 1.13.1
API version: 1.26 (minimum version 1.12)
Go version: go1.7.5
Git commit: 092cba3
Built: Wed Feb 8 06:50:14 2017
OS/Arch: linux/amd64
Experimental: true
$ docker info
Containers: 15
Running: 12
Paused: 0
Stopped: 3
Images: 1083
Server Version: 1.13.1
Storage Driver: zfs
Zpool: zmain
Zpool Health: ONLINE
Parent Dataset: zmain/docker
Space Used By Parent: 25711493632
Space Available: 2017301029888
Parent Quota: no
Compression: on
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
Volume: local
Network: bridge host ipvlan macvlan null overlay
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Init Binary: docker-init
containerd version: aa8187dbd3b7ad67d8e5e3a15115d3eef43a7ed1
runc version: 9df8b306d01f59d3a8029be411de015b7304dd8f
init version: 949e6fa
Security Options:
apparmor
seccomp
Profile: default
Kernel Version: 4.4.0-64-generic
Operating System: Ubuntu 16.04.2 LTS
OSType: linux
Architecture: x86_64
CPUs: 56
Total Memory: 147.6 GiB
Name: dockerl1
ID: 2QMS:5T3N:Y7CT:FFOK:A3PI:VGVB:WHW3:V43D:AHOD:MFX3:WB4C:6UBY
Docker Root Dir: /var/lib/docker
Debug Mode (client): false
Debug Mode (server): false
Registry: https://index.docker.io/v1/
WARNING: No swap limit support
Experimental: true
Insecure Registries:
docker.acme.com
registry-proxy.acme.com
127.0.0.0/8
Registry Mirrors:
registry-proxy.acme.com
Live Restore Enabled: true
I still do not see any apparmor audit records, but I found that adding --cap-add=SYS_PTRACE to docker run solved the problem: polkit-gnome-authentication-agent-1 now runs, and applications that request root privileges start working normally.
I had to use another workaround to disable the updater that asks for the root password after every connection:
RUN echo 'X-GNOME-Autostart-enabled=false' >> /etc/xdg/autostart/gpk-update-icon.desktop
And I asked a separate question about that.
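To confirm that --cap-add=SYS_PTRACE really added only one capability beyond Docker's defaults (rather than the full set that --privileged grants), here is an added example, not part of the original post, that decodes a CapEff mask as shown in /proc/<pid>/status inside the container; the sample masks below are constructed from Docker's documented default capability list.

```shell
#!/bin/sh
# Added example: decode a CapEff hex mask and compare it with Docker's default set.
# Usage inside a container:
#   only_ptrace_added "$(awk '/^CapEff:/{print $2}' /proc/self/status)" && echo ok

# Capability bit numbers from linux/capability.h.
CAP_NAMES="0:chown 1:dac_override 2:dac_read_search 3:fowner 4:fsetid 5:kill \
6:setgid 7:setuid 8:setpcap 9:linux_immutable 10:net_bind_service 11:net_broadcast \
12:net_admin 13:net_raw 14:ipc_lock 15:ipc_owner 16:sys_module 17:sys_rawio \
18:sys_chroot 19:sys_ptrace 20:sys_pacct 21:sys_admin 22:sys_boot 23:sys_nice \
24:sys_resource 25:sys_time 26:sys_tty_config 27:mknod 28:lease 29:audit_write \
30:audit_control 31:setfcap 32:mac_override 33:mac_admin 34:syslog 35:wake_alarm \
36:block_suspend 37:audit_read"

# Constructed from Docker's default capability list (14 capabilities) = 0xa80425fb.
DOCKER_DEFAULT_MASK="00000000a80425fb"

# cap_names HEXMASK -> space-separated names of the capabilities set in the mask
cap_names() {
    mask=$(( 0x$1 )); out=""
    for entry in $CAP_NAMES; do
        bit=${entry%%:*}; name=${entry#*:}
        if [ $(( (mask >> bit) & 1 )) -eq 1 ]; then out="$out $name"; fi
    done
    echo "${out# }"
}

# extra_cap_names HEXMASK -> names granted beyond Docker's default set
extra_cap_names() {
    have=$(( 0x$1 )); base=$(( 0x$DOCKER_DEFAULT_MASK ))
    cap_names "$(printf '%x' $(( have & ~base )))"
}

# only_ptrace_added HEXMASK -> success only if the sole extra capability is sys_ptrace
only_ptrace_added() {
    [ "$(extra_cap_names "$1")" = "sys_ptrace" ]
}
```

A --privileged container (mask 0000003fffffffff on a 4.4 kernel) fails the check, which is the point: the fix above widens the sandbox by exactly one capability, not all of them.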