How to access host machine from Docker container?

Question

I have an application written in PHP and I need to work with the host machine: create a Linux user, copy some files, etc.
Answer 1
Score: 3
Run this program as root outside a container on the host system.

One of the core features of Docker is that a container isn't normally allowed to, for example, reset the host root user's password by writing `/etc/shadow`, or more generally read or write the host filesystem at all. A container is similarly normally forbidden from other system-management tasks like changing the host network configuration. This filesystem isolation, keeping a container process from corrupting key system files, is a primary reason to use Docker at all, and it can't be trivially disabled.

So in particular, "create a user" is precisely the class of dangerous-to-the-host operations that a container process by design is forbidden from doing. More generally, "copy files" is merely hard, but a task whose main purpose is reading and writing host files will generally be much easier to run outside a container.

In theory you can accomplish some of this using bind mounts. For the "copy files" part of the task, in principle you can run something like

```sh
docker run --rm \
  -v "$PWD/here:/input" \
  -v "$PWD/there:/output" \
  your-image
```

and in the container, `/input` and `/output` will be the host's `./here` and `./there` directories.

It's possible to mount the entire host filesystem, `-v /:/host` for example. You could in theory use this to edit `/host/etc/passwd`, or possibly even to chroot(8) back into the host system and effectively escape the container. But at this point you're not really getting much benefit from Docker, and it'll be much easier to run the task outside a container.
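The bind-mount approach from the answer above, as an added example that is not part of the original answer: a small POSIX shell helper that composes the `docker run` command for the "copy files" case, mounts the input directory read-only (Docker's `:ro` mount option), and refuses host paths such as `/` or `/etc` that would hand the container the host filesystem the answer warns about. The deny list and the `/tmp/here`, `/tmp/there` and `your-image` values are assumptions chosen for illustration; the command is printed, not executed, so the script runs without Docker installed.

```sh
#!/bin/sh
# Added example, not from the original answer: build a bind-mount copy command
# while refusing mounts that expose the whole host filesystem.

# bind_mount_allowed HOST_PATH
# Returns 0 if HOST_PATH is acceptable as a bind-mount source, 1 otherwise.
# "/" and anything under /etc are rejected (assumed deny list); relative
# paths are rejected too, since Docker needs an absolute host path.
bind_mount_allowed() {
    _path=$1
    case "$_path" in
        /)           return 1 ;;   # whole host filesystem: the escape case from the answer
        /etc|/etc/*) return 1 ;;   # passwd/shadow live here
        /*)          return 0 ;;
        *)           return 1 ;;   # relative path: caller must resolve it first
    esac
}

# build_copy_cmd SRC_DIR DST_DIR IMAGE
# Prints (does not run) a docker run command that exposes SRC_DIR as /input
# read-only and DST_DIR as /output, the only host path the container can write.
build_copy_cmd() {
    _src=$1
    _dst=$2
    _image=$3
    bind_mount_allowed "$_src" || { echo "refusing to mount $_src" >&2; return 1; }
    bind_mount_allowed "$_dst" || { echo "refusing to mount $_dst" >&2; return 1; }
    printf 'docker run --rm -v %s:/input:ro -v %s:/output %s\n' "$_src" "$_dst" "$_image"
}

# Usage (constructed values): prints the command for copying /tmp/here to /tmp/there.
build_copy_cmd /tmp/here /tmp/there your-image
```

The `:ro` suffix keeps the container from modifying the source tree even if the image is compromised, and the deny list makes the "mount `/` and chroot back out" shortcut an explicit decision rather than a default the script would silently accept.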
Answer 2
Score: 0
I did it via SSH & host.docker.internal:

Dockerfile:

```dockerfile
RUN apt-get update && apt-get upgrade -y && apt-get install -y ssh
# ...
COPY ./.ssh /root/.ssh
RUN chmod 700 /root/.ssh && chmod 644 /root/.ssh/* && chmod 600 /root/.ssh/id_rsa
```

docker-compose.yml:

```yaml
extra_hosts:
  - 'host.docker.internal:host-gateway'
```
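The Dockerfile in the answer above copies the whole `.ssh` directory, private key included, into the image, where it persists in the image layers and travels with every copy of the image. An added example, not part of the original answer, that turns that concern into a check: a POSIX shell function scanning Dockerfile text for `COPY`/`ADD` lines that pull in SSH key material. The sample Dockerfile text is constructed here to mirror the answer (the `FROM debian:bookworm` line is an assumption), and the key-file name pattern is an assumption as well.

```sh
#!/bin/sh
# Added example, not from the original answer: flag Dockerfile lines that bake
# SSH key material into image layers.

# Constructed sample mirroring the answer's Dockerfile (FROM line assumed).
SAMPLE_DOCKERFILE='FROM debian:bookworm
RUN apt-get update && apt-get upgrade -y && apt-get install -y ssh
# ...
COPY ./.ssh /root/.ssh
RUN chmod 700 /root/.ssh && chmod 644 /root/.ssh/* && chmod 600 /root/.ssh/id_rsa'

# Constructed sample of a Dockerfile that copies only application code.
CLEAN_DOCKERFILE='FROM debian:bookworm
RUN apt-get update && apt-get install -y ssh
COPY ./app /var/www/app'

# COPY/ADD instructions whose source or destination names a .ssh directory,
# a default private-key file name, or a .pem file (assumed pattern).
KEY_PATTERN='^[[:space:]]*(COPY|ADD)[[:space:]].*(\.ssh|id_rsa|id_ed25519|id_ecdsa|\.pem)'

# count_baked_keys DOCKERFILE_TEXT
# Prints the number of COPY/ADD lines matching KEY_PATTERN (0 if none).
count_baked_keys() {
    printf '%s\n' "$1" | grep -Eic "$KEY_PATTERN" || true
}

# has_baked_keys DOCKERFILE_TEXT
# Returns 0 if at least one offending line exists, 1 otherwise.
has_baked_keys() {
    printf '%s\n' "$1" | grep -Eiq "$KEY_PATTERN"
}

# report_baked_keys DOCKERFILE_TEXT
# Prints each offending line so the reviewer can see what would end up in a layer.
report_baked_keys() {
    printf '%s\n' "$1" | grep -Ei "$KEY_PATTERN" || true
}

# Usage with the constructed samples.
echo "sample: $(count_baked_keys "$SAMPLE_DOCKERFILE") offending line(s)"
report_baked_keys "$SAMPLE_DOCKERFILE"
echo "clean:  $(count_baked_keys "$CLEAN_DOCKERFILE") offending line(s)"
```

When the check fires, the usual fix is to keep the key out of the image and supply it at run time instead, for example as a read-only bind mount of just the key file or through Compose `secrets`, so the image can be shared or pushed without carrying a credential for the host.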
Comments