11. Опыт
Gentoo и Linux-VServer 2006
OpenSolaris Zones
procfs v1 by flant 2008
jailer by flant 2009
LXC
Docker 2013, осень
Docker 2014, 6 июня
38. Что такое Docker?
capabilities
(2.2 / 1999)
namespaces
(2.6.19 / Nov 2006)
cgroups
(2.6.24 / Jan 2008)
veth
(~ Sep 2007)
aufs
(~ 2006)
overlay
(3.18, Dec 2014)
Docker (~2014)
kernel
39. Что такое Docker?
capabilities
(2.2 / 1999)
namespaces
(2.6.19 / Nov 2006)
cgroups
(2.6.24 / Jan 2008)
veth
(~ Sep 2007)
aufs
(~ 2006)
overlay
(3.18, Dec 2014)
Docker (~2014)
kernel
/* Slide build-up of the unshare demo; the complete program is on slide 45.
 * Leave the current IPC, mount, network, PID and UTS namespaces.
 * NOTE(review): the return value is ignored. Without CAP_SYS_ADMIN this call
 * fails and everything below still runs in the host's namespaces, while the
 * resulting shell looks "isolated". */
43. unshare(CLONE_NEWIPC | CLONE_NEWNS |
CLONE_NEWNET | CLONE_NEWPID |
CLONE_NEWUTS);
/* A new PID namespace applies only to children (see unshare(2)), so fork:
 * the parent merely waits, the child becomes PID 1 of the new namespace. */
if(fork()) {
wait(NULL);
return 0;
}
/* Give the child a /proc that reflects the new PID namespace.
 * NOTE(review): both calls are unchecked; if the mount fails the shell keeps
 * seeing the host's /proc. Whether the umount propagates back to the host
 * depends on the root mount's propagation mode (shared vs. private). */
umount("/proc");
mount("proc", "/proc", "proc", 0, 0);
/* Slide build-up of the unshare demo; the complete program is on slide 45.
 * Leave the current IPC, mount, network, PID and UTS namespaces.
 * NOTE(review): return value ignored; without CAP_SYS_ADMIN the call fails
 * and the shell spawned below runs in the host's namespaces. */
44. unshare(CLONE_NEWIPC | CLONE_NEWNS |
CLONE_NEWNET | CLONE_NEWPID |
CLONE_NEWUTS);
/* Only children land in the new PID namespace (unshare(2)), hence the fork:
 * parent waits, child becomes PID 1 there. */
if(fork()) {
wait(NULL);
return 0;
}
/* Replace the inherited /proc with one matching the new PID namespace.
 * NOTE(review): unchecked; on failure the shell still sees host processes. */
umount("/proc");
mount("proc", "/proc", "proc", 0, 0);
/* Start an interactive shell as PID 1 of the new namespaces.
 * NOTE(review): no capability dropping and no user namespace, so this shell
 * is real root with the full capability set; exec failure is not reported. */
execl("/bin/bash", "/bin/bash", NULL);
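#define _GNU_SOURCE
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/mount.h>
#include <sys/wait.h>

/*
 * Minimal "container" by hand: move into fresh IPC, mount, network, PID and
 * UTS namespaces, give the child its own /proc and hand it an interactive
 * shell.
 *
 * Needs CAP_SYS_ADMIN (root) for unshare(2) and mount(2).  No user namespace
 * is created and no capabilities are dropped, so the shell inside is still
 * real root with the full capability set - this is a namespace demo, not a
 * sandbox.
 *
 * Exit status: the shell's exit status, or EXIT_FAILURE if any setup step
 * fails.
 */
int main(void)
{
    /* If unshare() fails we are still in the host namespaces; continuing
     * would unmount the host's /proc and spawn a shell that merely looks
     * isolated.  Abort instead. */
    if (unshare(CLONE_NEWIPC | CLONE_NEWNS | CLONE_NEWNET | CLONE_NEWPID |
                CLONE_NEWUTS) == -1) {
        perror("unshare");
        return EXIT_FAILURE;
    }

    /* The new mount namespace starts as a copy of the old one.  If the root
     * mount is "shared" (the systemd default) the umount/mount of /proc below
     * would propagate back to the host.  Make everything private first, as
     * unshare(1) does. */
    if (mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL) == -1) {
        perror("mount(/, MS_REC|MS_PRIVATE)");
        return EXIT_FAILURE;
    }

    /* CLONE_NEWPID only takes effect for children: the caller keeps its old
     * PID, the first fork()ed child becomes PID 1 of the new namespace. */
    pid_t child = fork();
    if (child == -1) {
        perror("fork");
        return EXIT_FAILURE;
    }
    if (child > 0) {
        int status;
        if (waitpid(child, &status, 0) == -1) {
            perror("waitpid");
            return EXIT_FAILURE;
        }
        return WIFEXITED(status) ? WEXITSTATUS(status) : EXIT_FAILURE;
    }

    /* Replace the inherited /proc with one that reflects the new PID
     * namespace.  Leaving the old one would expose every host process to the
     * shell and make "ps" lie about the isolation.  nosuid/nodev/noexec
     * match what container runtimes use for /proc. */
    if (umount("/proc") == -1) {
        perror("umount(/proc)");
        _exit(EXIT_FAILURE);
    }
    if (mount("proc", "/proc", "proc",
              MS_NOSUID | MS_NODEV | MS_NOEXEC, NULL) == -1) {
        perror("mount(/proc)");
        _exit(EXIT_FAILURE);
    }

    /* Interactive shell as PID 1 of the new namespaces.  If it dies, every
     * other process in the PID namespace is killed by the kernel. */
    execl("/bin/bash", "/bin/bash", (char *)NULL);
    perror("execl(/bin/bash)");
    _exit(127);
}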
48. # gcc unshare.c -o unshare
# ./unshare
# ps ax
PID TTY STAT TIME COMMAND
1 pts/0 S 0:00 /bin/bash
12 pts/0 R+ 0:00 ps ax
49. # gcc unshare.c -o unshare
# ./unshare
# ps ax
PID TTY STAT TIME COMMAND
1 pts/0 S 0:00 /bin/bash
12 pts/0 R+ 0:00 ps ax
# netstat -natu
… ничего: новое сетевое пространство имён создаётся пустым — без сокетов, с единственным выключенным loopback-интерфейсом
#
/* Slide build-up of the setns demo; the complete program is on slide 61.
 * Join the network namespace of process `pid` through its /proc/<pid>/ns entry.
 * NOTE(review): open() may return -1 and setns() may fail (needs
 * CAP_SYS_ADMIN); neither is checked, nstype 0 skips the kernel's check that
 * the descriptor really is a net namespace, and the fd is never closed. */
54. snprintf(pathbuf, 100, "/proc/%d/ns/net", pid);
setns(open(pathbuf, O_RDONLY), 0);
/* Same for the IPC namespace, same unchecked calls. */
snprintf(pathbuf, 100, "/proc/%d/ns/ipc", pid);
setns(open(pathbuf, O_RDONLY), 0);
/* Slide build-up of the setns demo; the complete program is on slide 61.
 * Join the net, IPC and UTS namespaces of process `pid` one by one.
 * NOTE(review): every open()/setns() result is ignored, so a failure leaves
 * the process only partially joined without any indication. */
55. snprintf(pathbuf, 100, "/proc/%d/ns/net", pid);
setns(open(pathbuf, O_RDONLY), 0);
snprintf(pathbuf, 100, "/proc/%d/ns/ipc", pid);
setns(open(pathbuf, O_RDONLY), 0);
/* UTS namespace: hostname/domainname. */
snprintf(pathbuf, 100, "/proc/%d/ns/uts", pid);
setns(open(pathbuf, O_RDONLY), 0);
/* Slide build-up of the setns demo; the complete program is on slide 61.
 * Join the net, IPC, UTS and PID namespaces of process `pid`.
 * NOTE(review): all open()/setns() results are ignored. */
56. snprintf(pathbuf, 100, "/proc/%d/ns/net", pid);
setns(open(pathbuf, O_RDONLY), 0);
snprintf(pathbuf, 100, "/proc/%d/ns/ipc", pid);
setns(open(pathbuf, O_RDONLY), 0);
snprintf(pathbuf, 100, "/proc/%d/ns/uts", pid);
setns(open(pathbuf, O_RDONLY), 0);
/* PID namespace: per setns(2) this does not move the caller itself, only
 * children created afterwards - hence the fork on the later slides. */
snprintf(pathbuf, 100, "/proc/%d/ns/pid", pid);
setns(open(pathbuf, O_RDONLY), 0);
/* Slide build-up of the setns demo; the complete program is on slide 61.
 * Join all five namespaces of process `pid`.
 * NOTE(review): all open()/setns() results are ignored. */
57. snprintf(pathbuf, 100, "/proc/%d/ns/net", pid);
setns(open(pathbuf, O_RDONLY), 0);
snprintf(pathbuf, 100, "/proc/%d/ns/ipc", pid);
setns(open(pathbuf, O_RDONLY), 0);
snprintf(pathbuf, 100, "/proc/%d/ns/uts", pid);
setns(open(pathbuf, O_RDONLY), 0);
snprintf(pathbuf, 100, "/proc/%d/ns/pid", pid);
setns(open(pathbuf, O_RDONLY), 0);
/* Mount namespace last - presumably because once we are inside the target's
 * mount namespace the /proc these paths come from may no longer be the one
 * we started with. */
snprintf(pathbuf, 100, "/proc/%d/ns/mnt", pid);
setns(open(pathbuf, O_RDONLY), 0);
/* Slide build-up of the setns demo (abridged); the complete program is on
 * slide 61.  Join the namespaces of process `pid`, net first, mnt last.
 * NOTE(review): all open()/setns() results are ignored. */
58. snprintf(pathbuf, 100, "/proc/%d/ns/net", pid);
setns(open(pathbuf, O_RDONLY), 0);
............
snprintf(pathbuf, 100, "/proc/%d/ns/mnt", pid);
setns(open(pathbuf, O_RDONLY), 0);
/* Slide build-up of the setns demo (abridged); the complete program is on
 * slide 61.  Join the namespaces of process `pid`, net first, mnt last.
 * NOTE(review): all open()/setns() results are ignored. */
59. snprintf(pathbuf, 100, "/proc/%d/ns/net", pid);
setns(open(pathbuf, O_RDONLY), 0);
............
snprintf(pathbuf, 100, "/proc/%d/ns/mnt", pid);
setns(open(pathbuf, O_RDONLY), 0);
/* Joining a PID namespace only affects children (setns(2)), so fork: the
 * parent waits, the child is the one that actually lives in the target
 * PID namespace. */
if(fork()) {
wait(NULL);
return 0;
}
/* Slide build-up of the setns demo (abridged); the complete program is on
 * slide 61.  Join the namespaces of process `pid`, net first, mnt last.
 * NOTE(review): all open()/setns() results are ignored. */
60. snprintf(pathbuf, 100, "/proc/%d/ns/net", pid);
setns(open(pathbuf, O_RDONLY), 0);
............
snprintf(pathbuf, 100, "/proc/%d/ns/mnt", pid);
setns(open(pathbuf, O_RDONLY), 0);
/* Joining a PID namespace only affects children (setns(2)), so fork. */
if(fork()) {
wait(NULL);
return 0;
}
/* After the mnt join, /bin/bash resolves inside the target's root: we exec
 * the target's binary with the caller's (root) privileges and capabilities.
 * NOTE(review): exec failure is not reported. */
execl("/bin/bash", "/bin/bash", NULL);
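#define _GNU_SOURCE
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#include <limits.h>
#include <unistd.h>
#include <sys/wait.h>
#include <fcntl.h>

/*
 * Join the namespaces of an existing process (e.g. a container's init) and
 * start a shell there.  Usage: ./setns <pid>
 *
 * Joining namespaces is all this does.  The new shell is NOT moved into the
 * target's cgroups, keeps the caller's full capability set, and no user
 * namespace is joined; those are separate steps (see the later slides).
 * Every setns(2) call needs CAP_SYS_ADMIN in the target namespace's owner.
 *
 * Exit status: the shell's exit status, or EXIT_FAILURE if an argument is
 * bad or any open()/setns()/fork() step fails.
 */
int main(int argc, char **argv)
{
    /* Order matters: mnt is joined last, because after entering the target's
     * mount namespace the /proc we are reading from may no longer be there. */
    static const struct { const char *name; int type; } nsfiles[] = {
        { "net", CLONE_NEWNET },
        { "ipc", CLONE_NEWIPC },
        { "uts", CLONE_NEWUTS },
        { "pid", CLONE_NEWPID },
        { "mnt", CLONE_NEWNS },
    };
    enum { NSCOUNT = sizeof nsfiles / sizeof nsfiles[0] };
    int fds[NSCOUNT];

    if (argc != 2) {
        fprintf(stderr, "usage: %s <pid>\n", argv[0]);
        return EXIT_FAILURE;
    }

    /* strtol instead of atoi so garbage, overflow and non-positive values are
     * rejected rather than silently turned into some other process. */
    errno = 0;
    char *end;
    long pid = strtol(argv[1], &end, 10);
    if (end == argv[1] || *end != '\0' || errno == ERANGE ||
        pid <= 0 || pid > INT_MAX) {
        fprintf(stderr, "%s: invalid pid '%s'\n", argv[0], argv[1]);
        return EXIT_FAILURE;
    }

    /* Open every namespace file before the first setns(): once we have
     * joined the pid or mount namespace, /proc/<pid>/ns/* may resolve
     * differently or not at all, and an unchecked failure would leave a
     * half-joined shell that looks inside while still sharing some host
     * namespaces. */
    char pathbuf[64];
    for (int i = 0; i < NSCOUNT; i++) {
        snprintf(pathbuf, sizeof pathbuf, "/proc/%ld/ns/%s", pid, nsfiles[i].name);
        fds[i] = open(pathbuf, O_RDONLY | O_CLOEXEC);
        if (fds[i] == -1) {
            fprintf(stderr, "open(%s): %s\n", pathbuf, strerror(errno));
            return EXIT_FAILURE;
        }
    }

    /* Passing the expected namespace type makes the kernel verify that the
     * descriptor is that kind of namespace (nstype 0 skips the check).  A
     * failure here means we are only partially joined, so abort rather than
     * spawn a misleading shell. */
    for (int i = 0; i < NSCOUNT; i++) {
        if (setns(fds[i], nsfiles[i].type) == -1) {
            fprintf(stderr, "setns(%s): %s\n", nsfiles[i].name, strerror(errno));
            return EXIT_FAILURE;
        }
        close(fds[i]);
    }

    /* setns(CLONE_NEWPID) does not move the caller itself; only children
     * created afterwards are in the target PID namespace.  Fork and let the
     * child run the shell. */
    pid_t child = fork();
    if (child == -1) {
        perror("fork");
        return EXIT_FAILURE;
    }
    if (child > 0) {
        int status;
        if (waitpid(child, &status, 0) == -1) {
            perror("waitpid");
            return EXIT_FAILURE;
        }
        return WIFEXITED(status) ? WEXITSTATUS(status) : EXIT_FAILURE;
    }

    /* We are now inside the target's mount namespace, so "/bin/bash" is the
     * TARGET's binary, executed with the caller's (root) privileges and full
     * capabilities.  A hostile container image controls what runs here. */
    execl("/bin/bash", "/bin/bash", (char *)NULL);
    perror("execl(/bin/bash)");
    _exit(127);
}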
63. # gcc setns.c -o setns
# pstree -p $(pidof unshare)
unshare(5136)───bash(5137)
64. # gcc setns.c -o setns
# pstree -p $(pidof unshare)
unshare(5136)───bash(5137)
# ./setns 5137
65. # gcc setns.c -o setns
# pstree -p $(pidof unshare)
unshare(5136)───bash(5137)
# ./setns 5137
# ps ax
PID TTY STAT TIME COMMAND
1 pts/0 S+ 0:00 /bin/bash
42 pts/2 S 0:00 /bin/bash
52 pts/2 R+ 0:00 ps ax
66. Что такое Docker?
capabilities
(2.2 / 1999)
namespaces
(2.6.19 / Nov 2006)
cgroups
(2.6.24 / Jan 2008)
veth
(~ Sep 2007)
aufs
(~ 2006)
overlay
(3.18, Dec 2014)
Docker (~2014)
kernel
✔
67. Что такое Docker?
capabilities
(2.2 / 1999)
namespaces
(2.6.19 / Nov 2006)
cgroups
(2.6.24 / Jan 2008)
veth
(~ Sep 2007)
aufs
(~ 2006)
overlay
(3.18, Dec 2014)
Docker (~2014)
kernel
✔
72. # mkdir /sys/fs/cgroup/memory/mygroup
# echo $$ > /sys/fs/cgroup/memory/mygroup/tasks
# cat /proc/$$/cgroup | grep memory
6:memory:/mygroup
# bash
# cat /sys/fs/cgroup/memory/mygroup/tasks
2165
4562
4572
73. # mkdir /sys/fs/cgroup/memory/mygroup
# echo $$ > /sys/fs/cgroup/memory/mygroup/tasks
# cat /proc/$$/cgroup | grep memory
6:memory:/mygroup
# bash
# cat /sys/fs/cgroup/memory/mygroup/tasks
2165
4562
4572
# echo $$ > /sys/fs/cgroup/memory/tasks
# rmdir /sys/fs/cgroup/memory/mygroup
74. # mkdir /sys/fs/cgroup/memory/mygroup
# echo $$ > /sys/fs/cgroup/memory/mygroup/tasks
# cat /proc/$$/cgroup | grep memory
6:memory:/mygroup
# bash
# cat /sys/fs/cgroup/memory/mygroup/tasks
2165
4562
4572
# echo $$ > /sys/fs/cgroup/memory/tasks
# rmdir /sys/fs/cgroup/memory/mygroup
75. Что такое Docker?
capabilities
(2.2 / 1999)
namespaces
(2.6.19 / Nov 2006)
cgroups
(2.6.24 / Jan 2008)
veth
(~ Sep 2007)
aufs
(~ 2006)
overlay
(3.18, Dec 2014)
Docker (~2014)
kernel
✔ ✔
80. Что такое Docker?
capabilities
(2.2 / 1999)
namespaces
(2.6.19 / Nov 2006)
cgroups
(2.6.24 / Jan 2008)
veth
(~ Sep 2007)
aufs
(~ 2006)
overlay
(3.18, Dec 2014)
Docker (~2014)
kernel
84. Что нужно чтобы войти в Docker?
Узнать pid и id контейнера
# docker inspect -f '{{.State.Pid}} {{.Id}}' container_name
85. Что нужно чтобы войти в Docker?
Добавить в cgroup`ы
Узнать pid и id контейнера
86. Что нужно чтобы войти в Docker?
Добавить в cgroup`ы
Узнать pid и id контейнера
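# Move the current shell ($$) into every cgroup the container belongs to.
# CONTAINER_ID is the full id from `docker inspect -f '{{.Id}}'` (slide 84).
#
# The path layout is the cgroup v1 "cgroupfs" driver one; with the systemd
# driver the hierarchy is system.slice/docker-<id>.scope, and on cgroup v2
# there is a single hierarchy with cgroup.procs instead of tasks.  Writing
# to "tasks" moves only the calling thread (fine for a single-threaded
# shell); cgroup.procs would move the whole process.
#
# A plain glob replaces $(ls ...): no word splitting of ls output, and an
# unmatched pattern is caught by the -e test instead of being written to.
for f in /sys/fs/cgroup/*/docker/"$CONTAINER_ID"/tasks; do
    [ -e "$f" ] || continue
    echo $$ > "$f" || echo "cannot join cgroup $f" >&2
done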
87. Что нужно чтобы войти в Docker?
Добавить в cgroup`ы
Узнать pid и id контейнера
Сменить namespace`ы
88. Что нужно чтобы войти в Docker?
Добавить в cgroup`ы
Узнать pid и id контейнера
Сменить namespace`ы
Снять лишние capabilities