./run.sh fails with: Error: readlink /host/proc/1/ns/pid: permission denied #272

Open
leiwuhen92 opened this issue Jan 24, 2024 · 3 comments
@leiwuhen92

Bug description
./run.sh scan container ea7d6c3d7bc7 fails immediately: Error: readlink /host/proc/1/ns/pid: permission denied

Steps to reproduce

  1. Pull the image
    docker pull registry.veinmind.tech/veinmind/veinmind-runner:latest
  2. Download the [veinmind-runner] parallel-container launch script
    wget -q https://download.veinmind.tech/scripts/veinmind-runner-parallel-container-run.sh -O run.sh && chmod +x run.sh
  3. Scan a local container; the error occurs
$ ./run.sh scan container ea7d6c3d7bc7
Error: readlink /host/proc/1/ns/pid: permission denied
Usage:
  veinmind-runner scan container [flags] target

Examples:

1. scan dockerd container (all)
veinmind-runner scan container dockerd:*

Screenshots
image

Environment

  • linux: Ubuntu 18.04.6
  • Docker version: Docker version 20.10.21
  • libveinmind version:
  • veinmind image version:
  • Code version:

Additional notes
I looked at the run.sh file; its contents are as follows:

#!/bin/bash

docker run --rm -v /:/host -v `pwd`:/tool/resource -v /var/run/docker.sock:/var/run/docker.sock registry.veinmind.tech/veinmind/veinmind-runner $*

After adding the privileged flag --privileged, it runs fine.

@leiwuhen92 leiwuhen92 added the bug Something isn't working label Jan 24, 2024
@d1nfinite
Collaborator

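When scanning containers, the parallel-container scan is actually implemented through procfs, so the container must have permission to access procfs. Check whether SELinux is enabled on the machine; that would mean that, by default, there is no permission even when it is mounted.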

@leiwuhen92
Author

@d1nfinite SELinux is not enabled
image

@d1nfinite
Collaborator

@d1nfinite SELinux is not enabled image

OK, we will add the corresponding Capability to the run script later.
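
Added example, not part of the thread and not veinmind-runner's own code: a diagnostic to run inside the scanner container that shows why the readlink on /host/proc/1/ns/pid is refused. Reading /proc/<pid>/ns/* links is governed by a ptrace access-mode check (namespaces(7)); treating CAP_SYS_PTRACE as the capability in question is an assumption, since the thread does not name it, and the function names and script name are hypothetical.

```shell
#!/bin/sh
# Added diagnostic sketch (not from the veinmind project).
# Usage inside the container: sh ns-diag.sh check [/host/proc/1/ns/pid]

CAP_SYS_PTRACE=19   # bit index from linux/capability.h (assumed relevant cap)

# cap_in_mask HEXMASK BIT -> exit status 0 if BIT is set in a CapEff-style mask
cap_in_mask() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# Effective capability mask of this process, as printed in /proc/self/status
current_capeff() {
    awk '/^CapEff:/ {print $2}' /proc/self/status 2>/dev/null
}

diagnose() {
    link=${1:-/host/proc/1/ns/pid}
    # The same operation the scanner reports as failing
    if target=$(readlink "$link" 2>/dev/null); then
        echo "OK:   $link -> $target"
    else
        echo "FAIL: cannot readlink $link"
    fi
    mask=$(current_capeff)
    if [ -n "$mask" ]; then
        if cap_in_mask "$mask" "$CAP_SYS_PTRACE"; then
            echo "CapEff=$mask: CAP_SYS_PTRACE present"
        else
            echo "CapEff=$mask: CAP_SYS_PTRACE missing"
        fi
    fi
    # LSM confinement can still deny the read when the capability is present
    if [ -r /proc/self/attr/current ]; then
        echo "LSM label: $(tr -d '\0' < /proc/self/attr/current)"
    fi
    if [ -r /sys/fs/selinux/enforce ]; then
        echo "SELinux enforce: $(cat /sys/fs/selinux/enforce)"
    fi
}

# Only run the checks when asked to, so the file can also be sourced.
if [ "${1:-}" = "check" ]; then
    diagnose "${2:-}"
fi
```

--privileged grants every capability and lifts the default LSM confinement, so comparing this output with and without it shows which narrower grant the run script actually needs.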
