python - 使用 Postgresql、Supervisord 和 Docker 的 Apparmor 配置文件
问题描述
我正在尝试为管理 Postgres 和 Cron 服务Apparmor的 Docker 容器设置配置文件。Supervisord
我的Apparmor个人资料如下:
# Author: Felix Geyer <debfx@ubuntu.com>
# Source: https://gitlab.com/apparmor/apparmor-profiles/blob/master/ubuntu/18.04/usr.lib.postgresql.bin.postgres
#include <tunables/global>
profile docker-postgres flags=(attach_disconnected,mediate_deleted) {
#include <abstractions/base>
#include <abstractions/nameservice>
#include <abstractions/ssl_keys>
/etc/postgresql/** r,
/usr/share/postgresql/** r,
/var/lib/postgresql/** rwl,
/var/log/cron/** rwl,
/tmp/** rwl,
/supervisord.pid rwl,
/supervisord.log rwl,
/backups rwl,
/{,var/}run/postgresql/** rw,
owner @{PROC}/[0-9]*/oom_adj rw,
}
我有很多卷,因为我将根文件系统设为只读。因此,我的 docker-compose 文件如下所示:
db:
restart: always
container_name: db
build: ./postgres
env_file:
- database.env
ports:
- "127.0.0.1:5432:5432"
volumes:
- ./logs/postgres:/var/lib/postgresql/data/log
- ./logs/cron:/var/log/cron
- pgdata:/var/lib/postgresql/data
- ./postgres/pg_hba.conf:/var/lib/postgresql/data/pg_hba.conf
- ./postgres/postgresql.conf:/var/lib/postgresql/data/postgresql.conf
- ./postgres/tmp:/tmp
- ./postgres/run:/run/postgresql
- ./postgres/var/run:/var/run/postgresql
- ./postgres/supervisord/supervisord.pid:/supervisord.pid
- ./postgres/supervisord/supervisord.log:/supervisord.log
- ./backups:/backups
[Some resources limitations, e.g., cpushares, mem_limit, etc...]
read_only: true
security_opt:
- apparmor=docker-postgres
postgres Dockerfile 如下:
FROM postgres:alpine
LABEL version="1.7.1"
RUN apk update
RUN apk upgrade
RUN apk add --no-cache logrotate
RUN apk add --no-cache supervisor
RUN mkdir /etc/supervisor.d
COPY supervisord.conf /etc/supervisord.conf
COPY db_backup.sh /
COPY crontab.conf /
RUN chown postgres:postgres /db_backup.sh
RUN chown postgres:postgres /crontab.conf
RUN chmod 0755 /db_backup.sh
RUN chmod 0755 /crontab.conf
RUN chmod +x /db_backup.sh
RUN crontab /crontab.conf
USER postgres
RUN chmod 0700 /var/lib/postgresql/data
ENTRYPOINT ["/usr/bin/supervisord", "-c", "/etc/supervisord.conf"]
当我启动容器时,报告由于权限被拒绝而无法打开Apparmor命名卷中的某些文件:pgdata
[ 480.603052] audit: type=1400 audit(1583923769.274:96): apparmor="DENIED" operation="open" profile="docker-postgres" name="/var/lib/docker/overlay2/62c3068f214a9f5e7681eb663bfa7542c8571143e21ae8b8f4b2117e9b7db2d3/diff/usr/lib/python3.8/lib-dynload/" pid=6671 comm="supervisord" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
docker-compose 命令报如下错误:
db exited with code 1
db | Python path configuration:
db | PYTHONHOME = (not set)
db | PYTHONPATH = (not set)
db | program name = '/usr/bin/python3'
db | isolated = 0
db | environment = 1
db | user site = 1
db | import site = 1
db | sys._base_executable = '/usr/bin/python3'
db | sys.base_prefix = '/usr'
db | sys.base_exec_prefix = '/usr'
db | sys.executable = '/usr/bin/python3'
db | sys.prefix = '/usr'
db | sys.exec_prefix = '/usr'
db | sys.path = [
db | '/usr/lib/python38.zip',
db | '/usr/lib/python3.8',
db | '/usr/lib/python3.8/lib-dynload',
db | ]
db | Fatal Python error: init_fs_encoding: failed to get the Python codec of the filesystem encoding
db | Python runtime state: core initialized
db | ModuleNotFoundError: No module named 'encodings'
db |
db | Current thread 0x00007f35c9fcdd48 (most recent call first):
db | <no Python frame>
如果我没记错的话,拒绝的操作是打开我的命名卷中名为 pgdata 的 Python 库。如何允许我的容器通过 apparmor 配置文件访问此目录中的文件?我尝试使用主机卷,但它不起作用。
我已经尝试过执行以下操作:
allow /usr/lib/python[0-9.]* rwl,
allow /usr/bin/python[0-9.]* rwl,
allow /usr/lib/python[0-9.]*/** rwl,
allow /usr/bin/python[0-9.]*/** rwl
但它不起作用......
解决方案
最后,我通过将其添加到容器的 apparmor 配置文件来解决问题:
/var/lib/docker/overlay2/[a-zA-Z0-9]*/diff/usr/lib/python3.8/ r,
推荐阅读
- c# - 如何在 C# 中标准化花哨的 unicode 字符串?
- java - 从 JPanel 获取课程
- email - 尝试连接到 Gmail 的 SMTP
- javascript - Jquery:第一次点击后停止
- node.js - 试图在 Discord bot 中进行决斗功能,但 while 循环导致致命错误
- python - Pandas.cut() 关于分类值
- mysql - 将 SQL 转换为 DQL
- java - 如何在片段上修复我的 FirebaseRecyclerAdapter?
- unity3d - Oculus Quest:在 Oculus Quest 中录制视频
- python - 如果熊猫数据框满足两个不同的要求,则它们将两行相加