V2EX  ›  zhang2587341450  ›  All replies, page 1 of 1
Total replies: 1
15 days ago
Replied to a topic created by zljklang  ›  Broadband Syndrome  ›  iKuai soft router root version
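The new version of iKuai's Docker adds restrictions
- Newly created containers get a mount-path check: mounts are only allowed under /etc/disk_user, i.e. the directories shown in the web UI. If a path crosses outside that directory, the check returns false right away and the container cannot be created.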

__check_srcpath()
{
    local ROOT_PATH="/etc/disk_user"
    local srcpaths="$1"
    for path_dir in ${srcpaths//,/ }; do
        local path_dir=${path_dir//:*/}

        if [ "$path_dir" = "/" ]; then
            echo "$path_dir not found"
            return 1
        fi

        local tmp_dir=${path_dir//\.\./}
        if [ "$tmp_dir" != "$path_dir" ]; then
            echo "$path_dir not found"
            return 1
        fi

        local abs_path="${ROOT_PATH}${path_dir}"

        if [ ! -e "$abs_path" ]; then
            echo "$path_dir not found"
            return 1
        fi
        local dir_arry=(${path_dir//\// })
        local hardlink=$(readlink ${ROOT_PATH}/${dir_arry[0]})

        if [ ! -d "$hardlink" ]; then
            echo "$path_dir not found"
            return 1
        fi
        local i=0
        for dir_one in ${dir_arry[*]}; do
            i=$((i+1))
            [ "$i" = "1" ] && continue
            hardlink+="/$dir_one"
        done
        if [ ! -e "$hardlink" ]; then
            echo "$path_dir not found"
            return 1
        fi
    done
}

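- The config files of existing Docker containers also get a mount-path check; when an abnormal source path is found, the config file is modified and all mount points are removed.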

__check_config_json()
{
    local config_path="$work_path/lib/containers"
    for config_one in $(ls $config_path); do
        local config_path_one="$config_path/$config_one/config.v2.json"
        for mount_one in $(cat $config_path_one |jq .MountPoints|grep "\"Source\"": | awk '{print $2}');
        do
            [ "$mount_one" ] || continue
            local invalid=0
            if [ "${mount_one:1:15}" != "/etc/disk_user/" ]; then
                invalid=1
            fi
            if [ "${mount_one//\.\./}" != "$mount_one" ]; then
                invalid=1
            fi
            if [ "$invalid" = "1" ]; then
                chattr -i $config_path_one
                chattr -a $config_path_one
                cat $config_path_one | jq '.MountPoints = {}' > /tmp/config.$$
                mv /tmp/config.$$ $config_path_one
            fi
        done
    done
}
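
A report-only variant of the same containment rule, as an added example that is not part of the original reply or of the iKuai firmware: it compares canonicalized paths (readlink -f) rather than strings and leaves the config file untouched. The function names are illustrative, and it assumes, as the readlink call in the quoted code suggests, that each entry under the root is a symlink to a storage directory.

```sh
#!/bin/sh
# Added example. ROOT plays the role of /etc/disk_user on the page; the
# function names are illustrative and are not taken from the firmware.

# Print the canonical target of every entry directly under ROOT.
resolve_allowed_targets() {
    for entry in "$1"/*; do
        [ -e "$entry" ] && readlink -f -- "$entry"
    done
    return 0
}

# source_is_allowed ROOT SRC
# Succeeds only if SRC exists and, with every symlink resolved, is one of
# the allowed targets or lies below one.
source_is_allowed() {
    real=$(readlink -f -- "$2") || return 1
    [ -e "$real" ] || return 1
    while IFS= read -r target; do
        [ -n "$target" ] || continue      # no entries under ROOT: allow nothing
        case "$real" in
            "$target" | "$target"/*) return 0 ;;
        esac
    done <<EOF
$(resolve_allowed_targets "$1")
EOF
    return 1
}

# audit_config ROOT CONFIG_JSON
# Report, without modifying anything, each MountPoints Source in a
# config.v2.json that fails the check. Requires jq.
audit_config() {
    bad=0
    while IFS= read -r mount_src; do
        [ -n "$mount_src" ] || continue
        source_is_allowed "$1" "$mount_src" && continue
        printf 'outside allowed root: %s\n' "$mount_src"
        bad=1
    done <<EOF
$(jq -r '.MountPoints[]?.Source // empty' "$2")
EOF
    return "$bad"
}
```

audit_config returns non-zero when at least one source is reported, so it can gate a scheduled check.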