Recently when using docker container found agetty process cpu usage host up to 100%.
The reason on Google search the next, causing this problem is to use the "/ sbin / init" and "--privileged" parameter when using "docker run" run container.
Use / sbin / init to start a container and add --privileged parameters, equivalent docker container to get a carte blanche permission of the host. In this case the init host init container inside the docker causes confusion.
# Google reference to a passage:
I've done all my testing on them without using --privileged, especially since that's so dangerous (effectively, you're telling this second init process on your system that it's cool to go ahead and manage your system resources, and then giving it access to them as well). I always think of --privileged as a hammer to be used very sparingly.
For reasons of safety, when starting container, docker container system only has a few common linux permissions, it does not have all the permissions real root user. The --privileged = true parameter allows docker container has all rights linux root user.
To solve this problem, in later versions docker docker run added two options parameters "--cap-add" and "--cap-drop".
--cap-add: Get Permissions beyond the default linux
--cap-drop: give up the default linux permissions
Documentation can be found from the official website of the docker, docker container has a default permissions and --cap-add can get permission to expand as follows:
Default Permissions:
| Capability Key |
Capability Description |
| SETPCAP |
Modify process capabilities. |
| MKNOD |
Create special files using mknod(2). |
| AUDIT_WRITE |
Write records to kernel auditing log. |
| CHOWN |
Make arbitrary changes to file UIDs and GIDs (see chown(2)). |
| NET_RAW |
Use RAW and PACKET sockets. |
| DAC_OVERRIDE |
Bypass file read, write, and execute permission checks. |
| FOWNER |
Bypass permission checks on operations that normally require the file system UID of the process to match the UID of the file. |
| FSETID |
Don’t clear set-user-ID and set-group-ID permission bits when a file is modified. |
| KILL |
Bypass permission checks for sending signals. |
| SETGID |
Make arbitrary manipulations of process GIDs and supplementary GID list. |
| SETUID |
Make arbitrary manipulations of process UIDs. |
| NET_BIND_SERVICE |
Bind a socket to internet domain privileged ports (port numbers less than 1024). |
| SYS_CHROOT |
Use chroot(2), change root directory. |
| SETFCAP |
Set file capabilities. |
Acquired by --cap-add privileges:
| Capability Key |
Capability Description |
| SYS_MODULE |
Load and unload kernel modules. |
| SYS_RAWIO |
Perform I/O port operations (iopl(2) and ioperm(2)). |
| SYS_PACCT |
Use acct(2), switch process accounting on or off. |
| SYS_ADMIN |
Perform a range of system administration operations. |
| SYS_NICE |
Raise process nice value (nice(2), setpriority(2)) and change the nice value for arbitrary processes. |
| SYS_RESOURCE |
Override resource Limits. |
| SYS_TIME |
Set system clock (settimeofday(2), stime(2), adjtimex(2)); set real-time (hardware) clock. |
| SYS_TTY_CONFIG |
Use vhangup(2); employ various privileged ioctl(2) operations on virtual terminals. |
| AUDIT_CONTROL |
Enable and disable kernel auditing; change auditing filter rules; retrieve auditing status and filtering rules. |
| MAC_OVERRIDE |
Allow MAC configuration or state changes. Implemented for the Smack LSM. |
| MAC_ADMIN |
Override Mandatory Access Control (MAC). Implemented for the Smack Linux Security Module (LSM). |
| NET_ADMIN |
Perform various network-related operations. |
| SYSLOG |
Perform privileged syslog(2) operations. |
| DAC_READ_SEARCH |
Bypass file read permission checks and directory read and execute permission checks. |
| LINUX_IMMUTABLE |
Set the FS_APPEND_FL and FS_IMMUTABLE_FL i-node flags. |
| NET_BROADCAST |
Make socket broadcasts, and listen to multicasts. |
| IPC_LOCK |
Lock memory (mlock(2), mlockall(2), mmap(2), shmctl(2)). |
| IPC_OWNER |
Bypass permission checks for operations on System V IPC objects. |
| SYS_PTRACE |
Trace arbitrary processes using ptrace(2). |
| SYS_BOOT |
Use reboot(2) and kexec_load(2), reboot and load a new kernel for later execution. |
| LEASE |
Establish leases on arbitrary files (see fcntl(2)). |
| WAKE_ALARM |
Trigger something that will wake up the system. |
| BLOCK_SUSPEND |
Employ features that can block system suspend. |
所以,在运行容器时,可以不用--privileged参数的尽量不用,用--cap-add参数替代。如果必须使用--privileged=true参数的,可以通过在宿主机和容器中执行以下命令将agetty关闭。
shell> systemctl stop [email protected]
shell> systemctl mask [email protected]
参考资料:
https://github.com/docker/docker/issues/4040
https://docs.docker.com/engine/reference/run/
