2017-02-24

I use the following Dockerfile for a GUI container; polkit-gnome-authentication-agent-1 fails to start when Docker runs it without the --privileged flag.

FROM centos:6

RUN yum -y install epel-release
RUN yum -y groupinstall "X Window System" "Desktop" "General Purpose Desktop"
RUN yum -y install openssh-server x2goserver x2goserver-xsession x2goserver-fmbindings x2goserver-printing pwgen
# -y added so the reinstall does not abort on the confirmation prompt in a non-interactive build
RUN yum -y reinstall glibc-common # fix some issues
RUN chkconfig sshd on
RUN sed -i "s/UsePAM.*/UsePAM no/g" /etc/ssh/sshd_config
RUN sed -i "s/#PermitRootLogin/PermitRootLogin/g" /etc/ssh/sshd_config
RUN adduser vagrant
RUN echo 'root:vagrant' | chpasswd
RUN echo 'vagrant:vagrant' | chpasswd
RUN service sshd restart
# build the container entrypoint: X11 socket dir, D-Bus, then sshd in the foreground
RUN echo '#!/bin/bash' > /run.sh
RUN echo 'mkdir -p /tmp/.X11-unix' >> /run.sh
RUN echo 'chmod 1777 /tmp/.X11-unix' >> /run.sh
RUN echo 'service messagebus start' >> /run.sh
RUN echo 'exec /usr/sbin/sshd -D' >> /run.sh
RUN chmod +x /run.sh
EXPOSE 22
CMD ["/run.sh"]

When I run it without the --privileged flag, polkit-gnome-authentication-agent-1 (the "PolicyKit Authentication Agent" entry in Startup Applications) fails to start, and applications that need root privileges at some stage (for example gpk-application, the Add/Remove Software menu item) cannot obtain those privileges.

$ /usr/libexec/polkit-gnome-authentication-agent-1 

(polkit-gnome-authentication-agent-1:772): polkit-gnome-1-WARNING **: Unable to determine the session we are in: Remote Exception invoking org.freedesktop.ConsoleKit.Manager.GetSessionForUnixProcess() on /org/freedesktop/ConsoleKit/Manager at name org.freedesktop.ConsoleKit: org.freedesktop.ConsoleKit.Manager.GeneralError: Unable to lookup session information for process '772' org.freedesktop.ConsoleKit.Manager.GeneralError Unable%20to%20lookup%20session%20information%20for%20process%20%27772%27 

I don't want to use the --privileged flag, so as a workaround I modified the .desktop files of such applications to add beesu:

RUN yum -y install beesu
RUN sed -i "s/Exec=gpk-application/Exec=beesu gpk-application/g" /usr/share/applications/gpk-application.desktop

This asks for the root password up front (even when it is not needed in that particular run) and triggers an extra warning that gpk-application should not be run as root.

Is there a better workaround (ideally one that lets polkit-gnome-authentication-agent-1 run successfully)?

My Docker host is an Ubuntu 16.04 VM on ESXi 6.5 with apparmor enabled. It seems to me that I need to enable some apparmor capability, but I don't see any audit records in /var/log/kern.log.

$ docker version 
Client: 
Version:  1.13.1 
API version: 1.26 
Go version: go1.7.5 
Git commit: 092cba3 
Built:  Wed Feb 8 06:50:14 2017 
OS/Arch:  linux/amd64 

Server: 
Version:  1.13.1 
API version: 1.26 (minimum version 1.12) 
Go version: go1.7.5 
Git commit: 092cba3 
Built:  Wed Feb 8 06:50:14 2017 
OS/Arch:  linux/amd64 
Experimental: true 

$ docker info 
Containers: 15 
Running: 12 
Paused: 0 
Stopped: 3 
Images: 1083 
Server Version: 1.13.1 
Storage Driver: zfs 
Zpool: zmain 
Zpool Health: ONLINE 
Parent Dataset: zmain/docker 
Space Used By Parent: 25711493632 
Space Available: 2017301029888 
Parent Quota: no 
Compression: on 
Logging Driver: json-file 
Cgroup Driver: cgroupfs 
Plugins: 
Volume: local 
Network: bridge host ipvlan macvlan null overlay 
Swarm: inactive 
Runtimes: runc 
Default Runtime: runc 
Init Binary: docker-init 
containerd version: aa8187dbd3b7ad67d8e5e3a15115d3eef43a7ed1 
runc version: 9df8b306d01f59d3a8029be411de015b7304dd8f 
init version: 949e6fa 
Security Options: 
apparmor 
seccomp 
    Profile: default 
Kernel Version: 4.4.0-64-generic 
Operating System: Ubuntu 16.04.2 LTS 
OSType: linux 
Architecture: x86_64 
CPUs: 56 
Total Memory: 147.6 GiB 
Name: dockerl1 
ID: 2QMS:5T3N:Y7CT:FFOK:A3PI:VGVB:WHW3:V43D:AHOD:MFX3:WB4C:6UBY 
Docker Root Dir: /var/lib/docker 
Debug Mode (client): false 
Debug Mode (server): false 
Registry: https://index.docker.io/v1/ 
WARNING: No swap limit support 
Experimental: true 
Insecure Registries: 
docker.acme.com 
registry-proxy.acme.com 
127.0.0.0/8 
Registry Mirrors: 
registry-proxy.acme.com 
Live Restore Enabled: true 

Answer

I still haven't seen any AppArmor audit records, but I found that adding --cap-add=SYS_PTRACE to docker run solves the problem: polkit-gnome-authentication-agent-1 now runs, and applications that request root privileges after starting work correctly.

I had to use another workaround to disable the update check that asks for the root password after every connection:

RUN echo 'X-GNOME-Autostart-enabled=false' >> /etc/xdg/autostart/gpk-update-icon.desktop

And I have asked a separate question about AppArmor.
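The security point of the answer is the difference between `--privileged` (which hands the container the full capability bounding set and disables the default seccomp and AppArmor confinement) and `--cap-add=SYS_PTRACE` (which adds one capability to Docker's default set and keeps the rest of the confinement in place). The following POSIX shell script is an added example, not code from the question or the answer: it audits a `docker run` argument string offline and reports the capability set the container would end up with, so a reviewer can see what each variant grants. The default capability list is Docker's documented default set for unprivileged containers (as shipped in the 1.13 era); the argument strings are constructed samples.

```shell
#!/bin/sh
# Added example: estimate the capability set a `docker run` invocation grants.
# Not part of the original question or answer.

# Docker's default bounding set for unprivileged containers (Docker 1.13 era).
# Constructed from Docker's documented default list; verify against your daemon
# version if it differs.
DEFAULT_CAPS="CHOWN DAC_OVERRIDE FSETID FOWNER MKNOD NET_RAW SETGID SETUID SETFCAP SETPCAP NET_BIND_SERVICE SYS_CHROOT KILL AUDIT_WRITE"

# effective_caps "<docker run args>"
#   Prints the resulting capability list, or the single word ALL when the
#   invocation grants every capability (--privileged or --cap-add=ALL).
#   Handles both `--cap-add=NAME` and `--cap-add NAME` spellings.
effective_caps() {
    args="$1"
    caps="$DEFAULT_CAPS"
    expect_cap=0
    for tok in $args; do
        if [ "$expect_cap" = 1 ]; then
            expect_cap=0
            [ "$tok" = "ALL" ] && { echo "ALL"; return 0; }
            caps="$caps $tok"
            continue
        fi
        case "$tok" in
            --privileged|--cap-add=ALL) echo "ALL"; return 0 ;;
            --cap-add=*)                caps="$caps ${tok#--cap-add=}" ;;
            --cap-add)                  expect_cap=1 ;;
        esac
    done
    echo "$caps"
}

# count_caps "<docker run args>" -> number of capabilities granted (ALL counts as 1 word,
# so only use it on invocations that did not resolve to ALL).
count_caps() {
    effective_caps "$1" | wc -w | tr -d ' '
}

# grants_all "<docker run args>" -> exit 0 if the run line grants every capability.
# Useful as a lint in a CI script that reviews container launch commands.
grants_all() {
    [ "$(effective_caps "$1")" = "ALL" ]
}

# Constructed sample invocations for the two approaches discussed in the thread.
PRIVILEGED_RUN='-d --privileged -p 2222:22 x2go-gui'
PTRACE_RUN='-d --cap-add=SYS_PTRACE -p 2222:22 x2go-gui'

if grants_all "$PRIVILEGED_RUN"; then
    echo "privileged run: every capability, seccomp and AppArmor disabled"
fi
echo "cap-add run: $(count_caps "$PTRACE_RUN") capabilities -> $(effective_caps "$PTRACE_RUN")"
```

Run it with `sh audit-caps.sh` (any file name works). The script only inspects the argument string; it does not contact the Docker daemon. Docker's default seccomp profile permits the ptrace family of syscalls only when the container holds CAP_SYS_PTRACE, which is why adding that single capability can unblock a session lookup without removing the rest of the confinement that `--privileged` would drop.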
