Machineid can be edited not unique in docker container
lzy370402 opened this issue · comments
I want to use machineid in docker to make sure that machines are unique, but machineid file can be edited in docker.So it happens that docker containers in diffierent machines can have the same machineid.
I would suggest that we use cgroup to determine that we run under docker and than use the hash like string in cgroup as a salt.
Unique literal for docker container: head -1 /proc/self/cgroup|cut -d/ -f3
Usage of Docker: grep -q docker /proc/self/cgroup && echo Docker || echo NO_DOCKER
/proc/self/cgroup
PS H:\> docker run --rm centos:8 /bin/sh -c "cat /proc/self/cgroup"
14:name=systemd:/docker/4531c6cdf6e13484be06e3615ebf4721c51a0b814555b15c210115762fc5b484
13:rdma:/
12:pids:/docker/4531c6cdf6e13484be06e3615ebf4721c51a0b814555b15c210115762fc5b484
11:hugetlb:/docker/4531c6cdf6e13484be06e3615ebf4721c51a0b814555b15c210115762fc5b484
10:net_prio:/docker/4531c6cdf6e13484be06e3615ebf4721c51a0b814555b15c210115762fc5b484
9:perf_event:/docker/4531c6cdf6e13484be06e3615ebf4721c51a0b814555b15c210115762fc5b484
8:net_cls:/docker/4531c6cdf6e13484be06e3615ebf4721c51a0b814555b15c210115762fc5b484
7:freezer:/docker/4531c6cdf6e13484be06e3615ebf4721c51a0b814555b15c210115762fc5b484
6:devices:/docker/4531c6cdf6e13484be06e3615ebf4721c51a0b814555b15c210115762fc5b484
5:memory:/docker/4531c6cdf6e13484be06e3615ebf4721c51a0b814555b15c210115762fc5b484
4:blkio:/docker/4531c6cdf6e13484be06e3615ebf4721c51a0b814555b15c210115762fc5b484
3:cpuacct:/docker/4531c6cdf6e13484be06e3615ebf4721c51a0b814555b15c210115762fc5b484
2:cpu:/docker/4531c6cdf6e13484be06e3615ebf4721c51a0b814555b15c210115762fc5b484
1:cpuset:/docker/4531c6cdf6e13484be06e3615ebf4721c51a0b814555b15c210115762fc5b484
Try different docker images
docker run --rm ubuntu:16.04 /bin/sh -c "head -1 /proc/self/cgroup|cut -d/ -f3"
docker run --rm ubuntu:21.04 /bin/sh -c "head -1 /proc/self/cgroup|cut -d/ -f3"
docker run --rm alpine:3.13.2 /bin/sh -c "head -1 /proc/self/cgroup|cut -d/ -f3"
docker run --rm centos:6 /bin/sh -c "head -1 /proc/self/cgroup|cut -d/ -f3"
docker run --rm centos:7 /bin/sh -c "head -1 /proc/self/cgroup|cut -d/ -f3"
docker run --rm centos:8 /bin/sh -c "head -1 /proc/self/cgroup|cut -d/ -f3"
Output:
2996761066b129c02629c0a96d56cb1a87ff07df43b2ce67085e4010ce384c68
d70a6db52902f2cdbed846644beb78ec2d3c10331157ef6caf4a78c74dd60e88
0ce0ba2f7975cd95f9bb9d72929509f5c5c12c6b87ea53a3aa02de2e30001839
745a00b110b7c73656a1ada91351338f1587dde0a39e264143d3b25994f87816
fc92e7ad9102150d1f1314d0b78523054e7ef0115ecf120a2db5ad1b792a6227
6b28b03a20d07c19e2543c6d658721226ffb6ccbccbd162c144377874332bf2e
Looks like the /proc/self/cgroup works in most cases.
But there are some where could return nothing.
Take a look at:
- https://stackoverflow.com/questions/69002675/on-debian-11-bullseye-proc-self-cgroup-inside-a-docker-container-does-not-sho
- https://stackoverflow.com/questions/68816329/how-to-get-docker-container-id-from-within-the-container-with-cgroup-v2
Another idea is to extract the system from /proc/self/mountinfo.
Here is a PR with this proposal: keygen-sh/py-machineid#3