diff --git a/ruri/en/index.html b/ruri/en/index.html index 7b5eb1d..87ad9a7 100644 --- a/ruri/en/index.html +++ b/ruri/en/index.html @@ -321,6 +321,17 @@ + + @@ -331,6 +342,34 @@ + + + + @@ -510,6 +549,23 @@ + +
Made with Material for MkDocs
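Review bot: The added lines in all three hunks of ruri/en/index.html (+11 at 321, +28 at 342, +17 at 549) are blank in this rendering, so the actual markup change cannot be reviewed here; the only visible context is the "Made with Material for MkDocs" footer line. Since this file is generated MkDocs output, please include the source change that produced it (the docs markdown or mkdocs.yml edit) or paste the rendered hunks, so the new heading/link structure can be checked against the search_index.json regression further down in this same patch.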
diff --git a/ruri/search/search_index.json b/ruri/search/search_index.json index b668b65..7997810 100644 --- a/ruri/search/search_index.json +++ b/ruri/search/search_index.json @@ -1 +1 @@ -{"config":{"lang":["en"],"separator":"[\\s\\-]+","pipeline":["stopWordFilter"]},"docs":[{"location":"","title":"Welcome to ruri official wiki","text":""},{"location":"#choose-your-language","title":"Choose your language:","text":"English \u7b80\u4f53\u4e2d\u6587
Made with Material for MkDocs
"},{"location":"en/","title":"Welcome to ruri official wiki","text":""},{"location":"en/#table-of-contents","title":"Table of contents:","text":""},{"location":"en/#quick-start","title":"Quick start:","text":"quickstart
"},{"location":"en/#container-security","title":"Container Security:","text":"container security
"},{"location":"en/container-security/","title":"Enhance Container Security:","text":"Here are several ways to enhance the security of ruri container, kindly read this document before using ruri.
"},{"location":"en/container-security/#regular","title":"Regular:","text":""},{"location":"en/container-security/#run-rootless-container","title":"Run rootless container:","text":"If your device supports user ns, you can install uidmap and use -r
option with common user, so that you can avoid using root privileges to run the container.
If you can not run rootless container, there's another choice, add a common user in your container and use -E username
to run command as common user instead root. If you don't need any privileges, it's better to enable no_new_privs at the same time.
Ruri will automatically drop unneeded capabilities, but ruri also provides capability control function, you can read capabilities(7) and use -d
option to filter out unnecessary capabilities in container.
Ruri will create the file /.rurienv in container, to avoid security issues, this file is immutable and read-only. But you can also disable creating it using -N
option.
Ruri supports memory cgroup, you can use -l
option to set the limit of memory usage.
Ruri supports unshare, it's recommended to enable this feature for better security. Unshare container will use pivot_root(2) instead chroot(2), so it's more secure.
"},{"location":"en/container-security/#mount-other-mountpoints-as-read-only","title":"Mount other mountpoints as read-only:","text":"Ruri supports using -m
option to mount other device/img/dir into container, if you only need read access to the mountpoint, try using -M
option to make them read-only.
Ruri has a built-in Seccomp profile, you can enable it by using -s
option. If this profile does not fit your needs, you can edit src/seccomp.c and write your own Seccomp rules.
Ruri supports mount /proc with hidepid option, use -i 1/2
to enable it.
Ruri supports enable no_new_privs bit by -n
option, after enabling this, command like sudo
will be unavailable for common user.
Ruri supports mounting the rootfs of container as read-only by using -R
option, this will make all the container read-only.
/dev, /proc and /sys will not be mounted if you enable -j
option.
You can use -x
option to create a new net ns and disable network for container. This needs net ns and will auto enable unshare.
For /dev, ruri will only create necessary devices on it, so that block devices will always be unavailable in container, and as cap_mknod and cap_sys_admin is dropped by default, you can not escape from ruri container by modifying disk partitions.
"},{"location":"en/container-security/#masked-dirs","title":"Masked dirs:","text":"Ruri will mask some directories with tmpfs in /proc and /sys, this can protect the host to avoid security issues.
"},{"location":"en/container-security/#capabilities_1","title":"Capabilities:","text":"Ruri will drop unneeded capabilities by default, so that it can avoid escaping from container.
"},{"location":"en/quickstart/","title":"Quickstart:","text":""},{"location":"en/quickstart/#get-ruri","title":"Get ruri\uff1a","text":"ruri provides binary for arm64, armv7, armhf, riscv64, i386, loong64, s390x, ppc64le and x86_64 platform\uff0cYou can use the following command to download ruri as ./ruri:
wget -q -O - https://getruri.crack.moe | bash -s -- -s
"},{"location":"en/quickstart/#get-a-rootfs","title":"Get a rootfs\uff1a","text":""},{"location":"en/quickstart/#use-rurimarecommend","title":"Use rurima\uff08Recommend\uff09\uff1a","text":"Get alpine edge image:
wget -q -O - https://getrurima.crack.moe | bash -s -- -s\nsudo ./rurima lxc pull -o alpine -v edge -s ./test
BTW, rurima have a built-in ruri, so you can also use rurima r
instead ruri. "},{"location":"en/quickstart/#use-rootfstooldiscarded","title":"Use rootfstool\uff08Discarded\uff09\uff1a","text":"Get alpine edge image:
git clone https://github.com/Moe-hacker/rootfstool\n./rootfstool/rootfstool download -d alpine -v edge\nmkdir test\nsudo tar -xvf rootfs.tar.xz -C test\nrm rootfs.tar.xz
"},{"location":"en/quickstart/#set-up-dns","title":"Set up dns\uff1a","text":"sudo rm test/etc/resolv.conf\necho nameserver 1.1.1.1|sudo tee test/etc/resolv.conf
"},{"location":"en/quickstart/#run-container","title":"Run container\uff1a","text":"sudo ./ruri ./test
"},{"location":"en/quickstart/#thats-all","title":"That's all.","text":""},{"location":"zh/","title":"\u6b22\u8fce\u6765\u5230ruri\u5b98\u65b9wiki","text":""},{"location":"zh/#_1","title":"\u76ee\u5f55:","text":""},{"location":"zh/#_2","title":"\u5feb\u901f\u5f00\u59cb:","text":"\u5feb\u901f\u5f00\u59cb
"},{"location":"zh/#_3","title":"\u5bb9\u5668\u5b89\u5168:","text":"\u5bb9\u5668\u5b89\u5168
"},{"location":"zh/container-security/","title":"\u5982\u4f55\u589e\u5f3a\u5bb9\u5668\u5b89\u5168\uff1a","text":"ruri\u63d0\u4f9b\u4e00\u7cfb\u5217\u5b89\u5168\u9009\u9879\uff0c\u4e0b\u9762\u662f\u5b83\u4eec\u7684\u4f7f\u7528\u8bf4\u660e\uff1a
"},{"location":"zh/container-security/#_2","title":"\u65e5\u5e38\uff1a","text":""},{"location":"zh/container-security/#rootless","title":"\u4f7f\u7528rootless\u5bb9\u5668\uff1a","text":"\u5728\u73b0\u4ee3\u7684GNU/Linux\u4e0a\uff0c\u4e00\u822c\u53ea\u8981\u914d\u7f6e\u597d/etc/subuid\u548c/etc/subgid\uff0c\u5b89\u88c5uidmap\uff08shadow\uff09\u5305\uff0c\u5373\u53ef\u4f7f\u7528rotless\u5bb9\u5668\u3002 \u5982\u679c\u4f60\u7684\u8bbe\u5907\u652f\u6301\uff0c\u53ef\u4ee5\u4f7f\u7528-r
\u9009\u9879\u6765\u4ee5\u666e\u901a\u7528\u6237\u8fd0\u884c\u65e0\u7279\u6743\u5bb9\u5668\u3002
\u5982\u679c\u4f60\u7684\u8bbe\u5907\u4e0d\u652f\u6301\uff0c\u4f60\u8fd8\u6709\u4e00\u4e2a\u9009\u9879\uff0c\u5728\u5bb9\u5668\u4e2d\u521b\u5efa\u4e00\u4e2a\u666e\u901a\u7528\u6237\uff0c\u5e76\u4f7f\u7528-E username
\u9009\u9879\u6765\u4f7f\u7528\u666e\u901a\u7528\u6237\u5728\u5bb9\u5668\u4e2d\u8fd0\u884c\u547d\u4ee4\u3002\u8bf7\u786e\u4fddusername\u5728\u5bb9\u5668\u7684/etc/passwd\u4e2d\u6709\u6b63\u786e\u8bb0\u5f55\u3002 \u5982\u679c\u4f60\u4e0d\u9700\u8981\u4f7f\u7528sudo\uff0c\u53ef\u4ee5\u540c\u65f6\u5f00\u542fno_new_privs\uff08-n
\uff09\u9009\u9879\u3002
ruri\u652f\u6301\u9664\u7f51\u7edc\u5916\u7684\u5e38\u7528\u547d\u540d\u7a7a\u95f4\uff08\u7f51\u7edc\u547d\u540d\u7a7a\u95f4\u4ec5\u7528\u4e8e\u7981\u7528\u7f51\u7edc\uff09\uff0c\u4f60\u53ef\u4ee5\u4f7f\u7528-u
\u9009\u9879\u5c1d\u8bd5\u5f00\u542f\u652f\u6301\u7684\u547d\u540d\u7a7a\u95f4\u3002 unshare\u529f\u80fd\u81f3\u5c11\u4f9d\u8d56mount ns\uff0c\u5e76\u4f1a\u9ed8\u8ba4\u4f7f\u7528pivot_root(2)\u6765\u66ff\u4ee3chroot(2)\u6765\u63d0\u4f9b\u66f4\u9ad8\u7684\u5b89\u5168\u6027\u3002
ruri\u652f\u6301Linux\u7684capability\u63a7\u5236\uff0c\u4f60\u53ef\u4ee5\u4f7f\u7528-d cap/num
\u6765\u79fb\u9664\u4e00\u4e2acapability\uff0c-k
\u6765\u4fdd\u7559\u3002 ruri\u9ed8\u8ba4\u5df2\u7ecf\u79fb\u9664\u4e86\u5927\u90e8\u5206\u53ef\u80fd\u5371\u5bb3\u5bbf\u4e3b\u673a\u7684capability\uff0c\u4f46\u5982\u679c\u4f60\u6709\u5176\u4ed6\u4e0d\u9700\u8981\u7684\u7279\u6743\uff0c\u4e5f\u53ef\u4ee5\u9009\u62e9\u79fb\u9664\u3002
ruri\u9ed8\u8ba4\u4f1a\u5728\u5bb9\u5668\u4e2d\u521b\u5efa/.rurienv
\u6765\u7edf\u4e00\u5bb9\u5668\u914d\u7f6e\uff0c\u8fd9\u4efd\u914d\u7f6e\u6587\u4ef6\u901a\u8fc7\u8bbe\u7f6e\u53ea\u8bfb\u5c5e\u6027\uff08immutable\uff09\u548c\u79fb\u9664\u5bb9\u5668\u4fee\u6539\u6b64\u5c5e\u6027\u7684\u7279\u6743\uff08CAP_LINUX_IMMUTABLE\uff09\u6765\u4fdd\u8bc1\u5b89\u5168\uff0c\u5982\u679c\u4f60\u89c9\u5f97\u8fd8\u4e0d\u591f\u5b89\u5168\uff0c\u53ef\u4ee5\u4f7f\u7528-N
\u9009\u9879\u7981\u7528\u6b64\u6587\u4ef6\u3002
ruri\u652f\u6301cgroup\u7684memory/cpu/cpuset\u63a7\u5236\u7ec4\uff0c\u4f60\u53ef\u4ee5\u4f7f\u7528-l
\u9009\u9879\u6765\u8bbe\u7f6e\u8fd9\u4e9b\u9650\u5236\u3002
ruri\u652f\u6301\u6302\u8f7d\u5916\u90e8\u6302\u8f7d\u70b9\u4e3a\u53ea\u8bfb\uff0c\u5982\u679c\u4f60\u53ea\u9700\u8981\u8bbf\u95ee\u6587\u4ef6\u800c\u4e0d\u9700\u8981\u4fee\u6539\uff0c\u8bf7\u4f7f\u7528-M
\u9009\u9879\u6765\u4ee3\u66ff-m
\u9009\u9879\u3002
ruri\u5185\u7f6e\u4e86\u4e00\u4efd\u9ed1\u540d\u5355\u6a21\u5f0fseccomp\u914d\u7f6e\uff0c\u4f60\u53ef\u4ee5\u4f7f\u7528-s
\u9009\u9879\u6765\u5f00\u542f\u5b83\u3002
ruri\u5185\u7f6e\u7684seccomp\u914d\u7f6e\u8db3\u4ee5\u5e94\u5bf9\u5927\u591a\u5a01\u80c1\uff0c\u4f46\u5982\u679c\u4f60\u9700\u8981\u66f4\u6fc0\u8fdb\u7684\u7b56\u7565\uff0c\u53ef\u4ee5\u624b\u52a8\u7f16\u8f91src/seccomp.c\u6765\u5199\u5165\u81ea\u5df1\u7684\u914d\u7f6e\u6587\u4ef6\u3002
"},{"location":"zh/container-security/#_6","title":"\u6fc0\u8fdb\uff1a","text":""},{"location":"zh/container-security/#hidepid","title":"Hidepid:","text":"ruri\u652f\u6301\u4e3a/proc\u8bbe\u7f6ehidepid\u9009\u9879\uff0c\u4f7f\u7528-i 1/2
\u6765\u5f00\u542f\u3002
\u60a8\u53ef\u4ee5\u4f7f\u7528-n
\u9009\u9879\u6765\u5f00\u542fNO_NEW_PRIVS,\u5f00\u542f\u540esudo\u7b49\u7a0b\u5e8f\u5c06\u65e0\u6cd5\u8fd0\u884c\u3002
\u60a8\u53ef\u4ee5\u4f7f\u7528-R
\u9009\u9879\u6765\u4f7f\u6574\u4e2a\u5bb9\u5668\u6839\u76ee\u5f55\u53ea\u8bfb\u3002\u5f00\u542f\u540e\uff0c/sys\u548c/proc\u4e5f\u5c06\u4e3a\u5b8c\u5168\u53ea\u8bfb\u3002
\u60a8\u53ef\u4ee5\u4f7f\u7528-x
\u9009\u9879\u6765\u5b8c\u5168\u7981\u7528\u5bb9\u5668\u7f51\u7edc\uff0c\u8fd9\u9700\u8981NET\u547d\u540d\u7a7a\u95f4\uff0c\u5e76\u4f1a\u81ea\u52a8\u5f00\u542funshare\u3002
ruri\u9ed8\u8ba4\u8fd8\u63d0\u4f9b\u5982\u4e0b\u5b89\u5168\u9632\u62a4\uff1a
ruri\u4e3aarm64, armv7, armhf, riscv64, i386, loong64, s390x, ppc64le\u548cx86_64\u5e73\u53f0\u63d0\u4f9b\u5b98\u65b9\u4e8c\u8fdb\u5236\uff0c\u4f7f\u7528\u4ee5\u4e0b\u547d\u4ee4\u81ea\u52a8\u4e0b\u8f7d\u4e8c\u8fdb\u5236\u4e3a./ruri:
wget -q -O - https://getruri.crack.moe | bash -s -- -s
"},{"location":"zh/quickstart/#rootfs","title":"\u83b7\u53d6\u4e00\u4e2arootfs\uff1a","text":""},{"location":"zh/quickstart/#rurima","title":"\u4f7f\u7528rurima\uff08\u63a8\u8350\uff09\uff1a","text":"\u83b7\u53d6alpine edge\u955c\u50cf:
wget -q -O - https://getrurima.crack.moe | bash -s -- -s\nsudo ./rurima lxc pull -o alpine -v edge -s ./test
BTW, rurima\u5df2\u7ecf\u5b8c\u6574\u5185\u7f6e\u4e86ruri\uff0c\u6240\u4ee5\u4e8b\u5b9e\u4e0a\u5927\u5bb6\u53ea\u9700\u8981\u4e00\u4e2arurima\u7136\u540erurima r
\u5c31\u80fd\u8c03\u7528ruri\u3002 \u6240\u4ee5\u6211\u4eec\u8fd8\u4e0b\u8f7druri\u5e72\u4ec0\u4e48\u5462 "},{"location":"zh/quickstart/#rootfstool","title":"\u4f7f\u7528rootfstool\uff08\u5df2\u5e9f\u5f03\uff09\uff1a","text":"\u83b7\u53d6alpine edge\u955c\u50cf:
git clone https://github.com/Moe-hacker/rootfstool\n./rootfstool/rootfstool download -d alpine -v edge\nmkdir test\nsudo tar -xvf rootfs.tar.xz -C test\nrm rootfs.tar.xz
"},{"location":"zh/quickstart/#dns","title":"\u914d\u7f6edns\uff1a","text":"sudo rm test/etc/resolv.conf\necho nameserver 1.1.1.1|sudo tee test/etc/resolv.conf
"},{"location":"zh/quickstart/#_2","title":"\u8fd0\u884c\u5bb9\u5668\uff1a","text":"sudo ./ruri ./test
"},{"location":"zh/quickstart/#_3","title":"\u5b8c\u7ed3\u6492\u82b1\uff5e","text":""}]}
\ No newline at end of file
+{"config":{"lang":["en"],"separator":"[\\s\\-]+","pipeline":["stopWordFilter"]},"docs":[{"location":"","title":"Welcome to ruri official wiki","text":""},{"location":"#choose-your-language","title":"Choose your language:","text":""},{"location":"#english","title":"English","text":""},{"location":"#_1","title":"\u7b80\u4f53\u4e2d\u6587","text":"Made with Material for MkDocs
"},{"location":"en/","title":"Welcome to ruri official wiki","text":""},{"location":"en/#table-of-contents","title":"Table of contents:","text":"Here are several ways to enhance the security of ruri container, kindly read this document before using ruri.
"},{"location":"en/container-security/#regular","title":"Regular:","text":""},{"location":"en/container-security/#run-rootless-container","title":"Run rootless container:","text":"If your device supports user ns, you can install uidmap and use -r
option with common user, so that you can avoid using root privileges to run the container.
If you can not run rootless container, there's another choice, add a common user in your container and use -E username
to run command as common user instead root. If you don't need any privileges, it's better to enable no_new_privs at the same time.
Ruri will automatically drop unneeded capabilities, but ruri also provides capability control function, you can read capabilities(7) and use -d
option to filter out unnecessary capabilities in container.
Ruri will create the file /.rurienv in container, to avoid security issues, this file is immutable and read-only. But you can also disable creating it using -N
option.
Ruri supports memory cgroup, you can use -l
option to set the limit of memory usage.
Ruri supports unshare, it's recommended to enable this feature for better security. Unshare container will use pivot_root(2) instead chroot(2), so it's more secure.
"},{"location":"en/container-security/#mount-other-mountpoints-as-read-only","title":"Mount other mountpoints as read-only:","text":"Ruri supports using -m
option to mount other device/img/dir into container, if you only need read access to the mountpoint, try using -M
option to make them read-only.
Ruri has a built-in Seccomp profile, you can enable it by using -s
option. If this profile does not fit your needs, you can edit src/seccomp.c and write your own Seccomp rules.
Ruri supports mount /proc with hidepid option, use -i 1/2
to enable it.
Ruri supports enable no_new_privs bit by -n
option, after enabling this, command like sudo
will be unavailable for common user.
Ruri supports mounting the rootfs of container as read-only by using -R
option, this will make all the container read-only.
/dev, /proc and /sys will not be mounted if you enable -j
option.
You can use -x
option to create a new net ns and disable network for container. This needs net ns and will auto enable unshare.
For /dev, ruri will only create necessary devices on it, so that block devices will always be unavailable in container, and as cap_mknod and cap_sys_admin is dropped by default, you can not escape from ruri container by modifying disk partitions.
"},{"location":"en/container-security/#masked-dirs","title":"Masked dirs:","text":"Ruri will mask some directories with tmpfs in /proc and /sys, this can protect the host to avoid security issues.
"},{"location":"en/container-security/#capabilities_1","title":"Capabilities:","text":"Ruri will drop unneeded capabilities by default, so that it can avoid escaping from container.
"},{"location":"en/quickstart/","title":"Quickstart:","text":""},{"location":"en/quickstart/#get-ruri","title":"Get ruri\uff1a","text":"ruri provides binary for arm64, armv7, armhf, riscv64, i386, loong64, s390x, ppc64le and x86_64 platform\uff0cYou can use the following command to download ruri as ./ruri:
wget -q -O - https://getruri.crack.moe | bash -s -- -s
"},{"location":"en/quickstart/#get-a-rootfs","title":"Get a rootfs\uff1a","text":""},{"location":"en/quickstart/#use-rurimarecommend","title":"Use rurima\uff08Recommend\uff09\uff1a","text":"Get alpine edge image:
wget -q -O - https://getrurima.crack.moe | bash -s -- -s\nsudo ./rurima lxc pull -o alpine -v edge -s ./test
BTW, rurima have a built-in ruri, so you can also use rurima r
instead ruri. "},{"location":"en/quickstart/#use-rootfstooldiscarded","title":"Use rootfstool\uff08Discarded\uff09\uff1a","text":"Get alpine edge image:
git clone https://github.com/Moe-hacker/rootfstool\n./rootfstool/rootfstool download -d alpine -v edge\nmkdir test\nsudo tar -xvf rootfs.tar.xz -C test\nrm rootfs.tar.xz
"},{"location":"en/quickstart/#set-up-dns","title":"Set up dns\uff1a","text":"sudo rm test/etc/resolv.conf\necho nameserver 1.1.1.1|sudo tee test/etc/resolv.conf
"},{"location":"en/quickstart/#run-container","title":"Run container\uff1a","text":"sudo ./ruri ./test
"},{"location":"en/quickstart/#thats-all","title":"That's all.","text":""},{"location":"zh/","title":"\u6b22\u8fce\u6765\u5230ruri\u5b98\u65b9wiki","text":""},{"location":"zh/#_1","title":"\u76ee\u5f55:","text":"ruri\u63d0\u4f9b\u4e00\u7cfb\u5217\u5b89\u5168\u9009\u9879\uff0c\u4e0b\u9762\u662f\u5b83\u4eec\u7684\u4f7f\u7528\u8bf4\u660e\uff1a
"},{"location":"zh/container-security/#_2","title":"\u65e5\u5e38\uff1a","text":""},{"location":"zh/container-security/#rootless","title":"\u4f7f\u7528rootless\u5bb9\u5668\uff1a","text":"\u5728\u73b0\u4ee3\u7684GNU/Linux\u4e0a\uff0c\u4e00\u822c\u53ea\u8981\u914d\u7f6e\u597d/etc/subuid\u548c/etc/subgid\uff0c\u5b89\u88c5uidmap\uff08shadow\uff09\u5305\uff0c\u5373\u53ef\u4f7f\u7528rotless\u5bb9\u5668\u3002 \u5982\u679c\u4f60\u7684\u8bbe\u5907\u652f\u6301\uff0c\u53ef\u4ee5\u4f7f\u7528-r
\u9009\u9879\u6765\u4ee5\u666e\u901a\u7528\u6237\u8fd0\u884c\u65e0\u7279\u6743\u5bb9\u5668\u3002
\u5982\u679c\u4f60\u7684\u8bbe\u5907\u4e0d\u652f\u6301\uff0c\u4f60\u8fd8\u6709\u4e00\u4e2a\u9009\u9879\uff0c\u5728\u5bb9\u5668\u4e2d\u521b\u5efa\u4e00\u4e2a\u666e\u901a\u7528\u6237\uff0c\u5e76\u4f7f\u7528-E username
\u9009\u9879\u6765\u4f7f\u7528\u666e\u901a\u7528\u6237\u5728\u5bb9\u5668\u4e2d\u8fd0\u884c\u547d\u4ee4\u3002\u8bf7\u786e\u4fddusername\u5728\u5bb9\u5668\u7684/etc/passwd\u4e2d\u6709\u6b63\u786e\u8bb0\u5f55\u3002 \u5982\u679c\u4f60\u4e0d\u9700\u8981\u4f7f\u7528sudo\uff0c\u53ef\u4ee5\u540c\u65f6\u5f00\u542fno_new_privs\uff08-n
\uff09\u9009\u9879\u3002
ruri\u652f\u6301\u9664\u7f51\u7edc\u5916\u7684\u5e38\u7528\u547d\u540d\u7a7a\u95f4\uff08\u7f51\u7edc\u547d\u540d\u7a7a\u95f4\u4ec5\u7528\u4e8e\u7981\u7528\u7f51\u7edc\uff09\uff0c\u4f60\u53ef\u4ee5\u4f7f\u7528-u
\u9009\u9879\u5c1d\u8bd5\u5f00\u542f\u652f\u6301\u7684\u547d\u540d\u7a7a\u95f4\u3002 unshare\u529f\u80fd\u81f3\u5c11\u4f9d\u8d56mount ns\uff0c\u5e76\u4f1a\u9ed8\u8ba4\u4f7f\u7528pivot_root(2)\u6765\u66ff\u4ee3chroot(2)\u6765\u63d0\u4f9b\u66f4\u9ad8\u7684\u5b89\u5168\u6027\u3002
ruri\u652f\u6301Linux\u7684capability\u63a7\u5236\uff0c\u4f60\u53ef\u4ee5\u4f7f\u7528-d cap/num
\u6765\u79fb\u9664\u4e00\u4e2acapability\uff0c-k
\u6765\u4fdd\u7559\u3002 ruri\u9ed8\u8ba4\u5df2\u7ecf\u79fb\u9664\u4e86\u5927\u90e8\u5206\u53ef\u80fd\u5371\u5bb3\u5bbf\u4e3b\u673a\u7684capability\uff0c\u4f46\u5982\u679c\u4f60\u6709\u5176\u4ed6\u4e0d\u9700\u8981\u7684\u7279\u6743\uff0c\u4e5f\u53ef\u4ee5\u9009\u62e9\u79fb\u9664\u3002
ruri\u9ed8\u8ba4\u4f1a\u5728\u5bb9\u5668\u4e2d\u521b\u5efa/.rurienv
\u6765\u7edf\u4e00\u5bb9\u5668\u914d\u7f6e\uff0c\u8fd9\u4efd\u914d\u7f6e\u6587\u4ef6\u901a\u8fc7\u8bbe\u7f6e\u53ea\u8bfb\u5c5e\u6027\uff08immutable\uff09\u548c\u79fb\u9664\u5bb9\u5668\u4fee\u6539\u6b64\u5c5e\u6027\u7684\u7279\u6743\uff08CAP_LINUX_IMMUTABLE\uff09\u6765\u4fdd\u8bc1\u5b89\u5168\uff0c\u5982\u679c\u4f60\u89c9\u5f97\u8fd8\u4e0d\u591f\u5b89\u5168\uff0c\u53ef\u4ee5\u4f7f\u7528-N
\u9009\u9879\u7981\u7528\u6b64\u6587\u4ef6\u3002
ruri\u652f\u6301cgroup\u7684memory/cpu/cpuset\u63a7\u5236\u7ec4\uff0c\u4f60\u53ef\u4ee5\u4f7f\u7528-l
\u9009\u9879\u6765\u8bbe\u7f6e\u8fd9\u4e9b\u9650\u5236\u3002
ruri\u652f\u6301\u6302\u8f7d\u5916\u90e8\u6302\u8f7d\u70b9\u4e3a\u53ea\u8bfb\uff0c\u5982\u679c\u4f60\u53ea\u9700\u8981\u8bbf\u95ee\u6587\u4ef6\u800c\u4e0d\u9700\u8981\u4fee\u6539\uff0c\u8bf7\u4f7f\u7528-M
\u9009\u9879\u6765\u4ee3\u66ff-m
\u9009\u9879\u3002
ruri\u5185\u7f6e\u4e86\u4e00\u4efd\u9ed1\u540d\u5355\u6a21\u5f0fseccomp\u914d\u7f6e\uff0c\u4f60\u53ef\u4ee5\u4f7f\u7528-s
\u9009\u9879\u6765\u5f00\u542f\u5b83\u3002
ruri\u5185\u7f6e\u7684seccomp\u914d\u7f6e\u8db3\u4ee5\u5e94\u5bf9\u5927\u591a\u5a01\u80c1\uff0c\u4f46\u5982\u679c\u4f60\u9700\u8981\u66f4\u6fc0\u8fdb\u7684\u7b56\u7565\uff0c\u53ef\u4ee5\u624b\u52a8\u7f16\u8f91src/seccomp.c\u6765\u5199\u5165\u81ea\u5df1\u7684\u914d\u7f6e\u6587\u4ef6\u3002
"},{"location":"zh/container-security/#_6","title":"\u6fc0\u8fdb\uff1a","text":""},{"location":"zh/container-security/#hidepid","title":"Hidepid:","text":"ruri\u652f\u6301\u4e3a/proc\u8bbe\u7f6ehidepid\u9009\u9879\uff0c\u4f7f\u7528-i 1/2
\u6765\u5f00\u542f\u3002
\u60a8\u53ef\u4ee5\u4f7f\u7528-n
\u9009\u9879\u6765\u5f00\u542fNO_NEW_PRIVS,\u5f00\u542f\u540esudo\u7b49\u7a0b\u5e8f\u5c06\u65e0\u6cd5\u8fd0\u884c\u3002
\u60a8\u53ef\u4ee5\u4f7f\u7528-R
\u9009\u9879\u6765\u4f7f\u6574\u4e2a\u5bb9\u5668\u6839\u76ee\u5f55\u53ea\u8bfb\u3002\u5f00\u542f\u540e\uff0c/sys\u548c/proc\u4e5f\u5c06\u4e3a\u5b8c\u5168\u53ea\u8bfb\u3002
\u60a8\u53ef\u4ee5\u4f7f\u7528-x
\u9009\u9879\u6765\u5b8c\u5168\u7981\u7528\u5bb9\u5668\u7f51\u7edc\uff0c\u8fd9\u9700\u8981NET\u547d\u540d\u7a7a\u95f4\uff0c\u5e76\u4f1a\u81ea\u52a8\u5f00\u542funshare\u3002
ruri\u9ed8\u8ba4\u8fd8\u63d0\u4f9b\u5982\u4e0b\u5b89\u5168\u9632\u62a4\uff1a
ruri\u4e3aarm64, armv7, armhf, riscv64, i386, loong64, s390x, ppc64le\u548cx86_64\u5e73\u53f0\u63d0\u4f9b\u5b98\u65b9\u4e8c\u8fdb\u5236\uff0c\u4f7f\u7528\u4ee5\u4e0b\u547d\u4ee4\u81ea\u52a8\u4e0b\u8f7d\u4e8c\u8fdb\u5236\u4e3a./ruri:
wget -q -O - https://getruri.crack.moe | bash -s -- -s
"},{"location":"zh/quickstart/#rootfs","title":"\u83b7\u53d6\u4e00\u4e2arootfs\uff1a","text":""},{"location":"zh/quickstart/#rurima","title":"\u4f7f\u7528rurima\uff08\u63a8\u8350\uff09\uff1a","text":"\u83b7\u53d6alpine edge\u955c\u50cf:
wget -q -O - https://getrurima.crack.moe | bash -s -- -s\nsudo ./rurima lxc pull -o alpine -v edge -s ./test
BTW, rurima\u5df2\u7ecf\u5b8c\u6574\u5185\u7f6e\u4e86ruri\uff0c\u6240\u4ee5\u4e8b\u5b9e\u4e0a\u5927\u5bb6\u53ea\u9700\u8981\u4e00\u4e2arurima\u7136\u540erurima r
\u5c31\u80fd\u8c03\u7528ruri\u3002 \u6240\u4ee5\u6211\u4eec\u8fd8\u4e0b\u8f7druri\u5e72\u4ec0\u4e48\u5462 "},{"location":"zh/quickstart/#rootfstool","title":"\u4f7f\u7528rootfstool\uff08\u5df2\u5e9f\u5f03\uff09\uff1a","text":"\u83b7\u53d6alpine edge\u955c\u50cf:
git clone https://github.com/Moe-hacker/rootfstool\n./rootfstool/rootfstool download -d alpine -v edge\nmkdir test\nsudo tar -xvf rootfs.tar.xz -C test\nrm rootfs.tar.xz
"},{"location":"zh/quickstart/#dns","title":"\u914d\u7f6edns\uff1a","text":"sudo rm test/etc/resolv.conf\necho nameserver 1.1.1.1|sudo tee test/etc/resolv.conf
"},{"location":"zh/quickstart/#_2","title":"\u8fd0\u884c\u5bb9\u5668\uff1a","text":"sudo ./ruri ./test
"},{"location":"zh/quickstart/#_3","title":"\u5b8c\u7ed3\u6492\u82b1\uff5e","text":""}]}
\ No newline at end of file
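Review bot: The rebuilt index drops the container-security page entries and attaches their text to the wrong page. The removed side has `{"location":"en/container-security/","title":"Enhance Container Security:","text":"Here are several ways to enhance the security of ruri container, ..."}` together with `en/#quick-start` and `en/#container-security`; the added side has none of these, and the same intro sentence now appears as the text of `{"location":"en/#table-of-contents","title":"Table of contents:",...}`, so a search hit on that sentence resolves to en/ instead of en/container-security/. The zh side mirrors this: `zh/#_2`, `zh/#_3` and `zh/container-security/` ("如何增强容器安全：") are gone and the intro "ruri提供一系列安全选项，下面是它们的使用说明：" is now the body of `zh/#_1` ("目录:"). On the root page the two language links have become their own headings (`#english`, `#_1`) and the footer "Made with Material for MkDocs" is indexed as the body of `#_1` (on the old side it was already appended to `#choose-your-language`, which was also undesirable). Because this file is generated from the built HTML, the fix belongs in the page source or theme change of this same patch, not in search_index.json; after rebuilding, confirm that `en/container-security/` and `zh/container-security/` reappear as locations and that no entry contains the footer text. Pre-existing on both sides and unrelated to this change: there is no `zh/quickstart/` location at all, the binary-download paragraph ("ruri为arm64, armv7, ...") runs directly after "ruri默认还提供如下安全防护：", so the zh quickstart headings were not being indexed even before this patch.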
diff --git a/ruri/zh/index.html b/ruri/zh/index.html
index 444ee0d..dcf5467 100644
--- a/ruri/zh/index.html
+++ b/ruri/zh/index.html
@@ -426,6 +426,17 @@
+
+
@@ -436,6 +447,34 @@
+
+
+
+
@@ -510,6 +549,23 @@
+
+
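Review bot: Same problem as ruri/en/index.html: the hunk bodies at 426, 447 and 549 are empty in this rendering, and their sizes (+11, +28, +17) match the en file line for line, which points to a single template or navigation change applied to both generated pages rather than a per-page edit. The regenerated search index earlier in this patch loses the `zh/container-security/` entry and moves its intro text under `zh/#_1`, so whatever this markup does to the heading structure should be verified on the built zh page before merging; preferably commit the MkDocs source change and let the site directory be regenerated from it.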