Contain Docker Engine with AppArmor
Well, this is a problem with using packages from outside the Ubuntu repositories. You will need to either ask the Docker Engine Developers to write an apparmor profile for you or write your own. Same with a selinux profile.
Now here is where you will start to get options, should you use or not use LXC, apparmor, selinux, etc.
For example, the Docker developers feel you need to update - http://blog.docker.com/ and that is certainly one way to manage the situation.
Apparmor and selinux protect you (potentially) from zero day exploits, but exploits are fixed via updates.
The advantage of apparmor is that it is easier to learn. The disadvantage is that you have to write your own profile.
See the apparmor documentation
https://help.ubuntu.com/community/AppArmor#Profile_customization
https://wiki.ubuntu.com/AppArmor
or, for a practical example, using a rather simple program, see http://blog.bodhizazen.com/linux/apparmor-privoxy-profile/
As long as we are on opinions ...
RHEL and Fedora are a bit ahead of the curve compared to Ubuntu in terms of Virtualization. RHEL is working with Docker to provide support, including selinux
http://www.redhat.com/about/news/press-archive/2014/4/red-hat-docker-expand-collaboration
I am not sure about Fedora and Docker, but Fedora uses selinux and virtmanager to manage LXC - http://major.io/2014/04/21/launch-secure-lxc-containers-on-fedora-20-using-selinux-and-svirt/
At the end of the day, you will have to review the opinions and go with the solution that works best for you.
Fernando Correia
Principal software engineer at Domino Data Lab.
Updated on September 18, 2022
Comments
Fernando Correia over 1 year
In the face of the reminders that the Docker Engine should be run contained with AppArmor or SELinux, how to run Docker under AppArmor on Ubuntu 14.04?
The Docker Security documentation and the LXC documentation mention that Ubuntu comes with AppArmor templates for LXC. What has to be done to take advantage of that?
Assuming a default Ubuntu Server 14.04 host, and Docker installed with
curl -s https://get.docker.io/ubuntu/ | sudo sh
what has to be done next so that, when running a container, the Docker Engine itself will be contained under AppArmor?
Fernando Correia almost 10 years
Thanks for the informative answer. I gather that Ubuntu's default LXC AppArmor profile doesn't apply to Docker's latest version (1.0) and that one must create a custom profile. I believe that other people will look for a standard profile for Docker 1.0 on Ubuntu 14.04, so I'll leave the question open in the hope that in the future someone will develop and share one. Also, thanks for the suggestion of RedHat and SELinux as alternatives.
Panther almost 10 years
It should not be too difficult to use the default LXC apparmor profile as a template and debug.
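The "write a profile and debug it" workflow suggested in the answer and in the last comment, as an added example that is not part of the original question, answer, or the Docker project: a hypothetical starter profile for the Docker 1.0 daemon loaded in complain mode (denials are logged, not blocked), and a check of /proc/<pid>/attr/current to confirm the daemon is actually confined after it is restarted. The binary path /usr/bin/docker, the PID file, and every capability and path rule are assumptions to be corrected from the audit log, not a known-good profile.

```shell
#!/bin/sh
# Added example: starter AppArmor profile for the Docker daemon on Ubuntu 14.04,
# plus a confinement check. All rules below are assumptions for a first
# complain-mode run; tighten them from the "apparmor=ALLOWED" audit lines.

PROFILE_PATH=/etc/apparmor.d/usr.bin.docker   # assumed install location

# Print a minimal complain-mode profile (hypothetical rule set).
starter_profile() {
    cat <<'EOF'
#include <tunables/global>
/usr/bin/docker flags=(complain) {
  #include <abstractions/base>
  capability sys_admin,
  capability net_admin,
  capability mknod,
  capability chown,
  capability dac_override,
  network inet,
  network unix,
  mount,
  umount,
  /usr/bin/docker mr,
  /var/lib/docker/** rwk,
  /var/run/docker.sock rw,
  /var/run/docker.pid rw,
  @{PROC}/** r,
  /sys/fs/cgroup/** rw,
}
EOF
}

# Classify the value of /proc/<pid>/attr/current, which is either
# "unconfined" or "<profile name> (<mode>)".
# Prints one of: unconfined, complain, enforce, unknown.
confinement_mode() {
    case "$1" in
        unconfined)    echo unconfined ;;
        *"(complain)") echo complain ;;
        *"(enforce)")  echo enforce ;;
        *)             echo unknown ;;
    esac
}

# Load the profile, restart the daemon (a profile attaches at exec, so an
# already-running daemon stays unconfined), then report its mode. Needs root.
apply_and_check() {
    starter_profile > "$PROFILE_PATH"
    apparmor_parser -r -C "$PROFILE_PATH"   # -C forces complain mode
    service docker restart
    confinement_mode "$(cat /proc/"$(cat /var/run/docker.pid)"/attr/current)"
}

if [ "${1:-}" = "--apply" ]; then apply_and_check; fi
```

Run with `sudo sh this_script.sh --apply`; once the output is `complain` and the audit log shows no unexpected ALLOWED lines, drop `flags=(complain)` and reload without `-C` to enforce.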