Contain Docker Engine with AppArmor


Well, this is a problem with using packages from outside the Ubuntu repositories. You will need to either ask the Docker Engine Developers to write an apparmor profile for you or write your own. Same with a selinux profile.

Now here is where you will start to get options, should you use or not use LXC, apparmor, selinux, etc.

For example, the Docker developers feel you need to update - http://blog.docker.com/ and that is certainly one way to manage the situation.

Apparmor and selinux protect you (potentially) from zero day exploits, but exploits are fixed via updates.

The advantage of apparmor is that it is easier to learn. The disadvantage is that you have to write your own profile.

See the apparmor documentation:

https://help.ubuntu.com/community/AppArmor#Profile_customization

https://wiki.ubuntu.com/AppArmor

or, for a practical example, using a rather simple program, see http://blog.bodhizazen.com/linux/apparmor-privoxy-profile/

As long as we are on opinions ...

RHEL and Fedora are a bit ahead of the curve compared to Ubuntu in terms of Virtualization. RHEL is working with Docker to provide support, including selinux.

http://www.redhat.com/about/news/press-archive/2014/4/red-hat-docker-expand-collaboration

I am not sure about Fedora and Docker, but Fedora uses selinux and virtmanager to manage LXC - http://major.io/2014/04/21/launch-secure-lxc-containers-on-fedora-20-using-selinux-and-svirt/

At the end of the day, you will have to review the opinions and go with the solution that works best for you.
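The answer above leaves you writing and debugging your own profile; the usual loop is to load the profile in complain mode and read the AppArmor events in the kernel log. As an added example (not from the answer, Ubuntu or Docker), this POSIX shell helper summarises those events for one profile and prints a candidate rule per event for you to review; the profile name docker-custom and the log lines are constructed placeholders.

```shell
#!/bin/sh
# Summarise AppArmor audit events for one profile and turn each distinct event
# into a candidate rule to review while debugging a new profile.
# Profile name "docker-custom" and SAMPLE_LOG are constructed placeholders.
# aa_events PROFILE [ALLOWED|DENIED]: reads dmesg/audit lines on stdin.
# Complain mode (aa-complain) logs violations as apparmor="ALLOWED";
# enforce mode logs them as apparmor="DENIED".
aa_events() {
    awk -v st="${2:-ALLOWED}" -v prof="$1" '
    index($0, "apparmor=\"" st "\"") && index($0, "profile=\"" prof "\"") {
        op = ""; target = ""; mask = ""
        for (i = 1; i <= NF; i++) {
            if (split($i, kv, "=") < 2) continue   # skip tokens without key=value
            v = kv[2]; gsub(/"/, "", v)
            if (kv[1] == "operation") op = v
            else if (kv[1] == "name" || kv[1] == "capname") target = v
            else if (kv[1] == "requested_mask") mask = v
        }
        line = op " " target
        if (mask != "") line = line " " mask
        print line
    }' | sort | uniq -c | sort -rn
}

# aa_rule_hint OP TARGET [MASK]: one candidate AppArmor rule for the event.
aa_rule_hint() {
    if [ "$1" = capable ]; then
        printf 'capability %s,\n' "$2"
    elif [ -n "$3" ]; then
        printf '%s %s,\n' "$2" "$3"        # file rule: path followed by access mode
    else
        printf '# review manually: %s %s\n' "$1" "$2"
    fi
}

# aa_suggest PROFILE [STATUS]: a hint per distinct event, most frequent first.
aa_suggest() {
    aa_events "$1" "$2" | while read -r count op target mask; do
        printf '%s\t# %s event(s)\n' "$(aa_rule_hint "$op" "$target" "$mask")" "$count"
    done
}

# Constructed Ubuntu 14.04 style kernel log lines (not real captures).
SAMPLE_LOG='[ 310.1] type=1400 audit(1402000000.1:41): apparmor="ALLOWED" operation="open" profile="docker-custom" name="/proc/sys/kernel/shmmax" pid=1501 comm="docker" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 310.2] type=1400 audit(1402000000.2:42): apparmor="ALLOWED" operation="open" profile="docker-custom" name="/proc/sys/kernel/shmmax" pid=1501 comm="docker" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 310.3] type=1400 audit(1402000000.3:43): apparmor="ALLOWED" operation="capable" profile="docker-custom" pid=1501 comm="docker" capability=21 capname="sys_admin"
[ 310.4] type=1400 audit(1402000000.4:44): apparmor="ALLOWED" operation="mknod" profile="docker-custom" name="/var/lib/docker/tmp" pid=1501 comm="docker" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
[ 310.5] type=1400 audit(1402000000.5:45): apparmor="DENIED" operation="open" profile="lxc-container-default" name="/sys/kernel/debug/" pid=1600 comm="sh" requested_mask="r" denied_mask="r" fsuid=0 ouid=0'
printf '%s\n' "$SAMPLE_LOG" | aa_suggest docker-custom
```

Each printed rule is a starting point only: check that the path or capability is really needed before adding it to the profile, since every line you add widens what the Docker Engine may do.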

Author: Fernando Correia, Principal software engineer at Domino Data Lab.

Updated on September 18, 2022

Comments

  • Fernando Correia (over 1 year)

    In face of the reminders that the Docker Engine should be run contained with AppArmor or SELinux, how to run Docker under AppArmor on Ubuntu 14.04?

    The Docker Security documentation and the LXC documentation mention that Ubuntu comes with AppArmor templates for LXC. What has to be done to take advantage of that?

    Assuming a default Ubuntu Server 14.04 host, and Docker installed with curl -s https://get.docker.io/ubuntu/ | sudo sh, what has to be done next so that when running a container, the Docker Engine itself will be contained under AppArmor?

  • Fernando Correia (almost 10 years)
    Thanks for the informative answer. I gather that Ubuntu's default LXC AppArmor profile doesn't apply to Docker's latest version (1.0) and that one must create a custom profile. I believe that other people will look for a standard profile for Docker 1.0 on Ubuntu 14.04, so I'll leave the question open in the hope that in the future someone will develop and share one. Also, thanks for the suggestion of RedHat and SELinux as alternatives.
  • Panther (almost 10 years)
    It should not be too difficult to use the default LXC apparmor profile as a template and debug.