Ubuntu – Contain Docker Engine with AppArmor

Tags: 14.04, apparmor, docker, security

In face of the reminders that the Docker Engine should be run contained with AppArmor or SELinux, how to run Docker under AppArmor on Ubuntu 14.04?

The Docker Security documentation and the LXC documentation mention that Ubuntu comes with AppArmor templates for LXC. What has to be done to take advantage of that?

Assuming a default Ubuntu Server 14.04 host, and Docker installed with curl -s https://get.docker.io/ubuntu/ | sudo sh, what has to be done next so that when running a container, the Docker Engine itself will be contained under AppArmor?

Best Answer

Well, this is a problem with using packages from outside the Ubuntu repositories. You will need to either ask the Docker Engine Developers to write an apparmor profile for you or write your own. Same with a selinux profile.

Now here is where you will start to get options, should you use or not use LXC, apparmor, selinux, etc.

For example, the Docker developers feel you need to update - http://blog.docker.com/ and that is certainly one way to manage the situation.

Apparmor and selinux protect you (potentially) from zero day exploits, but exploits are fixed via updates.

The advantage of apparmor is that it is easier to learn. The disadvantage is that you have to write your own profile.

See the apparmor documentation

https://help.ubuntu.com/community/AppArmor#Profile_customization

https://wiki.ubuntu.com/AppArmor

or, for a practical example, using a rather simple program, see http://blog.bodhizazen.com/linux/apparmor-privoxy-profile/

As long as we are on opinions ...

RHEL and Fedora are a bit ahead of the curve compared to Ubuntu in terms of Virtualization. RHEL is working with Docker to provide support, including selinux.

http://www.redhat.com/about/news/press-archive/2014/4/red-hat-docker-expand-collaboration

I am not sure about Fedora and Docker, but Fedora uses selinux and virtmanager to manage LXC - http://major.io/2014/04/21/launch-secure-lxc-containers-on-fedora-20-using-selinux-and-svirt/

At the end of the day, you will have to review the opinions and go with the solution that works best for you.
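Whichever profile you end up writing, the thing to verify afterwards is whether the running daemon is actually confined. The following POSIX sh script is an added example (not part of the answer above or of Docker itself): it reads the label the kernel exposes in /proc/PID/attr/current, which on Ubuntu 14.04 is either `unconfined` or `<profile> (<mode>)`, and reports per process whether the Docker daemon is in enforce mode. The process name `docker` and the sample labels are assumptions.

```shell
#!/bin/sh
# Added example: report AppArmor confinement of a running process.
# Label format read from /proc/PID/attr/current (Ubuntu 14.04):
#   "unconfined"              -> no profile attached
#   "<profile> (enforce)"     -> confined, violations denied
#   "<profile> (complain)"    -> profile loaded, violations only logged

# aa_label_state LABEL -> prints: unconfined | enforce | complain | unknown
aa_label_state() {
    label=$1
    case "$label" in
        unconfined)   echo unconfined ;;
        *"(enforce)") echo enforce ;;
        *"(complain)") echo complain ;;
        *)            echo unknown ;;
    esac
}

# aa_label_profile LABEL -> prints the profile name, or "-" if unconfined
aa_label_profile() {
    label=$1
    case "$label" in
        unconfined|"") echo - ;;
        *)             echo "${label% (*}" ;;
    esac
}

# aa_pid_state PID -> confinement state of a live process (needs /proc)
aa_pid_state() {
    f=/proc/$1/attr/current
    [ -r "$f" ] || { echo unknown; return 1; }
    aa_label_state "$(cat "$f")"
}

# check_daemon NAME -> exit 0 only if every NAME process is in enforce mode.
# Assumption: the daemon's process name is "docker" (as on 14.04-era installs).
check_daemon() {
    rc=0
    for pid in $(pidof "$1" 2>/dev/null); do
        state=$(aa_pid_state "$pid")
        printf '%s pid %s: %s\n' "$1" "$pid" "$state"
        [ "$state" = enforce ] || rc=1
    done
    return $rc
}
```

Run `check_daemon docker` as root on the host; a result of `unconfined` means the engine is running with no AppArmor restriction at all, regardless of what the containers it starts are confined with.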