Docker Desktop: Difference between revisions

'''[[Docker]] Desktop''' is a GUI application that installs and manages a Docker Engine on your workstation. On Linux, as on macOS and Windows, the engine runs inside a lightweight virtual machine that Docker Desktop starts, not directly on the host kernel.
 
Starting Docker Desktop switches the active Docker context to its own engine (the <code>desktop-linux</code> context). On a Linux workstation that also has a system-wide <code>docker-ce</code> install there are therefore two engines, and which one your <code>docker</code> commands talk to depends on the current context. Check with <code>docker context ls</code>; switch with <code>docker context use default</code> (the system daemon) or <code>docker context use desktop-linux</code>. In practice this means you usually need Docker Desktop running for your setup to behave as expected, unless you deliberately manage the contexts yourself.
 
If you want to run Docker Engine in 'rootless' mode, see the [https://rootlesscontaine.rs/getting-started/docker/ Rootless Containers project] and don't use Docker Desktop for that (or at least know when and how to use each separately). The two are different things: Docker Desktop runs a rootful engine inside its VM, while rootless mode runs the daemon as an unprivileged user directly on the host.
 
Meanwhile, [[Minikube]], which drives [[Kubernetes]], has sections for both 'regular' and 'rootless' Docker [https://minikube.sigs.k8s.io/docs/drivers/docker/#Rootless%20Docker in its docs].


== Docker Desktop not working on Ubuntu 24.04 ==

A lot of people on the internet will tell you the solution is to turn off the security feature. That is the wrong approach. That approach is reminiscent of the people who disable SELinux (Security Enhanced Linux) on Red Hat systems because it's too hard to learn to use the security features, or who simply do not care about operating a secure system.
== Seccomp security profiles for Docker ==
Secure computing mode (<code>seccomp</code>) is a Linux kernel feature. You can use it to restrict the system calls available to the processes inside a container. The <code>seccomp()</code> system call operates on the seccomp state of the calling process, and Docker installs a filter before starting the container's first process, so the restriction applies to everything the container runs.<ref>https://docs.docker.com/engine/security/seccomp/</ref>

This feature is available only if Docker has been built with <code>seccomp</code> support and the kernel is configured with <code>CONFIG_SECCOMP</code> enabled. To check whether your kernel supports <code>seccomp</code>, grep the boot configuration file of the running kernel (for example <code>/boot/config-6.8.0-51-generic</code>):

<code>$ grep CONFIG_SECCOMP /boot/config-$(uname -r)</code>

The output should include <code>CONFIG_SECCOMP=y</code>. Note that with Docker Desktop the relevant kernel is the one inside its VM, not your host's.

The default seccomp profile applied by Docker Engine (and therefore by Docker Desktop) is maintained in the '''Moby''' project: https://github.com/moby/moby/blob/master/profiles/seccomp/default.json. It is an allowlist: <code>defaultAction</code> is <code>SCMP_ACT_ERRNO</code>, and only the listed syscalls are permitted, some of them only when the container has a given capability (for example <code>mount</code> requires <code>CAP_SYS_ADMIN</code>).

You can show the profile your daemon is using with

<code>docker info --format '<nowiki>{{ .SecurityOptions }}</nowiki>'</code>

Mine shows <tt>[name=seccomp,profile=unconfined name=cgroupns]</tt>

<tt>profile=unconfined</tt> there means the daemon was started without a seccomp profile, so containers get no syscall filter unless one is passed per container. With the stock profile the field reads <tt>profile=builtin</tt> (<tt>profile=default</tt> on older releases).

When starting the Docker daemon you can pass it the profile to use: <code>dockerd --seccomp-profile <path_to_seccomp_profile></code>, or set <code>"seccomp-profile": "<path_to_seccomp_profile>"</code> in <code>daemon.json</code>.<ref>https://stackoverflow.com/questions/77001300/warning-daemon-is-not-using-the-default-seccomp-profile</ref> To override the daemon default for a single container instead, use <code>docker run --security-opt seccomp=<path_to_seccomp_profile></code>. Passing <code>--security-opt seccomp=unconfined</code> turns filtering off for that container; that is the per-container equivalent of the "turn off the security feature" advice criticised above and should be a last resort.
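To make the profile format concrete, here is an added example (not Docker's or Moby's code) in Python. It resolves which action a Docker-style seccomp profile takes for a given syscall, honouring the capability-based <code>includes</code>/<code>excludes</code> filters that moby evaluates when it builds the filter, derives a stricter profile that denies syscalls a typical service never needs, and wraps the <code>CONFIG_SECCOMP</code> check from above. <code>SAMPLE_PROFILE</code> is a constructed, cut-down stand-in for moby's <code>default.json</code>; argument filters (<code>args</code>) are treated as matching, and the helper names are this example's own.

```python
"""Resolve and harden a Docker/Moby-style seccomp profile.

Added example for this page, not code from Docker or the Moby project.
Profiles are JSON: a ``defaultAction`` plus a list of ``syscalls`` rules,
each with ``names``, an ``action`` (SCMP_ACT_ALLOW, SCMP_ACT_ERRNO, ...)
and optional ``includes``/``excludes`` filters on container capabilities.
"""
import copy
import json
import os
from typing import Iterable, Optional

# Constructed, cut-down profile in the shape of moby's default.json.
# The real default allows roughly 300 syscalls; this is only an illustration.
SAMPLE_PROFILE = json.loads("""
{
  "defaultAction": "SCMP_ACT_ERRNO",
  "defaultErrnoRet": 1,
  "architectures": ["SCMP_ARCH_X86_64", "SCMP_ARCH_X86", "SCMP_ARCH_X32"],
  "syscalls": [
    {"names": ["read", "write", "openat", "close", "exit_group", "mmap",
               "brk", "futex", "unshare", "keyctl"],
     "action": "SCMP_ACT_ALLOW"},
    {"names": ["clone"], "action": "SCMP_ACT_ALLOW",
     "args": [{"index": 0, "value": 2114060288, "valueTwo": 0,
               "op": "SCMP_CMP_MASKED_EQ"}],
     "excludes": {"caps": ["CAP_SYS_ADMIN"]}},
    {"names": ["clone", "clone3"], "action": "SCMP_ACT_ALLOW",
     "includes": {"caps": ["CAP_SYS_ADMIN"]}},
    {"names": ["mount", "umount2", "pivot_root"], "action": "SCMP_ACT_ALLOW",
     "includes": {"caps": ["CAP_SYS_ADMIN"]}}
  ]
}
""")


def rule_applies(rule: dict, caps: frozenset) -> bool:
    """Mirror the capability part of moby's includes/excludes filtering.

    A rule with includes.caps applies only if the container has every listed
    capability; a rule with excludes.caps is dropped if it has any of them.
    (Kernel-version and architecture filters are not modelled here.)
    """
    inc = set(rule.get("includes", {}).get("caps", []))
    exc = set(rule.get("excludes", {}).get("caps", []))
    return inc <= caps and not (exc & caps)


def resolve(profile: dict, syscall: str, caps: Iterable[str] = ()) -> str:
    """Return the action the profile takes for `syscall`.

    Argument filters ("args") are assumed to match, so the result is the most
    permissive action the profile could yield for that syscall.
    """
    caps = frozenset(caps)
    for rule in profile["syscalls"]:
        if syscall in rule["names"] and rule_applies(rule, caps):
            return rule["action"]
    return profile["defaultAction"]


def harden(profile: dict, deny: Iterable[str], errno_ret: int = 1) -> dict:
    """Return a copy of `profile` that rejects `deny` with errno 1 (EPERM).

    The names are stripped from every existing rule and collected into one
    explicit SCMP_ACT_ERRNO rule, so the denial does not depend on rule order
    or on which capabilities the container happens to hold.
    """
    deny = set(deny)
    out = copy.deepcopy(profile)
    for rule in out["syscalls"]:
        rule["names"] = [n for n in rule["names"] if n not in deny]
    out["syscalls"] = [r for r in out["syscalls"] if r["names"]]
    out["syscalls"].append({"names": sorted(deny), "action": "SCMP_ACT_ERRNO",
                            "errnoRet": errno_ret})
    return out


def kernel_has_seccomp(config_path: Optional[str] = None) -> Optional[bool]:
    """Check CONFIG_SECCOMP=y in the running kernel's /boot config.

    Returns None when the file cannot be read (e.g. inside the Docker Desktop
    VM, or on distributions that ship the config elsewhere).
    """
    path = config_path or f"/boot/config-{os.uname().release}"
    try:
        with open(path) as fh:
            return any(line.strip() == "CONFIG_SECCOMP=y" for line in fh)
    except OSError:
        return None


if __name__ == "__main__":
    print("kernel CONFIG_SECCOMP:", kernel_has_seccomp())
    hardened = harden(SAMPLE_PROFILE, ["unshare", "keyctl", "clone3"])
    with open("hardened.json", "w") as fh:
        json.dump(hardened, fh, indent=2)
    for sc in ("read", "unshare", "mount", "reboot"):
        print(f"{sc:10} {resolve(hardened, sc)}")
    print("docker run --rm --security-opt seccomp=hardened.json alpine id")
```

Running the script writes <code>hardened.json</code>; start a container with <code>docker run --rm --security-opt seccomp=hardened.json alpine</code> and any <code>unshare(2)</code> call inside it fails with <code>EPERM</code> instead of creating a new namespace. To work from the real default rather than the constructed sample, download moby's <code>default.json</code> and load it in place of <code>SAMPLE_PROFILE</code>; <code>resolve()</code> then answers the question "would this syscall be allowed in a container with these capabilities?" without starting a container.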
{{References}}
[[Category:Virtualization]]
[[Category:DevOps]]
[[Category:Kubernetes]]