Docker Desktop: Difference between revisions

Line 129:

A lot of people on the internet will tell you the solution is to turn off the security feature. That is the wrong approach. That approach is reminiscent of the people who disable RedHat's SELinux (Security Enhanced Linux) because it's too hard to learn to use the security features or simply do not care about operating a secure system.

== Seccomp security profiles for Docker ==

Secure computing mode (<code>seccomp</code>) is a Linux kernel feature. You can use it to restrict the actions available within the container. The <code>seccomp()</code> system call operates on the seccomp state of the calling process. You can use this feature to restrict your application's access.<ref>https://docs.docker.com/engine/security/seccomp/</ref>

This feature is available only if Docker has been built with <code>seccomp</code> and the kernel is configured with <code>CONFIG_SECCOMP</code> enabled. To check if your kernel supports <code>seccomp</code>, grep through your boot configuration file such as <code>/boot/config-6.8.0-51-generic</code>

<code>$ grep CONFIG_SECCOMP= /boot/config-$(uname -r)</code>

(output should show CONFIG_SECCOMP=y)

The default seccomp profile for Docker Desktop is in the '''Moby''' project https://github.com/moby/moby/blob/master/profiles/seccomp/default.json

You can show your current profile with

<code>docker info --format '<nowiki>{{ .SecurityOptions }}</nowiki>'</code>

Mine shows <tt>[name=seccomp,profile=unconfined name=cgroupns]</tt>

When starting Docker Daemon, you can pass it an option for the profile to use: <code>dockerd --seccomp-profile <path_to_seccomp_profile></code> <ref>https://stackoverflow.com/questions/77001300/warning-daemon-is-not-using-the-default-seccomp-profile</ref>

[[Category:Virtualization]]

[[Category:DevOps]]

[[Category:Kubernetes]]

@@ Line 129: / Line 129: @@
 A lot of people on the internet will tell you the solution is to turn off the security feature. That is the wrong approach. That approach is reminiscent of the people who disable RedHat's SELinux (Security Enhanced Linux) because it's too hard to learn to use the security features or simply do not care about operating a secure system.
+== Seccomp security profiles for Docker ==
+Secure computing mode (<code>seccomp</code>) is a Linux kernel feature. You can use it to restrict the actions available within the container. The <code>seccomp()</code> system call operates on the seccomp state of the calling process. You can use this feature to restrict your application's access.<ref>https://docs.docker.com/engine/security/seccomp/</ref>
+This feature is available only if Docker has been built with <code>seccomp</code> and the kernel is configured with <code>CONFIG_SECCOMP</code> enabled. To check if your kernel supports <code>seccomp</code>, grep through your boot configuration file such as <code>/boot/config-6.8.0-51-generic</code>
+ <code>$ grep CONFIG_SECCOMP= /boot/config-$(uname -r)</code>
+(output should show CONFIG_SECCOMP=y)
+The default seccomp profile for Docker Desktop is in the '''Moby''' project https://github.com/moby/moby/blob/master/profiles/seccomp/default.json
+You can show your current profile with
+<code>docker info --format '<nowiki>{{ .SecurityOptions }}</nowiki>'</code>
+Mine shows <tt>[name=seccomp,profile=unconfined name=cgroupns]</tt>
+When starting Docker Daemon, you can pass it an option for the profile to use: <code>dockerd --seccomp-profile <path_to_seccomp_profile></code> <ref>https://stackoverflow.com/questions/77001300/warning-daemon-is-not-using-the-default-seccomp-profile</ref>
 {{References}}
 [[Category:Virtualization]]
 [[Category:DevOps]]
 [[Category:Kubernetes]]