toolshed/docker-cli
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
c2377d79c5e98ddd38aa68993365e7c76d2bbd60
docker-cli/components/engine/docs/security/apparmor.md
Jessica Frazelle 59f2aefefe remove docker-unconfined profile we were not using it and it breaks apparmor on wheezy 
Signed-off-by: Jessica Frazelle <acidburn@docker.com>
Upstream-commit: e542238f2a4ba9d77bf8ebc77e319dd6b321925f
Component: engine
2015-08-06 16:51:01 -07:00

42 lines
1.4 KiB
Markdown
Raw Blame History

AppArmor security profiles for Docker
--------------------------------------
AppArmor (Application Armor) is a security module that allows a system
administrator to associate a security profile with each program. Docker
expects to find an AppArmor policy loaded and enforced.
Container profiles are loaded automatically by Docker. A profile
for the Docker Engine itself also exists and is installed
with the official *.deb* packages. Advanced users and package
managers may find the profile for */usr/bin/docker* underneath
[contrib/apparmor](https://github.com/docker/docker/tree/master/contrib/apparmor)
in the Docker Engine source repository.
Understand the policies
------------------------
The `docker-default` profile the default for running
containers. It is moderately protective while
providing wide application compatability.
The system's standard `unconfined` profile inherits all
system-wide policies, applying path-based policies
intended for the host system inside of containers.
This was the default for privileged containers
prior to Docker 1.8.
Overriding the profile for a container
---------------------------------------
Users may override the AppArmor profile using the
`security-opt` option (per-container).
For example, the following explicitly specifies the default policy:
```
$ docker run --rm -it --security-opt apparmor:docker-default hello-world
```
Reference in New Issue View Git Blame Copy Permalink