docker service create "--security-opt" option #41371
Comments
For a purpose like accessing cloud storage via rclone, `security_opt: apparmor:unconfined` is necessary.
In our Docker Swarm cluster, we need to load custom AppArmor profiles for Swarm services.
We are in the same situation as @mhemrg - we need a custom AppArmor profile.
I'm working on a project which requires support to set the seccomp profile using a custom seccomp profile JSON file for Swarm services, and would love that option to be added.
We'd need to set no_new_privileges in swarm mode.
I actually need It actually produces AppArmor DENIED logs continuously and can be fixed in k8s with a custom AppArmor profile (DataDog/datadog-agent#6915)
Any updates on when
Still no updates? Would simply be nice to know if this issue is in the scope of someone or if the statement is that the use of AppArmor (for example) together with Docker in swarm mode is not supported and won't be in the near future.
Still looking for
Imagine running Docker Swarm with SELinux enabled and container policy in use happily. Suddenly you need to allow a single service to access the Docker socket! It could be some CI worker based on Docker or perhaps some Docker Swarm orchestrator your customer requested or whatever else... Now, how to do it without breaking the overall Docker security? Of course, one would just tune SELinux a bit for the certain service, but... Imagine that you were so desperate that you tainted the SELinux policy with a custom module allowing the container's SELinux type to access the type of the Docker socket and allowing it to connect to and write to the socket in the end. That's definitely not the right way to do it, because at that moment you effectively ruined overall Docker security! But this sort of thing must have been happening all the time! Poor, desperate sysadmin! Just read the blogs out there. How many Docker Swarm instances are running with such dangerous hacks in use? Are all those people who already did so really supposed to write some post-mortem blog posts one day? Imagine you at least told us how to do such things the right (meaning documented and reproducible) way in Docker Swarm for now first. Do not force us to use any sort of undefined, unsupported or insecure hacks to achieve what's otherwise pretty common and normal for most system administrators anymore! Let us set up security-related things in a sane way again. Let us take full control of our systems again! Provide us with full and well-granulated support for SELinux, AppArmor, Linux capabilities etc. - for both the compose file and service commands. I would also suggest cooperating more closely with the SELinux policy developers and other experts too. Imagine...

```yaml
services:
  my_service:
    image: my_image
    security:
      selinux:
        user: my_user_u
        role: my_role_r
        type: my_type_t
        range: s0:c1,c0
      capabilities:
        - CAP_NET_ADMIN
```

There are a lot of discussions about lacking these basic security features for Docker compose for a long time... Is this state of things going to stay forever? 👎
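The comment above describes the kind of workaround operators reach for when a Swarm service cannot carry its own security options. As an added defender-side check (not code from this thread or from the moby project), the script below walks `docker inspect` output, groups task containers by the Swarm service name label, and reports the ones running with confinement switched off or with the Docker socket bind-mounted. The sample records are constructed to mirror the shape of `docker inspect` output.

```python
import json

# Options that switch confinement off: the sort of workaround the thread
# describes when a Swarm service cannot carry its own --security-opt.
WEAKENING_OPTS = {
    "apparmor:unconfined", "apparmor=unconfined",
    "seccomp:unconfined", "seccomp=unconfined",
    "label:disable", "label=disable",
}

def audit_container(entry):
    """Return findings for one container record from `docker inspect`."""
    labels = (entry.get("Config") or {}).get("Labels") or {}
    host = entry.get("HostConfig") or {}
    findings = []
    for opt in host.get("SecurityOpt") or []:
        if opt.strip().lower() in WEAKENING_OPTS:
            findings.append(f"security-opt {opt}")
    if entry.get("AppArmorProfile") == "unconfined":
        findings.append("AppArmorProfile=unconfined")
    if host.get("Privileged"):
        findings.append("privileged")
    for bind in host.get("Binds") or []:
        if bind.split(":")[0] == "/var/run/docker.sock":
            findings.append("docker socket bind-mounted")
    return {
        "name": (entry.get("Name") or "").lstrip("/"),
        # Swarm stamps task containers with the owning service's name.
        "service": labels.get("com.docker.swarm.service.name"),
        "findings": findings,
    }

def audit(inspect_json):
    """Parse `docker inspect` output; return only containers with findings."""
    return [r for r in map(audit_container, json.loads(inspect_json)) if r["findings"]]

# Constructed sample in the shape of `docker inspect <id...>` output (not real data).
SAMPLE_INSPECT = json.dumps([
    {"Name": "/ci_worker.1.abc", "AppArmorProfile": "unconfined",
     "Config": {"Labels": {"com.docker.swarm.service.name": "ci_worker"}},
     "HostConfig": {"SecurityOpt": ["apparmor:unconfined"], "Privileged": False,
                    "Binds": ["/var/run/docker.sock:/var/run/docker.sock"]}},
    {"Name": "/web.1.def", "AppArmorProfile": "docker-default",
     "Config": {"Labels": {"com.docker.swarm.service.name": "web"}},
     "HostConfig": {"SecurityOpt": None, "Privileged": False, "Binds": None}},
])

if __name__ == "__main__":
    for r in audit(SAMPLE_INSPECT):
        print(r["service"], r["name"], ", ".join(r["findings"]))
```

On a live node, pipe the output of `docker inspect $(docker ps -q)` into `audit()` to see which services are actually running unconfined.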
The same!
+1 it's also required to run netdata as a service as per netdata/netdata#11933
+1 Needed to run Podman in Docker Swarm
Any updates now?
Options for AppArmor and Seccomp were added in SwarmKit's API; I need to check with @dperny if those options are wired up everywhere though
Hey @thaJeztah and @dperny, any news on this? It does not seem to be released yet.
Ok. I saw that #46386 has been merged into Docker 25 but it still doesn't seem usable at the moment. What is missing to make it usable?
edit: io_uring is not on the allow list yet
There is a `--security-opt` flag in `docker run`. Will there be support for a similar option in `docker service create`?