dockerd: add --print-default-{seccomp,apparmor} profile #39923
Conversation
@justincormack @thaJeztah PTAL?
Sorry, thought I left a comment already, but apparently forgot 😞
Wondering if we should add flags for these, or if we should log the profiles when (re)loading the configuration; same as I did in #36019 (8378dcf), that way both systemctl service reload docker (or (I think) sending a SIGHUP) would print the active configuration and profiles in the logs
Guess it's slightly more complicated for the AppArmor profile to log it (the seccomp profile is JSON so easier to log) 🤔
The latter approach almost doesn't work for scripting
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
(force-pushed f28e9c4 to 125a23a)
True; basically trying to prevent adding a lot of flags if there's no real need; reading the related ticket, the main reason is to have the possibility to audit what's loaded. I'm not sure if scripting is involved in that, or if that's manually reading the profile (having the profile logged on startup, reload /
If a file is needed with the profiles, we could consider doing the same as we do for the stack dumps, and write it to a file
Lines 18 to 25 in 8e610b2
No, the main reason (to me) is to facilitate people to write custom profiles by modifying the default template: docker/for-linux#788
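The customization described in the comment above (taking the default profile as a template and tightening it) as an added example, not code from this PR or from dockerd: a small Go program that reads a profile in dockerd's seccomp JSON format, removes chosen syscalls from the SCMP_ACT_ALLOW rules so that they fall through to defaultAction, and refuses to do so when the default is itself SCMP_ACT_ALLOW, since removing an allow entry then blocks nothing. The Profile and Syscall types are an assumed subset of the schema (archMap, args, includes/excludes are not modelled), and the embedded sample profile is constructed for this example; in practice the input would be what the flag proposed in this PR prints.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"os"
)

// Profile and Syscall cover only the fields this example touches. They are an
// assumed subset of the JSON dockerd accepts; a real profile also carries
// archMap, args, includes/excludes and similar fields, which a round-trip
// through these types would discard.
type Profile struct {
	DefaultAction string    `json:"defaultAction"`
	Syscalls      []Syscall `json:"syscalls"`
}

type Syscall struct {
	Names  []string `json:"names"`
	Action string   `json:"action"`
}

// ConstructedProfile is a hand-made sample standing in for what a
// "print the default seccomp profile" flag would emit; it is not the real
// default profile.
const ConstructedProfile = `{
  "defaultAction": "SCMP_ACT_ERRNO",
  "syscalls": [
    {"names": ["read", "write", "exit_group"], "action": "SCMP_ACT_ALLOW"},
    {"names": ["ptrace", "process_vm_readv"], "action": "SCMP_ACT_ALLOW"},
    {"names": ["clone"], "action": "SCMP_ACT_ALLOW"}
  ]
}`

func ParseProfile(data []byte) (*Profile, error) {
	var p Profile
	if err := json.Unmarshal(data, &p); err != nil {
		return nil, err
	}
	return &p, nil
}

// IsAllowed reports whether name appears in some SCMP_ACT_ALLOW rule.
func IsAllowed(p *Profile, name string) bool {
	for _, rule := range p.Syscalls {
		if rule.Action != "SCMP_ACT_ALLOW" {
			continue
		}
		for _, n := range rule.Names {
			if n == name {
				return true
			}
		}
	}
	return false
}

// DropSyscalls removes the named syscalls from every SCMP_ACT_ALLOW rule so
// they fall through to defaultAction. A rule left with no names is deleted.
// It returns the number of names removed, and an error if the profile's
// default is SCMP_ACT_ALLOW, because dropping allow entries from such a
// profile would not block anything.
func DropSyscalls(p *Profile, drop ...string) (int, error) {
	if p.DefaultAction == "SCMP_ACT_ALLOW" {
		return 0, errors.New("defaultAction is SCMP_ACT_ALLOW: removing allow entries would block nothing")
	}
	dropSet := make(map[string]bool, len(drop))
	for _, n := range drop {
		dropSet[n] = true
	}
	removed := 0
	var kept []Syscall
	for _, rule := range p.Syscalls {
		if rule.Action != "SCMP_ACT_ALLOW" {
			kept = append(kept, rule)
			continue
		}
		var names []string
		for _, n := range rule.Names {
			if dropSet[n] {
				removed++
				continue
			}
			names = append(names, n)
		}
		if len(names) > 0 {
			rule.Names = names // rule is a copy; the modified copy is what we keep
			kept = append(kept, rule)
		}
	}
	p.Syscalls = kept
	return removed, nil
}

func main() {
	// Usage: go run . [syscall ...]; with no arguments, ptrace is dropped.
	drop := os.Args[1:]
	if len(drop) == 0 {
		drop = []string{"ptrace"}
	}
	p, err := ParseProfile([]byte(ConstructedProfile))
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	n, err := DropSyscalls(p, drop...)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	out, _ := json.MarshalIndent(p, "", "  ")
	fmt.Fprintf(os.Stderr, "removed %d syscall name(s)\n", n)
	fmt.Println(string(out))
}
```

The resulting JSON can be handed to a container with `docker run --security-opt seccomp=custom.json`. Removing a name from the allow rules only has an effect because the sample's defaultAction is SCMP_ACT_ERRNO; that is why the function checks the default first rather than silently producing a profile that looks tighter but is not.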
This seems fine, but an API endpoint (e.g. perhaps something like
@thaJeztah API endpoint SGTY?
ping @thaJeztah
@thaJeztah WDYT about #39923 (comment) ? Also curious whether this should be under
@cpuguy83 this would be nice to have in v21.x
if printDefaultSeccompProfile && printDefaultApparmorProfile { | ||
return errors.New("conflicting flag: --print-default-seccomp-profile and --print-default-apparmor-profile") | ||
} | ||
if printDefaultSeccompProfile { | ||
return daemon.PrintDefaultSeccompProfile(cmd.OutOrStdout()) | ||
} | ||
if printDefaultApparmorProfile { | ||
return daemon.PrintDefaultAppArmorProfile(cmd.OutOrStdout()) | ||
} |
Given that these cannot be combined, should we have a single flag that takes an option? Something like;
--print-default-profile=<seccomp|apparmor>
or (removing -default from the flag name)
--print-profile=<seccomp|apparmor>
Could also be the reverse, and make it --print-defaults (so that we could, e.g. use it to print other defaults that are configured, such as dns, ulimit, etc)
As to
I think that would be useful to have (but will be a bigger change obviously); not sure if that endpoint should always print everything, or have options to provide more granular information (to avoid getting in the same situation as we have with the
Should we implement
@AkihiroSuda works for me; I just left another comment, thinking about naming it
@AkihiroSuda I just recalled this PR was still pending; looks like it needs a rebase 😬 - could you have a look?
We may have multiple built-in profiles (#42441), so this PR will probably need to be redesigned
Signed-off-by: Akihiro Suda akihiro.suda.cz@hco.ntt.co.jp
- What I did
added --print-default-{seccomp,apparmor} profile to dockerd, so that the user can inspect the default configuration
Fix #33060
- How to verify it
- Description for the changelog
dockerd: add --dump-default-{seccomp,apparmor} profile
- A picture of a cute animal (not mandatory but encouraged)
🐧