[apparmor] Apparmor on docker container

Jamie Strandboge jamie at canonical.com
Thu Jul 30 13:55:52 UTC 2015

On 07/29/2015 07:35 PM, yathindra dev wrote:
> Hi,
> I'm trying to apply Apparmor profiles to a guest docker container. Apparmor is
> installed on the host. Docker supports loading a Apparmor profile using
> --security-opts=apparmor:profile_name. But is there a way in which we can apply
> apparmor profiles from the host apparmor without having to use --security-opts
> while bringing up the container? And without having to install apparmor inside
> the guest container.
You didn't mention what host OS you are using, but by default the docker daemon
will create and load a 'docker-default' profile (/etc/apparmor.d/docker) and
will run containers under this profile. Only if you create your own profiles do
you need to use --security-opts=apparmor:profile_name. You can verify this by
running a container and then observing 'ps Z' or 'aa-status' output. If
containers are not being launched under the docker-default profile, your system
and or docker may be configured to not use apparmor. You do not have to install
docker inside the guest container.

Jamie Strandboge                 http://www.ubuntu.com/

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20150730/08f720bd/attachment.pgp>

More information about the AppArmor mailing list