Merge pull request #1877 from scjane/patch-38

Update apparmor.md
Misty Stanley-Jones 2017-03-01 14:26:37 -08:00 committed by GitHub
commit 9122e75ca5
1 changed files with 25 additions and 25 deletions

@ -155,48 +155,48 @@ profile docker-nginx flags=(attach_disconnected,mediate_deleted) {
1. Save the custom profile to disk in the 1. Save the custom profile to disk in the
`/etc/apparmor.d/containers/docker-nginx` file. `/etc/apparmor.d/containers/docker-nginx` file.
The file path in this example is not a requirement. In production, you could The file path in this example is not a requirement. In production, you could
use another. use another.
2. Load the profile. 2. Load the profile.
```bash ```bash
$ sudo apparmor_parser -r -W /etc/apparmor.d/containers/docker-nginx $ sudo apparmor_parser -r -W /etc/apparmor.d/containers/docker-nginx
``` ```
3. Run a container with the profile. 3. Run a container with the profile.
To run nginx in detached mode: To run nginx in detached mode:
```bash ```bash
$ docker run --security-opt "apparmor=docker-nginx" \ $ docker run --security-opt "apparmor=docker-nginx" \
-p 80:80 -d --name apparmor-nginx nginx -p 80:80 -d --name apparmor-nginx nginx
``` ```
4. Exec into the running container 4. Exec into the running container.
```bash ```bash
$ docker exec -it apparmor-nginx bash $ docker exec -it apparmor-nginx bash
``` ```
5. Try some operations to test the profile. 5. Try some operations to test the profile.
```bash ```bash
root@6da5a2a930b9:~# ping 8.8.8.8 root@6da5a2a930b9:~# ping 8.8.8.8
ping: Lacking privilege for raw socket. ping: Lacking privilege for raw socket.
root@6da5a2a930b9:/# top root@6da5a2a930b9:/# top
bash: /usr/bin/top: Permission denied bash: /usr/bin/top: Permission denied
root@6da5a2a930b9:~# touch ~/thing root@6da5a2a930b9:~# touch ~/thing
touch: cannot touch 'thing': Permission denied touch: cannot touch 'thing': Permission denied
root@6da5a2a930b9:/# sh root@6da5a2a930b9:/# sh
bash: /bin/sh: Permission denied bash: /bin/sh: Permission denied
root@6da5a2a930b9:/# dash root@6da5a2a930b9:/# dash
bash: /bin/dash: Permission denied bash: /bin/dash: Permission denied
``` ```
Congrats! You just deployed a container secured with a custom apparmor profile! Congrats! You just deployed a container secured with a custom apparmor profile!
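Review bot: In step 4 the added full stop after "Exec into the running container" is the only textual difference visible in this hunk. The rest of the 25 additions and 25 deletions read identically on both sides, so they are presumably whitespace or indentation changes. The commit message "Update apparmor.md" should say so, making it clear that none of the commands or the step 5 sample output were altered. While these lines are being touched, the closing sentence could spell the name "AppArmor". The procedure would also benefit from a check between steps 3 and 4 that the container is really running under the `docker-nginx` profile, because the denials in step 5 are the only confirmation the page offers that the profile was applied.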