Fatskills
Practice. Master. Repeat.
Study Guide: Docker Docker Security Seccomp and AppArmor Profiles
Source: https://www.fatskills.com/kubernetes/chapter/docker-docker-security-seccomp-and-apparmor-profiles

Docker Docker Security Seccomp and AppArmor Profiles

By Fatskills Exam Guides Team — the exam nerds behind 28,500+ quizzes and 2.1M practice questions across 500+ global exams.

⏱️ ~3 min read

1. Core Command / Concept

Seccomp and AppArmor Profiles restrict container processes to prevent privilege escalation and improve security. Use the --security-opt flag to specify profiles.

2. Step-by-Step

  1. Create a new Dockerfile with a simple "hello world" application.
    ```bash echo "FROM alpine:latest" > Dockerfile echo "RUN echo 'Hello World'" >> Dockerfile
2. Build the Docker image.
```bash docker build -t myimage .
  1. Run the container with the default security settings.
    ```bash docker run -it --rm myimage
4. ⚠️ Delete all stopped containers.
```bash docker container prune
  1. Create a new Dockerfile with the --security-opt flag to specify a Seccomp profile.
    ```bash echo "FROM alpine:latest" > Dockerfile echo "RUN echo 'Hello World'" >> Dockerfile echo "security-opt seccomp:unconfined" >> Dockerfile
6. Build the Docker image with the Seccomp profile.
```bash docker build -t myimage .
  1. Run the container with the Seccomp profile.
    ```bash docker run -it --rm --security-opt seccomp:unconfined myimage
8. Create a new Dockerfile with the `--security-opt` flag to specify an AppArmor profile.
```bash echo "FROM alpine:latest" > Dockerfile echo "RUN echo 'Hello World'" >> Dockerfile echo "security-opt apparmor:unconfined" >> Dockerfile
  1. Build the Docker image with the AppArmor profile.
    ```bash docker build -t myimage .
10. Run the container with the AppArmor profile.
```bash docker run -it --rm --security-opt apparmor:unconfined myimage

3. Real Commands with Examples


Example 1: Seccomp Profile

Purpose: Restrict container processes to prevent privilege escalation.
Command: docker run -it --rm --security-opt seccomp:unconfined myimage Flags: --security-opt seccomp:unconfined specifies the Seccomp profile.

Example 2: AppArmor Profile

Purpose: Restrict container processes to prevent privilege escalation.
Command: docker run -it --rm --security-opt apparmor:unconfined myimage Flags: --security-opt apparmor:unconfined specifies the AppArmor profile.

Example 3: Custom Seccomp Profile

Purpose: Restrict container processes to prevent privilege escalation using a custom Seccomp profile.
Command: docker run -it --rm --security-opt seccomp=/path/to/custom/seccomp.json myimage Flags: --security-opt seccomp=/path/to/custom/seccomp.json specifies the custom Seccomp profile.

4. Common Errors


Error 1: Unknown Seccomp Profile

Error message: Error: Unknown seccomp profile: unconfined Why it happens: The Seccomp profile is not recognized by Docker.
One-line fix: docker run -it --rm --security-opt seccomp:default myimage

Error 2: Unknown AppArmor Profile

Error message: Error: Unknown apparmor profile: unconfined Why it happens: The AppArmor profile is not recognized by Docker.
One-line fix: docker run -it --rm --security-opt apparmor:runtime/default myimage

Error 3: Seccomp Profile Not Found

Error message: Error: Seccomp profile not found: /path/to/custom/seccomp.json Why it happens: The custom Seccomp profile is not found.
One-line fix: docker run -it --rm --security-opt seccomp=/path/to/default/seccomp.json myimage

5. Quick Checks


Scenario 1: Check Seccomp Profile

Situation: You want to check the Seccomp profile used by a container.
Command: docker inspect --format='{{.Config.SecurityOpt}}' myimage Correct response: seccomp:unconfined

Scenario 2: Check AppArmor Profile

Situation: You want to check the AppArmor profile used by a container.
Command: docker inspect --format='{{.Config.SecurityOpt}}' myimage Correct response: apparmor:unconfined

Scenario 3: Check Security Options

Situation: You want to check the security options used by a container.
Command: docker inspect --format='{{.Config.SecurityOpt}}' myimage Correct response: seccomp:unconfined apparmor:unconfined

6. Last-Minute Reference

  • ⚠️ Seccomp profiles must be in JSON format.
  • ⚠️ AppArmor profiles must be in profile format.
  • Seccomp profiles can be specified using the --security-opt flag.
  • AppArmor profiles can be specified using the --security-opt flag.
  • Docker supports multiple security profiles.
  • Docker supports custom security profiles.
  • Docker supports default security profiles.
  • Docker supports runtime security profiles.
  • Docker supports profile-based security.
  • Docker supports JSON-based security profiles.
  • Docker supports profile-based security options.


ADVERTISEMENT