Docker engine does not support the parameter "--security-opt seccomp=" when executing command "docker build" #34454
Comments
@cpuguy83 help……
Because the only security-opt that's supported on build is Windows specific (credentialspec)
@cpuguy83 I have a problem that I need the specific seccomp profile when executing docker build to prevent system vulnerability, such as CVE-2017-7533. I need to disable
@cason you can supply a custom default profile to the daemon.
`--seccomp-profile /path/to/profile.json`
On Tue, Aug 8, 2017 at 10:31 PM, cason wrote:
@cpuguy83 I have a problem that I need the specific seccomp profile when executing docker build to prevent system vulnerability, such as CVE-2017-7533. I need to disable inotify_init and inotify_init1 syscall, and how can I do that?
--
- Brian Goff
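The suggestion above is to hand the daemon a custom default profile with `--seccomp-profile` (or the `seccomp-profile` key in daemon.json), which then applies to every container that does not pass its own `--security-opt`, build RUN steps included. The following is an added example, not code from this thread or from Docker: a small Python helper that takes a profile in Docker's seccomp JSON layout and strips named syscalls (here `inotify_init` and `inotify_init1`, as asked above) out of the allow rules so they fall through to `defaultAction`. The sample profile is a constructed stub standing in for the real default profile, and `deny_syscalls` / `allowed_syscalls` are names chosen here.

```python
import json
from copy import deepcopy

# Constructed miniature profile in Docker's seccomp JSON layout. The real default
# profile allows several hundred syscalls; this stub only exercises the logic.
SAMPLE_PROFILE = {
    "defaultAction": "SCMP_ACT_ERRNO",
    "syscalls": [
        {"names": ["read", "write", "inotify_init", "inotify_init1", "inotify_add_watch"],
         "action": "SCMP_ACT_ALLOW", "args": []},
        {"name": "clone", "action": "SCMP_ACT_ALLOW", "args": []},  # legacy single-name form
    ],
}

def deny_syscalls(profile, denied):
    """Return a copy of `profile` with every syscall in `denied` removed from the
    SCMP_ACT_ALLOW rules, so the kernel applies defaultAction (deny) to it instead."""
    denied = set(denied)
    out = deepcopy(profile)
    # Removing an allow rule only denies anything if the fallthrough action is a deny.
    if out.get("defaultAction") != "SCMP_ACT_ERRNO":
        raise ValueError("defaultAction must be SCMP_ACT_ERRNO for removal to deny")
    kept = []
    for rule in out.get("syscalls", []):
        if rule.get("action") != "SCMP_ACT_ALLOW":
            kept.append(rule)  # explicit errno/trap/trace rules are left untouched
            continue
        names = rule["names"] if "names" in rule else [rule["name"]]
        names = [n for n in names if n not in denied]
        if not names:
            continue  # the rule allowed only denied syscalls: drop it entirely
        if "names" in rule:
            rule["names"] = names
        else:
            rule["name"] = names[0]
        kept.append(rule)
    out["syscalls"] = kept
    return out

def allowed_syscalls(profile):
    """Flatten a profile's SCMP_ACT_ALLOW rules into the set of permitted syscall names."""
    names = set()
    for rule in profile.get("syscalls", []):
        if rule.get("action") == "SCMP_ACT_ALLOW":
            names.update(rule["names"] if "names" in rule else [rule["name"]])
    return names

if __name__ == "__main__":
    hardened = deny_syscalls(SAMPLE_PROFILE, ["inotify_init", "inotify_init1"])
    # Save this and start the daemon with --seccomp-profile <file> to make it the default.
    print(json.dumps(hardened, indent=2))
```

Because the result becomes the daemon-wide default, verify it against your existing workloads before deploying, since any container that relied on a removed syscall will start failing with EPERM.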
@cpuguy83 OK. Thank you……
@CasonChan The builder is a bit touchy in that we don't want the builder to be able to produce non-portable images. Allowing full access to
Looks like this question is answered, so closing this issue
I'm trying to build a docker image for centos:7 that restricts system commands which any user (including root) can execute inside a docker machine. My intention is that I want to build a docker image with the security profile that I need and then use that as my base image to build other application images, thereby inheriting the security profile from the base image. Is this doable? Am I missing something?
@cpuguy83 This is a lot moot as most people would see that error and simply change their dockerfile to:

```dockerfile
FROM scratch
ADD image.tar.gz /
CMD ["whatever"]
```
@cpuguy83 How?
And what is the equivalent of This is getting ridiculous, I am just trying to update a recent ubuntu via
It's an option on the daemon, so needs to be set either in the systemd unit file, or in the but doing so will disable seccomp for all containers and I don't think the option currently passed through to
The daemon currently does not support the "named" profiles (and thus, doesn't accept
What version of
I fail to see how this is an image portability issue. Analogously, why would you need the same privileges to build a system as to run a process on that system? What do you do in environments where container developers have to have some kind of restrictions set? You can do this using an AuthZ plugin, or supposedly that was the intent. You can say, Basically, you have two options:
You can require containers to run as non-root. But how would you prevent a container from running the I mean, you can use user namespaces, but those are clunky and difficult to manage on a multi-host system. Why use a client/server model, if there's so little support for actually restricting access?
As I understand it this class of errors comes about because docker (slightly) mis-uses host system security filters. Because Neither This will have the effect that later versions of
There are two/three related, but distinct issues discussed in this ticket:
For the last one ( For
--seccomp-profile
Description
Steps to reproduce the issue:
You can execute the command "docker build", and append the parameter "--security-opt seccomp=[SECCOMP PROFILE]" in the Linux or macOS system.
Describe the results you received:
Thus it emits the following error message:
Error response from daemon: the daemon on this platform does not support --security-opt to build
Describe the results you expected:
The command "docker build" can support the parameter "--security-opt seccomp=" when building docker image from Dockerfile in the macOS or Linux system.
Additional information you deem important (e.g. issue happens only occasionally):
Otherwise, I saw the docker engine source code (v17.06), and it sets SecurityOpt in HostConfig when executing the RUN instruction. However, why should it check the runtime OS type, and why must it be the Windows platform in the newImageBuildOptions method?
The code is: