This article describes how to disable Docker's AppArmor confinement for ptrace_scope; readers facing the same problem may find it a useful reference.

Problem description

Is it possible to disable AppArmor for a particular Docker container? I want to make ptrace accessible so I can attach gdb to a running process, but I run into the following issue when I want to change the setting:

root@fbf728150308:/gopath# echo 0 > /proc/sys/kernel/yama/ptrace_scope
bash: /proc/sys/kernel/yama/ptrace_scope: Read-only file system

Recommended answer

AppArmor can be disabled either by running unconfined, or as a privileged container:

  • --security-opt apparmor=unconfined (or apparmor:unconfined for docker 1.10 and below)
  • --privileged

However, a better option is to create a new profile that enables ptrace. You can use the docker AppArmor profile as a starting point (found in /etc/apparmor.d/docker), and append the ptrace peer=@{profile_name} rule.

You will also need to pass --security-opt seccomp=unconfined
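The profile-based approach the answer recommends, as an added example that is not part of the original question or answer. The script derives a new profile from an existing Docker AppArmor profile by renaming its header and inserting the ptrace peer=@{profile_name} rule before the closing brace, then builds the docker run flags that use it. The profile name docker-ptrace, the helper names and the minimal sample profile are assumptions made for this example; in addition to the two --security-opt flags from the answer it passes --cap-add SYS_PTRACE, which Yama's ptrace_scope=1 (the Ubuntu default) requires for attaching to a process that is not the debugger's child. Two points worth knowing before reaching for --privileged instead: Docker mounts /proc/sys read-only in ordinary containers, which is why the echo in the question fails, and kernel.yama.ptrace_scope is a host-wide sysctl rather than a per-container one, so writing 0 to it from a privileged container relaxes ptrace restrictions for every process on the host.

```shell
#!/bin/sh
# Added example, not code from the original question or answer.
# Derives a ptrace-enabled AppArmor profile from an existing Docker profile
# (using /etc/apparmor.d/docker as the starting point, as the answer suggests)
# and builds the docker run flags to use it. The profile name "docker-ptrace"
# and the sample profile below are assumptions made for this example.

# derive_ptrace_profile SRC NEW_NAME
# Prints SRC with its profile header renamed to NEW_NAME and the rule
# "ptrace peer=@{profile_name}," inserted before the last closing brace.
# @{profile_name} is AppArmor's variable for the current profile's name, so
# confined processes may trace each other (gdb attaching inside the container)
# but not processes running under other profiles or unconfined on the host.
derive_ptrace_profile() {
    src="$1"
    name="$2"
    # Assumes a standard header line of the form "profile <name> ... {".
    sed -E "s/^profile [^ ]+/profile ${name}/" "$src" |
    awk -v rule='  ptrace peer=@{profile_name},' '
        { lines[NR] = $0; if ($0 ~ /^}/) last = NR }   # remember the last closing brace
        END {
            for (i = 1; i <= NR; i++) {
                if (i == last) print rule
                print lines[i]
            }
        }'
}

# docker_ptrace_args PROFILE
# Prints the docker run flags: the custom AppArmor profile and an unconfined
# seccomp filter (both from the answer), plus CAP_SYS_PTRACE, which Yama
# ptrace_scope=1 (the Ubuntu default) requires for attaching to a process that
# is not a child of the debugger. The capability flag is an addition that the
# original answer does not mention.
docker_ptrace_args() {
    printf '%s' "--security-opt apparmor=$1 --security-opt seccomp=unconfined --cap-add SYS_PTRACE"
}

# sample_profile: a constructed, minimal stand-in for /etc/apparmor.d/docker,
# used so the derivation can be exercised without touching the host.
sample_profile() {
    cat <<'EOF'
#include <tunables/global>
profile docker-default flags=(attach_disconnected,mediate_deleted) {
  #include <abstractions/base>
  network,
  capability,
  file,
  deny @{PROC}/sys/kernel/** w,
}
EOF
}

# demo_derived_profile: runs the derivation over the constructed sample and
# prints the resulting profile text.
demo_derived_profile() {
    tmp=$(mktemp)
    sample_profile > "$tmp"
    derive_ptrace_profile "$tmp" docker-ptrace
    rm -f "$tmp"
}

# Real use on a host (requires root; not executed by default):
#   derive_ptrace_profile /etc/apparmor.d/docker docker-ptrace > /etc/apparmor.d/docker-ptrace
#   apparmor_parser -r /etc/apparmor.d/docker-ptrace
#   docker run --rm -it $(docker_ptrace_args docker-ptrace) ubuntu bash
if [ "${1:-}" = "demo" ]; then
    demo_derived_profile
fi
```

Run the script with the demo argument to see the derived profile; the commented commands at the bottom show the real sequence on a host, where apparmor_parser -r loads the new profile before the container starts. Keeping ptrace limited to peer=@{profile_name} means a debugger in the container can attach to other processes in the same container but not to host processes or to containers running under a different profile, which is why this is preferable to either --privileged or apparmor=unconfined.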


07-29 15:29