Question
Is it possible to disable AppArmor for a particular Docker container? I want to make ptrace accessible so I can attach gdb to a running process but run into the following issue when I want to change the setting:
root@fbf728150308:/gopath# echo 0 > /proc/sys/kernel/yama/ptrace_scope
bash: /proc/sys/kernel/yama/ptrace_scope: Read-only file system
Answer 1:
AppArmor can be disabled either by running unconfined, or as a privileged container:
--security-opt apparmor=unconfined
(or apparmor:unconfined for docker 1.10 and below)
--privileged
However, a better option is to create a new profile that enables ptrace. You can use the docker AppArmor profile as a starting point (found in /etc/apparmor.d/docker), and append the ptrace peer=@{profile_name} rule.
You will also need to disable seccomp (unless using privileged), through --security-opt seccomp=unconfined.
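The custom-profile route from the answer, worked through as an added example (not code from the original post): a shell script that writes a docker-default-shaped AppArmor profile with the ptrace peer=@{profile_name} rule and prints the matching docker run line. The profile name docker-ptrace, the /etc/apparmor.d/ location and the image name are assumptions; the extra --cap-add=SYS_PTRACE flag is my addition, since the Yama ptrace_scope sysctl from the question cannot be changed from inside the container.

```shell
#!/bin/sh
# Added example, not from the original post: a Docker AppArmor profile shaped
# like docker-default but allowing ptrace, plus the matching docker run line.
# Assumed names: profile docker-ptrace, directory /etc/apparmor.d/, caller's image.

PROFILE_NAME="docker-ptrace"

# $1 = output path. The deny rules are a trimmed subset of docker-default;
# copy the full set from your host's docker profile before relying on this.
write_ptrace_profile() {
  cat > "$1" <<EOF
#include <tunables/global>
profile ${PROFILE_NAME} flags=(attach_disconnected,mediate_deleted) {
  #include <abstractions/base>
  network,
  capability,
  file,
  umount,
  signal (send,receive) peer=${PROFILE_NAME},
  signal (receive) peer=unconfined,
  deny @{PROC}/sysrq-trigger rwklx,
  deny @{PROC}/kcore rwklx,
  deny mount,
  deny /sys/firmware/** rwklx,
  deny /sys/kernel/security/** rwklx,
  # The rule from the answer: processes under this profile may trace and be
  # traced by each other. With no mode list, all ptrace permissions apply.
  ptrace peer=@{profile_name},
}
EOF
}

# $1 = image. Echoed, not executed, so the granted settings stay reviewable.
# --cap-add=SYS_PTRACE: with Yama ptrace_scope=1 (the host sysctl that is
# read-only inside the container) only ancestors or CAP_SYS_PTRACE holders may
# attach, and Docker's default capability set omits it. seccomp=unconfined
# follows the answer; Docker 19.03+ default seccomp already allows ptrace on
# kernels 4.8 and newer, so drop that flag there.
debug_run_cmd() {
  echo "docker run -it --rm" \
    "--security-opt apparmor=${PROFILE_NAME}" \
    "--cap-add=SYS_PTRACE" \
    "--security-opt seccomp=unconfined" \
    "$1"
}

# On the host, to load the profile into the kernel and start the container:
#   write_ptrace_profile /etc/apparmor.d/${PROFILE_NAME}
#   apparmor_parser -r -W /etc/apparmor.d/${PROFILE_NAME}
#   $(debug_run_cmd debian:bookworm)
```

Compared with apparmor=unconfined or --privileged, this keeps every other docker-default restriction in force and grants only the ptrace rule and capability that gdb needs.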
Source: https://stackoverflow.com/questions/37072468/disable-apparmor-for-docker-for-ptrace-scope