Disable AppArmor for Docker for ptrace_scope

Posted by 爱⌒轻易说出口 on 2020-04-13 10:26:15

Question


Is it possible to disable AppArmor for a particular Docker container? I want to make ptrace accessible so I can attach gdb to a running process but run into the following issue when I want to change the setting:

root@fbf728150308:/gopath# echo 0 > /proc/sys/kernel/yama/ptrace_scope
bash: /proc/sys/kernel/yama/ptrace_scope: Read-only file system

Answer 1:


AppArmor can be disabled either by running unconfined, or as a privileged container:

  • --security-opt apparmor=unconfined (or apparmor:unconfined for docker 1.10 and below)
  • --privileged

However, a better option is to create a new profile that enables ptrace. You can use the docker AppArmor profile as a starting point (found in /etc/apparmor.d/docker), and append the ptrace peer=@{profile_name}.

You will also need to disable seccomp (unless using privileged), through --security-opt seccomp=unconfined.
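The following script is an added example, not part of the original question or answer, showing the "dedicated profile" route the answer recommends over --privileged: it emits an AppArmor profile that keeps the usual container denials but adds a ptrace rule, loads it with apparmor_parser, and starts a container under that profile with seccomp switched off. The profile name docker-ptrace and the profile body are constructed for this example (a trimmed-down stand-in, not a copy of the real docker-default profile in /etc/apparmor.d/docker); the image name is whatever you pass as the first argument.

```shell
#!/bin/sh
# Added example (not from the original post): build, load and use a
# dedicated AppArmor profile that permits ptrace inside the container.
# Assumptions: profile name "docker-ptrace"; apparmor_parser and docker
# are on PATH and the script runs as root when actually installing.

PROFILE_NAME="${PROFILE_NAME:-docker-ptrace}"

# Print the profile text for the given profile name on stdout.
# The body is a constructed minimal profile: it keeps the well-known
# docker-default denials but is not the full upstream profile.
profile_text() {
  cat <<EOF
#include <tunables/global>

profile ${1} flags=(attach_disconnected,mediate_deleted) {
  #include <abstractions/base>

  network,
  capability,
  file,
  umount,

  # Usual container hardening: no mounts, no writes to dangerous
  # procfs/sysfs control files.
  deny mount,
  deny @{PROC}/sysrq-trigger rwklx,
  deny @{PROC}/mem rwklx,
  deny @{PROC}/kmem rwklx,
  deny @{PROC}/kcore rwklx,
  deny /sys/firmware/** rwklx,
  deny /sys/kernel/security/** rwklx,

  # The one addition over docker-default: processes confined by this
  # profile may ptrace each other, so gdb can attach inside the container.
  # @{profile_name} is AppArmor's built-in variable for the profile's name.
  ptrace peer=@{profile_name},
}
EOF
}

# Compose the docker run security flags: our profile, plus seccomp
# disabled as the answer describes.
docker_security_flags() {
  printf -- '--security-opt apparmor=%s --security-opt seccomp=unconfined' "$1"
}

# Write the profile to /etc/apparmor.d, (re)load it into the kernel,
# and start an interactive container confined by it.
install_and_run() {
  name="$1"
  image="$2"
  profile_text "$name" > "/etc/apparmor.d/$name"
  apparmor_parser -r -W "/etc/apparmor.d/$name"
  # shellcheck disable=SC2046  # flags are intentionally word-split
  docker run --rm -it $(docker_security_flags "$name") "$image" /bin/bash
}

# Only touch the host when an image name is given on the command line,
# so the functions can be sourced or inspected without side effects.
if [ -n "$1" ]; then
  install_and_run "$PROFILE_NAME" "$1"
fi
```

Run it as `sudo ./ptrace-profile.sh ubuntu:20.04` to load the profile and drop into a shell where gdb can attach to container processes; `aa-status` should then list docker-ptrace as an enforced profile. Two caveats: Docker 19.03 and later already allow ptrace in the default seccomp profile on kernels 4.8+, so check whether dropping seccomp is still needed on your host, and the /proc/sys/kernel/yama/ptrace_scope sysctl from the question is a host-wide Yama setting behind a read-only /proc/sys in the container, which no AppArmor profile changes.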



Source: https://stackoverflow.com/questions/37072468/disable-apparmor-for-docker-for-ptrace-scope
