Merge pull request #46852 from thaJeztah/fix_systemdind_apparmor
hack/dind-systemd: make AppArmor work with systemd enabled
This commit is contained in:
Sebastiaan van Stijn
GitHub
commit
f6533a1df1
2 changed files with 69 additions and 0 deletions
31
hack/dind
31
hack/dind
|
|
@ -11,8 +11,39 @@ set -e
|
|||
# Usage: dind CMD [ARG...]
|
||||
|
||||
# apparmor sucks and Docker needs to know that it's in a container (c) @tianon
|
||||
#
|
||||
# Set the container env-var, so that AppArmor is enabled in the daemon and
|
||||
# containerd when running docker-in-docker.
|
||||
#
|
||||
# see: https://github.com/containerd/containerd/blob/787943dc1027a67f3b52631e084db0d4a6be2ccc/pkg/apparmor/apparmor_linux.go#L29-L45
|
||||
# see: https://github.com/moby/moby/commit/de191e86321f7d3136ff42ff75826b8107399497
|
||||
export container=docker
|
||||
|
||||
# Allow AppArmor to work inside the container;
|
||||
#
|
||||
# aa-status
|
||||
# apparmor filesystem is not mounted.
|
||||
# apparmor module is loaded.
|
||||
#
|
||||
# mount -t securityfs none /sys/kernel/security
|
||||
#
|
||||
# aa-status
|
||||
# apparmor module is loaded.
|
||||
# 30 profiles are loaded.
|
||||
# 30 profiles are in enforce mode.
|
||||
# /snap/snapd/18357/usr/lib/snapd/snap-confine
|
||||
# ...
|
||||
#
|
||||
# Note: https://0xn3va.gitbook.io/cheat-sheets/container/escaping/sensitive-mounts#sys-kernel-security
|
||||
#
|
||||
# ## /sys/kernel/security
|
||||
#
|
||||
# In /sys/kernel/security mounted the securityfs interface, which allows
|
||||
# configuration of Linux Security Modules. This allows configuration of
|
||||
# AppArmor policies, and so access to this may allow a container to disable
|
||||
# its MAC system.
|
||||
#
|
||||
# Given that we're running privileged already, this should not be an issue.
|
||||
if [ -d /sys/kernel/security ] && ! mountpoint -q /sys/kernel/security; then
|
||||
mount -t securityfs none /sys/kernel/security || {
|
||||
echo >&2 'Could not mount /sys/kernel/security.'
|
||||
|
|
|
|||
|
|
@ -1,5 +1,11 @@
|
|||
#!/bin/bash
|
||||
set -e
|
||||
|
||||
# Set the container env-var, so that AppArmor is enabled in the daemon and
|
||||
# containerd when running docker-in-docker.
|
||||
#
|
||||
# see: https://github.com/containerd/containerd/blob/787943dc1027a67f3b52631e084db0d4a6be2ccc/pkg/apparmor/apparmor_linux.go#L29-L45
|
||||
# see: https://github.com/moby/moby/commit/de191e86321f7d3136ff42ff75826b8107399497
|
||||
container=docker
|
||||
export container
|
||||
|
||||
|
|
@ -18,6 +24,38 @@ fi
|
|||
# running in a container.
|
||||
mount --make-rshared /
|
||||
|
||||
# Allow AppArmor to work inside the container;
|
||||
#
|
||||
# aa-status
|
||||
# apparmor filesystem is not mounted.
|
||||
# apparmor module is loaded.
|
||||
#
|
||||
# mount -t securityfs none /sys/kernel/security
|
||||
#
|
||||
# aa-status
|
||||
# apparmor module is loaded.
|
||||
# 30 profiles are loaded.
|
||||
# 30 profiles are in enforce mode.
|
||||
# /snap/snapd/18357/usr/lib/snapd/snap-confine
|
||||
# ...
|
||||
#
|
||||
# Note: https://0xn3va.gitbook.io/cheat-sheets/container/escaping/sensitive-mounts#sys-kernel-security
|
||||
#
|
||||
# ## /sys/kernel/security
|
||||
#
|
||||
# In /sys/kernel/security mounted the securityfs interface, which allows
|
||||
# configuration of Linux Security Modules. This allows configuration of
|
||||
# AppArmor policies, and so access to this may allow a container to disable
|
||||
# its MAC system.
|
||||
#
|
||||
# Given that we're running privileged already, this should not be an issue.
|
||||
if [ -d /sys/kernel/security ] && ! mountpoint -q /sys/kernel/security; then
|
||||
mount -t securityfs none /sys/kernel/security || {
|
||||
echo >&2 'Could not mount /sys/kernel/security.'
|
||||
echo >&2 'AppArmor detection and --privileged mode might break.'
|
||||
}
|
||||
fi
|
||||
|
||||
env > /etc/docker-entrypoint-env
|
||||
|
||||
cat > /etc/systemd/system/docker-entrypoint.target << EOF
|
||||
|
|
|
|||
Loading…
Reference in a new issue