search

OpenVoiceOS / ovos-docker

Open Voice OS container images and docker-compose.yml files for x86_64 and aarch64 CPU architectures.
https://openvoiceos.github.io/ovos-docker/
Apache License 2.0
39 stars 11 forks source link

Docker and AppArmor documentation #14

Closed goldyfruit closed 1 year ago

goldyfruit commented 1 year ago

Add information about Docker and AppArmor, potential missing packages and issues.

j1nx commented 1 year ago

I might chime in on this one as soon as I figured out my own runc/docker/containerd/apparmor issues.

goldyfruit commented 1 year ago

@j1nx, since your are using these images with buildroot, have you been able to dig a bit more on AppArmor?

j1nx commented 1 year ago

Not yet back on the apparmor fight, however should be soon / somewhere is week.

j1nx commented 1 year ago

Quick update.

Finally am able to run the containers using podman rootless installation. Currently both SElinux and AppArmor are not yet enabled. Have some other things to tweak/create/fix to get everything running within the architecture that I have in mind. After that when everything works as expected, I will revisit the podman install and enable AppArmor.

goldyfruit commented 1 year ago

Did some research on AppArmor and Docker and basically there is almost nothing to do from a container perspective.

The main requirement is to enable AppArmor in the kernel by adding apparmor=1 security=apparmor to the kernel command line.

Once rebooted, Docker will automatically load the docker-default profile.

$ docker system info -f json | jq .SecurityOptions -r
[
  "name=apparmor",
  "name=seccomp,profile=builtin",
  "name=cgroupns"
]

Running aa-status will confirmed that containers are running in enforce mode.

goldyfruit@rpi3b:~ $ sudo aa-status
apparmor module is loaded.
32 profiles are loaded.
11 profiles are in enforce mode.
...
   docker-default
...
20 processes are in enforce mode.
   /usr/bin/bash (1286) docker-default
   /usr/bin/sleep (1294) docker-default
   /usr/bin/python3.11 (1295) docker-default
   /usr/bin/python3.11 (1297) docker-default
   /usr/bin/python3.11 (1370) docker-default
   /usr/bin/bash (1415) docker-default
   /usr/bin/python3.11 (1416) docker-default
   /usr/bin/bash (1457) docker-default
   /usr/bin/python3.11 (1502) docker-default
   /usr/bin/python3.11 (1530) docker-default
   /usr/bin/bash (1612) docker-default
   /usr/bin/python3.11 (1622) docker-default
   /usr/bin/python3.11 (1698) docker-default
   /bin/node_exporter (1736) docker-default
   /usr/bin/python3.11 (1887) docker-default
   /usr/bin/python3.11 (1909) docker-default
   /usr/bin/python3.11 (1925) docker-default
   /usr/bin/python3.11 (1931) docker-default
   /usr/bin/python3.11 (2329) docker-default
   /usr/bin/python3.11 (2346) docker-default
...

Up to us to add an ovos profile for AppArmor if required but for now I don't think it's.

Feel free to re-open it.

j1nx commented 1 year ago

That looks about where I left off indeed.

docker might bring some additional security however I agree with you that it has nothing to do with the ovos-docker containers itself.