Open ChinnoDog opened 1 year ago
`@{HOME}/.ssh/** r,` seems dangerous, as it gives the docker binary access to the private ssh key. It would be best if docker were only allowed to talk to an existing gpg-agent running as the user, without having direct access to private keys that could be in .ssh, with ssh-agent being separately confined. Reading .pub files in .ssh is fine, however.
I don't know if there is an existing interface to access the ssh client, or if this could be added to the docker-support interface itself. This should probably be filed as a request against snapd itself.
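As an added example (not code from the issue, the docker snap or snapd), here is a small Python checker that applies AppArmor file-rule semantics to a profile fragment and reports which of ssh's default private-key files under ~/.ssh the confined program could read. It models the quoted `@{HOME}/.ssh/** r,` rule next to a tighter fragment that allows only `*.pub`, `config` and `known_hosts` and explicitly denies the default key names. The home path `/home/alice`, the two profile fragments and all function names are assumptions made for the example; the glob translator covers `@{VAR}`, `*`, `**`, `?` and simple `{a,b}` alternation only.

```python
import re

# Assumed expansion of the @{HOME} tunable for this example; real profiles
# get it from /etc/apparmor.d/tunables/home.
VARS = {"@{HOME}": "/home/alice"}

# Default private-key file names ssh(1) looks for (constructed list).
DEFAULT_PRIVATE_KEYS = ("id_rsa", "id_ecdsa", "id_ed25519", "id_dsa")

# Constructed fragment modelled on the rule quoted in the issue.
LOOSE_PROFILE = """\
@{HOME}/.ssh/** r,
"""

# Constructed hardened fragment: only public keys, the client config and
# known_hosts are readable. The deny rule is belt-and-braces: AppArmor
# subtracts deny rules from the allow set, so a broad allow added later
# still cannot re-open the default private keys.
TIGHT_PROFILE = """\
owner @{HOME}/.ssh/*.pub r,
owner @{HOME}/.ssh/config r,
owner @{HOME}/.ssh/known_hosts r,
deny @{HOME}/.ssh/id_{rsa,ecdsa,ed25519,dsa} r,
"""


def _glob_to_regex(pattern):
    """Translate an AppArmor path glob into an anchored regex.

    Handles @{VAR} expansion, ** (crosses '/'), * and ? (do not cross '/')
    and simple {a,b} alternation. Character classes are not supported and
    are escaped literally.
    """
    for var, val in VARS.items():
        pattern = pattern.replace(var, val)
    if "@{" in pattern:
        raise ValueError(f"unknown variable in {pattern!r}")
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out.append(".*"); i += 2
        elif pattern[i] == "*":
            out.append("[^/]*"); i += 1
        elif pattern[i] == "?":
            out.append("[^/]"); i += 1
        elif pattern[i] == "{":
            j = pattern.index("}", i)
            alts = [re.escape(a) for a in pattern[i + 1:j].split(",")]
            out.append("(" + "|".join(alts) + ")"); i = j + 1
        else:
            out.append(re.escape(pattern[i])); i += 1
    return re.compile("^" + "".join(out) + "$")


def parse_file_rules(profile_text):
    """Return (deny, path_regex, perms) for every file rule in the text.

    Non-file rules (capability, network, unix, #include, ...) are skipped.
    """
    rules = []
    for raw in profile_text.splitlines():
        line = raw.strip()
        if not line.endswith(",") or line.startswith("#"):
            continue
        tokens = line[:-1].split()
        deny = False
        if tokens and tokens[0] == "deny":
            deny, tokens = True, tokens[1:]
        if tokens and tokens[0] == "owner":   # same-uid qualifier; irrelevant here
            tokens = tokens[1:]
        if len(tokens) != 2:
            continue
        a, b = tokens
        if a.startswith(("/", "@{")):
            path, perms = a, b                # "path perms" form
        elif b.startswith(("/", "@{")):
            path, perms = b, a                # "perms path" form
        else:
            continue
        rules.append((deny, _glob_to_regex(path), set(perms)))
    return rules


def can_read(rules, path):
    """True if the profile grants 'r' on path; any matching deny wins."""
    allowed = False
    for deny, rx, perms in rules:
        if "r" in perms and rx.match(path):
            if deny:
                return False
            allowed = True
    return allowed


def exposed_private_keys(profile_text, keys=DEFAULT_PRIVATE_KEYS):
    """List the default private-key files the profile lets the program read."""
    rules = parse_file_rules(profile_text)
    home = VARS["@{HOME}"]
    return [k for k in keys if can_read(rules, f"{home}/.ssh/{k}")]


if __name__ == "__main__":
    for name, text in (("loose", LOOSE_PROFILE), ("tight", TIGHT_PROFILE)):
        print(f"{name} profile exposes: {exposed_private_keys(text)}")
```

The checker only models file rules: letting ssh reach an already running ssh-agent is a unix socket rule, which this code deliberately does not evaluate. Note also that the deny list catches the default key names only, so the real protection is not granting the broad `**` read in the first place.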
I'm trying to run Docker on a remote host over ssh using the built-in functionality, as explained in this post, but I get an error instead.
There is a corresponding event for this.
I updated `/var/lib/snapd/apparmor/profiles/snap.docker.docker` with entries for this error and the subsequent ones that occurred, using the lines below. This is my first time updating an AppArmor profile, so it might not follow best practices. I then ran `apparmor_parser -r /var/lib/snapd/apparmor/profiles/snap.docker.docker` to apply it. It seems to work now.