Cannot reload or start AppArmor in Docker

Here is my Dockerfile:

FROM ubuntu:14.04

RUN apt-get update

RUN apt-get install -y software-properties-common
RUN apt-get install -y python-software-properties

RUN add-apt-repository ppa:chris-lea/node.js
RUN apt-get update
RUN apt-get install -y nodejs

RUN apt-get install -y apparmor-profiles
RUN apt-get install -y apparmor-utils

ADD server.js /folder1/
ADD usr.bin.nodejs /etc/apparmor.d/

RUN service apparmor reload

CMD node /folder1/server.js

Here is usr.bin.nodejs:

    #include <tunables/global>

    /usr/bin/nodejs {
      #include <abstractions/base>

      /usr/bin/nodejs mr,
      /folder1/server.js r,
      /folder1/repo/** ralkmix,
      network,

    }


I run sudo docker build -t scadge/test-one . to build this image. On Step 7 : RUN apt-get install -y apparmor-profiles I get the red messages invoke-rc.d: policy-rc.d denied execution of start and invoke-rc.d: policy-rc.d denied execution of reload. Also on Step 11 : RUN service apparmor reload I get the following:

     * Reloading AppArmor profiles
     * Mounting securityfs on /sys/kernel/security...
    mount: permission denied
        ...fail!
        ...fail!
    

...and sure enough, the AppArmor profiles are not working. So how do I make AppArmor work in Docker? I would also like to add that all this works fine on my desktop Ubuntu 14.04, downloaded from the official site.

One solution:

First, a disclaimer. You don’t want to do this!

Because reloading AppArmor profiles in the container reloads them in the host!

This is because the Docker container shares the running Linux kernel with the host.

The container itself is already confined using the /etc/apparmor.d/docker profile, BTW.

Now, if you’re really sure you want to load the host AppArmor profiles from the container…

The problem is kind of obvious: AppArmor can’t mount the securityfs.

You can enable the mount by using the --privileged option.

You can also enable it with the SYS_ADMIN capability:

    docker run --cap-add=SYS_ADMIN debian:jessie sh -c 'mount -t securityfs none /mnt && echo Done!'

If you use the SYS_ADMIN option then you’d have to edit the /etc/apparmor.d/docker profile on the host and comment out all the deny lines involving the /sys/kernel branch.

Again, this is most probably not something you want to do.
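As an added example (not part of the question or the answer above), here is the host-side workflow that sidesteps the securityfs problem entirely: the profile is loaded into the shared kernel by the host with apparmor_parser, and Docker attaches it to the container with --security-opt apparmor=NAME, so nothing inside the container needs securityfs, SYS_ADMIN or --privileged. The profile name docker-nodejs, the image name scadge/test-one, and the extra exec rules for /bin/sh, /bin/dash and /usr/bin/node are assumptions for this example. The question's own profile is attached to the path /usr/bin/nodejs, which is the wrong shape for a container-wide profile: Docker applies the named profile to the container's first process (here /bin/sh -c, because the CMD is in shell form), and every child inherits it, so the shell and the interpreter both need exec (ix) rules.

```shell
#!/bin/sh
# Added example: load an AppArmor profile on the Docker HOST and attach it to
# a container, instead of reloading AppArmor inside the container.
# Assumed names: profile "docker-nodejs", image "scadge/test-one".
set -eu

PROFILE_NAME=docker-nodejs
PROFILE_PATH=/etc/apparmor.d/docker-nodejs
IMAGE=scadge/test-one

# Named, container-wide profile adapted from the question's usr.bin.nodejs.
# attach_disconnected is what Docker's own docker-default profile uses; the
# extra ix rules exist because "CMD node /folder1/server.js" runs via /bin/sh.
# To find what a too-tight profile blocks, run on the host:
#   aa-complain /etc/apparmor.d/docker-nodejs; dmesg | grep 'apparmor="ALLOWED"'
write_profile() {
    cat <<'EOF'
#include <tunables/global>

profile docker-nodejs flags=(attach_disconnected) {
  #include <abstractions/base>

  network,

  /bin/sh ix,
  /bin/dash ix,
  /usr/bin/node ix,
  /usr/bin/nodejs rmix,
  /folder1/server.js r,
  /folder1/repo/** ralkmix,

  # nothing in this container should ever touch securityfs or the rest of /sys
  deny /sys/** rwklx,
}
EOF
}

# True if the kernel already has a profile of this name loaded.
# /sys/kernel/security/apparmor/profiles lists one "name (mode)" per line;
# a different file may be passed as $2 (used by the self-test below).
profile_loaded() {
    name=$1
    profiles_file=${2:-/sys/kernel/security/apparmor/profiles}
    [ -r "$profiles_file" ] || return 1
    grep -q "^$name (" "$profiles_file"
}

# The docker invocation that attaches the host-loaded profile to the container.
build_run_cmd() {
    printf 'docker run --rm --security-opt apparmor=%s %s\n' "$PROFILE_NAME" "$IMAGE"
}

# Only touch the host when explicitly asked: ./this.sh --apply (as root).
if [ "${1:-}" = "--apply" ]; then
    [ "$(id -u)" -eq 0 ] || { echo "run as root on the Docker host" >&2; exit 1; }
    write_profile > "$PROFILE_PATH"
    # -r: replace an already-loaded profile of the same name, -W: write the cache.
    apparmor_parser -r -W "$PROFILE_PATH"
    profile_loaded "$PROFILE_NAME" || { echo "profile $PROFILE_NAME not loaded" >&2; exit 1; }
    # The generated command has no quoted arguments, so word splitting is intended.
    exec $(build_run_cmd)
fi
```

Because the load happens on the host, the container image needs neither apparmor-profiles, apparmor-utils nor the RUN service apparmor reload step; the policy-rc.d and "mount: permission denied" errors in the question disappear because nothing in the build tries to talk to securityfs any more. Start with the profile in complain mode and tighten it from the logged denials before switching to enforce.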
