
Comments (6)

j1nx avatar j1nx commented on June 17, 2024 1

I might chime in on this one as soon as I've figured out my own runc/docker/containerd/apparmor issues.

from ovos-docker.

j1nx avatar j1nx commented on June 17, 2024 1

Not yet back on the apparmor fight, however it should be soon / somewhere this week.


j1nx avatar j1nx commented on June 17, 2024 1

Quick update.

Finally I am able to run the containers using a podman rootless installation. Currently both SELinux and AppArmor are not yet enabled. Have some other things to tweak/create/fix to get everything running within the architecture that I have in mind. After that, when everything works as expected, I will revisit the podman install and enable AppArmor.


goldyfruit avatar goldyfruit commented on June 17, 2024

@j1nx, since you are using these images with buildroot, have you been able to dig a bit more into AppArmor?


goldyfruit avatar goldyfruit commented on June 17, 2024

Did some research on AppArmor and Docker and basically there is almost nothing to do from a container perspective.

The main requirement is to enable AppArmor in the kernel by adding apparmor=1 security=apparmor to the kernel command line.

Once rebooted, Docker will automatically load the docker-default profile.

$ docker system info -f json | jq .SecurityOptions -r
[
  "name=apparmor",
  "name=seccomp,profile=builtin",
  "name=cgroupns"
]

Running aa-status will confirm that containers are running in enforce mode.

goldyfruit@rpi3b:~ $ sudo aa-status
apparmor module is loaded.
32 profiles are loaded.
11 profiles are in enforce mode.
...
   docker-default
...
20 processes are in enforce mode.
   /usr/bin/bash (1286) docker-default
   /usr/bin/sleep (1294) docker-default
   /usr/bin/python3.11 (1295) docker-default
   /usr/bin/python3.11 (1297) docker-default
   /usr/bin/python3.11 (1370) docker-default
   /usr/bin/bash (1415) docker-default
   /usr/bin/python3.11 (1416) docker-default
   /usr/bin/bash (1457) docker-default
   /usr/bin/python3.11 (1502) docker-default
   /usr/bin/python3.11 (1530) docker-default
   /usr/bin/bash (1612) docker-default
   /usr/bin/python3.11 (1622) docker-default
   /usr/bin/python3.11 (1698) docker-default
   /bin/node_exporter (1736) docker-default
   /usr/bin/python3.11 (1887) docker-default
   /usr/bin/python3.11 (1909) docker-default
   /usr/bin/python3.11 (1925) docker-default
   /usr/bin/python3.11 (1931) docker-default
   /usr/bin/python3.11 (2329) docker-default
   /usr/bin/python3.11 (2346) docker-default
...

Up to us to add an ovos profile for AppArmor if required, but for now I don't think it is.

Feel free to re-open it.

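The three checks walked through in the comment above (kernel command line, Docker's SecurityOptions, aa-status) collected into one host audit script, as an added example that is not part of this thread or of ovos-docker. It assumes `docker`, `sudo aa-status` and `/proc/cmdline` are available for the live run; the parsing helpers take their input as an argument and are exercised on constructed sample output so they can be checked offline.

```shell
#!/bin/sh
# Added example, not ovos-docker project code: audit whether a Docker host really
# confines containers with AppArmor. Helpers parse text passed as an argument;
# audit_host feeds them live output (assumes docker and sudo aa-status exist).

# 0 when the kernel command line text enables AppArmor as the active LSM.
cmdline_enables_apparmor() {
    printf '%s\n' "$1" | grep -qw 'apparmor=1' &&
        printf '%s\n' "$1" | grep -qw 'security=apparmor'
}

# 0 when raw `docker system info -f json` output lists AppArmor under SecurityOptions.
docker_has_apparmor() {
    printf '%s' "$1" | grep -q '"name=apparmor"'
}

# Prints how many processes aa-status reports as confined by PROFILE in enforce mode.
# Only the enforce section counts: a loaded profile whose processes are unconfined gives 0.
count_enforced() {
    printf '%s\n' "$1" | awk -v profile="$2" '
        /processes are in enforce mode/  { in_enforce = 1; next }
        /processes are in complain mode/ { in_enforce = 0 }
        /processes are unconfined/       { in_enforce = 0 }
        in_enforce && $NF == profile     { n++ }
        END { print n + 0 }'
}

# Live audit of this host; returns non-zero on the first failed check.
audit_host() {
    cmdline_enables_apparmor "$(cat /proc/cmdline)" ||
        { echo "FAIL: apparmor=1 security=apparmor missing from kernel cmdline"; return 1; }
    docker_has_apparmor "$(docker system info -f json)" ||
        { echo "FAIL: Docker does not report name=apparmor in SecurityOptions"; return 1; }
    n=$(count_enforced "$(sudo aa-status)" docker-default)
    [ "$n" -gt 0 ] || { echo "FAIL: no process confined by docker-default"; return 1; }
    echo "OK: $n container processes confined by docker-default (enforce)"
}

# Constructed samples shaped like the real outputs, used for the offline checks.
SAMPLE_CMDLINE='console=serial0,115200 root=/dev/mmcblk0p2 apparmor=1 security=apparmor'
SAMPLE_INFO='{"SecurityOptions":["name=apparmor","name=seccomp,profile=builtin","name=cgroupns"]}'
SAMPLE_STATUS='apparmor module is loaded.
2 processes are in enforce mode.
   /usr/bin/bash (1286) docker-default
   /usr/bin/python3.11 (1295) docker-default
1 processes are unconfined but have a profile defined.
   /usr/bin/python3.11 (2000) docker-default'

if [ "${1:-}" = "--live" ]; then audit_host; fi
```

Run it with `--live` on the host to perform the real audit; without arguments it only defines the helpers.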

j1nx avatar j1nx commented on June 17, 2024

That looks about where I left off indeed.

docker might bring some additional security, however I agree with you that it has nothing to do with the ovos-docker containers themselves.

