Skip to content

Latest commit

 

History

History
48 lines (37 loc) · 1.59 KB

apparmor.md

File metadata and controls

48 lines (37 loc) · 1.59 KB
Raw

AppArmor

If your Docker host has AppArmor activated, you'll need to perform additional steps to allow the container to start an NFS server.

  1. Ensure you have the apparmor-utils installed package installed on the Docker host. e.g. for Debian or Ubuntu:

    $ sudo apt-get install apparmor-utils

  2. Create a file on the Docker host with the following contents:

    #include <tunables/global>
profile erichough-nfs flags=(attach_disconnected,mediate_deleted) {
  #include <abstractions/lxc/container-base>
  mount fstype=nfs*,
  mount fstype=rpc_pipefs,
}

  3. Load this profile into the kernel with apparmor_parser:

    $ sudo apparmor_parser -r -W /path/to/file/from/previous/step

  4. Add --security-opt apparmor=erichough-nfs to your docker run command. e.g.

    docker run                                \
  -v /path/to/share:/nfs                  \
  -v /path/to/exports.txt:/etc/exports:ro \
  --cap-add SYS_ADMIN                     \
  -p 2049:2049                            \
  --security-opt apparmor=erichough-nfs   \
  erichough/nfs-server

    or in docker-compose.yml:

    version: 3
services:
  nfs:
    image: erichough/nfs-server
    volumes:
      - /path/to/share:/nfs
      - /path/to/exports.txt:/etc/exports:ro
    cap_add:
      - SYS_ADMIN
    ports:
      - 2049:2049
    security_opt:
      - apparmor=erichough-nfs