Passing --security-opt seccomp:filename.json to a container in Docker swarm

Question

I need to pass a custom seccomp profile file to a container running on a Docker swarm. It can be easily done and it works fine with a standalone container using --security-opt option. The problem arises when you try to pass it to a container that is running on a swarm. Docker compose file ver 3 documentation explicitly states that the --security-opt option is ignored for swarm deployments: https://docs.docker.com/compose/compose-file/#security_opt

How can I pass a custom seccomp profile to a container or a service when deployed on a swarm? Is there any other way of changing system restrictions on containers? cap_add and/or cap_drop are not an option. Any ideas? Thanks a million!

Answer 1

There is no option to do this right now in Swarm Mode. If you have containers that require these options, you'll need to run them outside of Swarm Mode.

To track the progress on adding this functionality:

• Moby/moby issue #25209 (upstream of docker-ce): https://github.com/moby/moby/issues/25209
• Swarmkit issue #1030: https://github.com/docker/swarmkit/issues/1030
• Libentitlement: https://github.com/moby/libentitlement

The goal is to have libentitlement give a simple way to adjust capabilities, seccomp, and other security features with a simplified user experience. Whether that happens first, or swarmkit implements something directly, depends on the people submitting the PRs.