Question: Where does Docker store its default seccomp profile?

It seems like this isn't documented anywhere (at least I couldn't find it). What I could find was the contents of the file on GitHub: https://github.com/moby/moby/blob/master/profiles/seccomp/default.json .

Context:

I currently have two Docker hosts and one container which I want to run. The container worked on one host but did not work on the other. After some debugging and searching online, I found out how to make the container run on the other host as well: this can be achieved by adding --security-opt seccomp:unconfined

This solved the issue I had. Now I want to know the exact difference between the Docker seccomp profiles, and therefore I would like to know where the seccomp profile of Docker is stored.

OS: Ubuntu Server 16.04

Working Docker Host: Docker version 1.12.3, build 6b644ec

Failing Docker Host: Docker version 17.05.0-ce, build 89658be

Mino_e

1 Answer

I've tracked down similar issues by using strace. Make sure strace is installed in the image, or install it temporarily in a running container. When running the container, make sure to start it with --cap-add=SYS_PTRACE to allow syscall tracing. Also, you might want to run strace with -f to follow forked processes.

Do the hosts run different versions of Docker?

Mattias Wadman
  • Hi, thanks for the answer. Yes, they are running two different versions; I added them in the original question. Regarding strace, this is a possibility and I will use it if there is no easy way to look at the profile. But I want to see all the differences so I can make sure I won't have additional problems in the future with different containers. OTOH, just updating both hosts to a newer Docker might be the faster and better option. – Mino_e Aug 16 '18 at 08:05
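
For the profile comparison the question and the comment ask about, the two profile JSON files can be diffed directly. The Python below is an added example, not part of the original thread and not Docker tooling; it assumes both files were saved from the repository path linked in the question at the revisions matching each host, and the embedded OLD and NEW profiles are constructed samples, not Docker's real profiles.

```python
import json
import sys

def allowed_syscalls(profile):
    """Map each allowed syscall name to True if every rule allowing it is conditional.

    Handles entries with a single "name" as well as entries with a "names" list
    that may be gated by "args", "includes" or "excludes".
    """
    allowed = {}
    for rule in profile.get("syscalls", []):
        if rule.get("action") != "SCMP_ACT_ALLOW":
            continue
        names = rule.get("names") or ([rule["name"]] if "name" in rule else [])
        conditional = bool(rule.get("args") or rule.get("includes") or rule.get("excludes"))
        for name in names:
            # An unconditional allow in any rule makes the syscall unconditional.
            allowed[name] = allowed.get(name, True) and conditional
    return allowed

def diff_profiles(old, new):
    """Report what a container loses or gains when moving from old to new."""
    a, b = allowed_syscalls(old), allowed_syscalls(new)
    return {
        "default_action": (old.get("defaultAction"), new.get("defaultAction")),
        "only_in_old": sorted(a.keys() - b.keys()),
        "only_in_new": sorted(b.keys() - a.keys()),
        "now_conditional": sorted(n for n in a.keys() & b.keys() if b[n] and not a[n]),
    }

# Constructed sample profiles (illustrative only, not Docker's actual defaults).
OLD = json.loads("""{"defaultAction": "SCMP_ACT_ERRNO", "syscalls": [
  {"name": "read", "action": "SCMP_ACT_ALLOW", "args": []},
  {"name": "clone", "action": "SCMP_ACT_ALLOW", "args": []},
  {"name": "modify_ldt", "action": "SCMP_ACT_ALLOW", "args": []}]}""")
NEW = json.loads("""{"defaultAction": "SCMP_ACT_ERRNO", "syscalls": [
  {"names": ["read", "statx"], "action": "SCMP_ACT_ALLOW", "args": []},
  {"names": ["clone"], "action": "SCMP_ACT_ALLOW", "args": [],
   "excludes": {"caps": ["CAP_SYS_ADMIN"]}}]}""")

if __name__ == "__main__":
    # Usage: script.py old-default.json new-default.json (falls back to the samples)
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f_old, open(sys.argv[2]) as f_new:
            old, new = json.load(f_old), json.load(f_new)
    else:
        old, new = OLD, NEW
    print(json.dumps(diff_profiles(old, new), indent=2))
```

Syscalls listed under only_in_old or now_conditional are the first candidates to check against strace output from the failing host.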