Unable to launch docker container with custom seccomp profile

Question

Unable to initiate docker container with a custom seccomp profile using JSON. Getting below error.

sudo docker run --name=alpin1effcon1t -it 453135d09376 --security-opt seccomp:chrome.json
docker: Error response from daemon: OCI runtime create failed: container_linux.go:380: starting container process caused: exec: "--security-opt": executable file not found in $PATH: unknown.
ERRO[0000] error waiting for container: context canceled

We have tried this on various docker platforms like Docker Desktop-WSL, Docker playgrounds and Amazon Linux based EC2. Same error.

Docker info on EC2

grep SECCOMP /boot/config-$(uname -r)
CONFIG_HAVE_ARCH_SECCOMP=y
CONFIG_HAVE_ARCH_SECCOMP_FILTER=y
CONFIG_SECCOMP=y
CONFIG_SECCOMP_FILTER=y

Security Options:
  seccomp
   Profile: default
 Kernel Version: 5.10.75-79.358.amzn2.x86_64
 Operating System: Amazon Linux 2

score 2 · Accepted Answer · answered Jan 04 '22 at 08:33

The proper syntax for docker run is:

docker run [OPTIONS] IMAGE[:TAG|@DIGEST] [COMMAND] [ARG...]

This means that after the image name/id you specify the command with the arguments you want to execute after the container starts. In other words you override the CMD specified in the Dockerfile.

In your example, you are telling docker to execute --security-opt seccomp:chrome.json at container startup. And --security-opt seccomp:chrome.json is not a proper linux command (It is not found in the dirs in $PATH.

With that said, what you should do is swap the order of --security-opt and the image id. Because --security-opt is a docker run option.

sudo docker run --name=alpin1effcon1t -it --security-opt seccomp:chrome.json 453135d09376

Unable to launch docker container with custom seccomp profile

1 Answers1