Here's the version I have installed and 'docker info':
ubuntu@ubuntu-yakkety:~$ dpkg -s docker.io
Package: docker.io
Status: install ok installed
Priority: optional
Section: admin
Installed-Size: 77442
Maintainer: Ubuntu Developers <email address hidden>
Architecture: amd64
Version: 1.12.1-0ubuntu15
Replaces: docker (<< 1.5~)
Depends: adduser, containerd (>= 0.2.3~), iptables, runc (>= 1.0.0~rc1~), init-system-helpers (>= 1.18~), libapparmor1 (>= 2.6~devel), libc6 (>= 2.14), libdevmapper1.02.1 (>= 2:1.02.97)
Recommends: ca-certificates, cgroupfs-mount | cgroup-lite, git, ubuntu-fan, xz-utils, apparmor
Suggests: aufs-tools, btrfs-tools, debootstrap, docker-doc, rinse, zfs-fuse | zfsutils
Breaks: docker (<< 1.5~)
Conffiles:
/etc/default/docker 4ed438ab743c3abef1a1006fa57b05cd
/etc/init.d/docker 73e254995b37e21ac3b63825a3b28704
/etc/init/docker.conf 8ce66c020d5e129a177a87e0c504439c
Description: Linux container runtime
Docker complements kernel namespacing with a high-level API which operates at
the process level. It runs unix processes with strong guarantees of isolation
and repeatability across servers.
.
Docker is a great building block for automating distributed systems:
large-scale web deployments, database clusters, continuous deployment systems,
private PaaS, service-oriented architectures, etc.
.
This package contains the daemon and client. Using docker.io on non-amd64 hosts
is not supported at this time. Please be careful when using it on anything
besides amd64.
.
Also, note that kernel version 3.8 or above is required for proper operation of
the daemon process, and that any lower versions may have subtle and/or glaring
issues.
Built-Using: glibc (= 2.24-3ubuntu1), golang-1.6 (= 1.6.3-1ubuntu1)
Homepage: https://dockerproject.org
Original-Maintainer: Paul Tagliamonte <email address hidden>
ubuntu@ubuntu-yakkety:~$ docker info
Cannot connect to the Docker daemon. Is the docker daemon running on this host?
ubuntu@ubuntu-yakkety:~$ sudo docker info
Containers: 0
Running: 0
Paused: 0
Stopped: 0
Images: 0
Server Version: 1.12.1
Storage Driver: overlay
Backing Filesystem: extfs
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
Volume: local
Network: host bridge overlay null
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Security Options: apparmor
Kernel Version: 4.8.0-26-generic
Operating System: Ubuntu 16.10
OSType: linux
Architecture: x86_64
CPUs: 2
Total Memory: 991.7 MiB
Name: ubuntu-yakkety
ID: G6JA:MD2U:CD45:5DC3:DFZ3:GUNY:IDH7:HYP5:C4J5:TOSZ:ZFE4:ZK6K
Docker Root Dir: /var/lib/docker
Debug Mode (client): false
Debug Mode (server): false
Registry: https://index.docker.io/v1/
WARNING: No swap limit support
Insecure Registries:
127.0.0.0/8
Here's what happens if I try to specify a seccomp profile:
ubuntu@ubuntu-yakkety:~$ curl -L -O https://raw.githubusercontent.com/docker/docker/master/profiles/seccomp/default.json
% Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed
100 10755 100 10755 0 0 5517 0 0:00:01 0:00:01 --:--:-- 5515
(failed reverse-i-search)`sudo docker run b': ^Cdo docker info
ubuntu@ubuntu-yakkety:~$ sudo docker run -it --security-opt seccomp=default.json ubuntu -i /bin/bash
Unable to find image 'ubuntu:latest' locally
latest: Pulling from library/ubuntu
6bbedd9b76a4: Pull complete
fc19d60a83f1: Pull complete
de413bb911fd: Pull complete
2879a7ad3144: Pull complete
668604fde02e: Pull complete
Digest: sha256:2d44ae143feeb36f4c898d32ed2ab2dffeb3a573d2d8928646dfc9cb7deb1315
Status: Downloaded newer image for ubuntu:latest
docker: Error response from daemon: linux seccomp: seccomp profiles are not supported on this daemon, you cannot specify a custom seccomp profile.
ubuntu@ubuntu-yakkety:~$
You can find documentation about /proc/self/status here: https://www.kernel.org/doc/Documentation/filesystems/proc.txt
The relevant part is:
Seccomp seccomp mode, like prctl(PR_GET_SECCOMP, ...)
'man 2 prctl' (http://man7.org/linux/man-pages/man2/prctl.2.html) says
PR_SET_SECCOMP (since Linux 2.6.23)
Set the secure computing (seccomp) mode for the calling thread, to limit the available system calls. The more recent seccomp(2) system call provides a superset of the functionality of PR_SET_SECCOMP.
The seccomp mode is selected via arg2. (The seccomp constants are defined in <linux/seccomp.h>.)
With arg2 set to SECCOMP_MODE_STRICT, the only system calls that the thread is permitted to make are read(2), write(2), _exit(2) (but not exit_group(2)), and sigreturn(2). Other system calls result in the delivery of a SIGKILL signal. Strict secure computing mode is useful for number-crunching applications that may need to execute untrusted byte code, perhaps obtained by reading from a pipe or socket. This operation is available only if the kernel is configured with CONFIG_SECCOMP enabled.
With arg2 set to SECCOMP_MODE_FILTER (since Linux 3.5), the system calls allowed are defined by a pointer to a Berkeley Packet Filter passed in arg3. This argument is a pointer to struct sock_fprog; it can be designed to filter arbitrary system calls and system call arguments. This mode is available only if the kernel is configured with CONFIG_SECCOMP_FILTER enabled.
If SECCOMP_MODE_FILTER filters permit fork(2), then the seccomp mode is inherited by children created by fork(2); if execve(2) is permitted, then the seccomp mode is preserved across execve(2). If the filters permit prctl() calls, then additional filters can be added; they are run in order until the first non-allow result is seen.
For further information, see the kernel source file Documentation/prctl/seccomp_filter.txt.