
How to Use AppArmor with Docker for Container Security

To use AppArmor with Docker, specify an AppArmor profile when running a container using the --security-opt apparmor=PROFILE_NAME option. Docker applies the profile to restrict container actions, improving security.

Syntax

The basic syntax to run a Docker container with an AppArmor profile is:

bash
docker run --security-opt apparmor=PROFILE_NAME IMAGE COMMAND

Here:

  • --security-opt apparmor=PROFILE_NAME tells Docker to apply the specified AppArmor profile.
  • IMAGE is the Docker image you want to run.
  • COMMAND is the command to execute inside the container.

Example

This example runs an Ubuntu container with the default Docker AppArmor profile named docker-default. It shows how to specify the profile and run a simple command.

bash
docker run --rm --security-opt apparmor=docker-default ubuntu echo "Hello from AppArmor-secured container"
Output
Hello from AppArmor-secured container

Common Pitfalls

Common mistakes when using AppArmor with Docker include:

  • Using a profile name that does not exist on the host, causing Docker to fail to start the container.
  • Not having AppArmor enabled or supported on the host system, so profiles have no effect.
  • Assuming AppArmor profiles are applied automatically without specifying --security-opt.

Always verify the profile exists with sudo aa-status and that AppArmor is enabled on your Linux host.

bash
docker run --rm --security-opt apparmor=nonexistent-profile ubuntu echo "Test"
# This will fail with an error about the profile not found

# Correct usage:
docker run --rm --security-opt apparmor=docker-default ubuntu echo "Test"
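An added example that is not part of the original article: a small shell wrapper that performs the checks this section recommends, before the container starts (AppArmor enabled, profile present in the aa-status output) and after it exits (the profile Docker recorded for the container). It assumes a Linux host with docker and aa-status available; the function names and the RUN_DEMO switch are this example's own.

```sh
#!/bin/sh
# Added example, not from the original article. Preflight checks for the procedure
# above: confirm AppArmor is enabled, confirm the profile is loaded (parsing the
# same `sudo aa-status` output the article recommends), run the container with
# --security-opt, then confirm via `docker inspect` that the profile was applied.
# Assumes a Linux host with docker and aa-status installed; the function names
# and the RUN_DEMO switch are this example's own.
set -eu

# Returns 0 when the kernel reports AppArmor enabled, 1 otherwise.
apparmor_enabled() {
    [ "$(cat /sys/module/apparmor/parameters/enabled 2>/dev/null)" = "Y" ]
}

# Returns 0 when PROFILE is listed as a loaded profile in STATUS_TEXT (aa-status
# output). Loaded profiles appear one per line, indented; process lines carry a
# "(pid)" suffix and therefore never match an exact profile name.
profile_loaded_in() {
    profile="$1"
    status_text="$2"
    printf '%s\n' "$status_text" | sed 's/^[[:space:]]*//' | grep -qxF -- "$profile"
}

# Runs IMAGE with COMMAND... under PROFILE and verifies the applied profile.
# Returns non-zero if any precondition fails or the profile was not applied.
run_confined() {
    profile="$1"; image="$2"; shift 2
    apparmor_enabled || { echo "AppArmor is not enabled on this host" >&2; return 1; }
    profile_loaded_in "$profile" "$(sudo aa-status)" \
        || { echo "profile '$profile' is not loaded; check: sudo aa-status" >&2; return 1; }
    name="apparmor-demo-$$"
    docker run --name "$name" --security-opt "apparmor=$profile" "$image" "$@"
    # Docker records the profile it asked the kernel to apply on the container.
    applied=$(docker inspect -f '{{ .AppArmorProfile }}' "$name")
    docker rm "$name" >/dev/null
    [ "$applied" = "$profile" ] || { echo "expected $profile, got '$applied'" >&2; return 1; }
    echo "container ran under AppArmor profile: $applied"
}

# Run the demo only when explicitly asked, so the functions can be sourced safely.
# Inside the container, /proc/self/attr/current shows "docker-default (enforce)".
if [ "${RUN_DEMO:-0}" = 1 ]; then
    run_confined docker-default ubuntu cat /proc/self/attr/current
fi
```

Save the block as a script and run it with RUN_DEMO=1; the container's command prints the profile the kernel confined it under.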

Quick Reference

Option                                  Description
--security-opt apparmor=PROFILE_NAME    Apply the specified AppArmor profile to the container
docker-default                          Default AppArmor profile provided by Docker
sudo aa-status                          Check loaded AppArmor profiles on the host
AppArmor enabled                        Ensure AppArmor is active on the Linux host for profiles to work

Key Takeaways

  • Use --security-opt apparmor=PROFILE_NAME to apply AppArmor profiles to Docker containers.
  • Verify the AppArmor profile exists on the host with sudo aa-status before using it.
  • AppArmor must be enabled on the Linux host for Docker profiles to have effect.
  • The default Docker profile is docker-default and can be used for basic confinement.
  • Incorrect profile names cause container startup failures.