
How to Use Seccomp in Docker for Container Security

Use the --security-opt seccomp= flag with docker run to apply a seccomp profile that restricts which system calls processes inside the container may make. You can rely on Docker's default profile (applied automatically when no profile is given), supply a custom JSON profile, or disable filtering by setting it to unconfined. A custom profile replaces the default profile rather than extending it, so anything the default blocked must be blocked again in your own file.

Syntax

The basic syntax to use seccomp in Docker is:

  • docker run --security-opt seccomp=PATH_TO_PROFILE.json IMAGE: Runs a container with a custom seccomp profile read from the given JSON file.
  • docker run --security-opt seccomp=unconfined IMAGE: Runs a container with no seccomp filter at all (--privileged has the same effect, among others).
  • docker run IMAGE: Runs a container with Docker's default seccomp profile, provided the host kernel and daemon support seccomp (docker info lists it under Security Options).

The --security-opt seccomp= option controls the seccomp profile applied to the container.

bash
docker run --security-opt seccomp=PATH_TO_PROFILE.json IMAGE

docker run --security-opt seccomp=unconfined IMAGE

docker run IMAGE

Example

This example runs an Alpine Linux container with a custom seccomp profile that makes the mkdir system call fail with EPERM, so directory creation inside the container fails. The profile also lists mkdirat: on arm64 hosts the legacy mkdir syscall does not exist and musl's mkdir() calls mkdirat instead, so blocking mkdir alone would have no effect there. Because defaultAction is SCMP_ACT_ALLOW, every other syscall is permitted; this profile replaces Docker's default profile rather than adding to it, so apart from mkdir it is weaker than running with no option at all.

json
{
  "defaultAction": "SCMP_ACT_ALLOW",
  "syscalls": [
    {
      "names": ["mkdir", "mkdirat"],
      "action": "SCMP_ACT_ERRNO"
    }
  ]
}

bash
# Save the profile above as block-mkdir.json, then run a container with it
docker run --rm -it --security-opt seccomp=block-mkdir.json alpine sh

# Inside the container, try to create a directory
mkdir testdir

# SCMP_ACT_ERRNO returns EPERM unless errnoRet says otherwise, so mkdir
# reports "Operation not permitted"
Output
mkdir: can't create directory 'testdir': Operation not permitted
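The profile above is allow-by-default, which throws away everything Docker's default profile blocks. The safer pattern is to start from a deny-by-default base and carve out what you need. The following is an added example (not code from the article, from Docker or from Moby) that builds such a profile and checks it for the mistakes the rest of this page warns about: it removes the target syscalls from every allow rule, adds an explicit SCMP_ACT_ERRNO rule with a chosen errnoRet, and flags profiles that are structurally invalid, that list the same syscall under two actions, or that are allow-by-default. BASE_PROFILE is a constructed miniature with the same shape as Docker's real default profile (profiles/seccomp/default.json in the moby repository); in practice load that file instead.

```python
"""Build a hardened custom seccomp profile from a deny-by-default base.

Added example, not code from the original article or from Docker/Moby.
BASE_PROFILE is a constructed miniature of Docker's default profile shape:
everything not listed is denied with EPERM, one rule allows a few syscalls.
"""
import copy
import errno
import json

# Constructed miniature of a default-style profile (assumption: the real one
# has the same keys but hundreds of allowed syscalls).
BASE_PROFILE = {
    "defaultAction": "SCMP_ACT_ERRNO",
    "defaultErrnoRet": errno.EPERM,
    "archMap": [{"architecture": "SCMP_ARCH_X86_64",
                 "subArchitectures": ["SCMP_ARCH_X86", "SCMP_ARCH_X32"]}],
    "syscalls": [
        {"names": ["read", "write", "mkdir", "mkdirat", "openat", "exit_group"],
         "action": "SCMP_ACT_ALLOW"},
    ],
}

VALID_ACTIONS = {"SCMP_ACT_ALLOW", "SCMP_ACT_ERRNO", "SCMP_ACT_KILL",
                 "SCMP_ACT_KILL_PROCESS", "SCMP_ACT_TRAP", "SCMP_ACT_TRACE",
                 "SCMP_ACT_LOG"}


def deny_syscalls(profile, names, errno_ret=errno.EPERM):
    """Return a copy of *profile* in which every syscall in *names* is denied.

    The names are stripped from every SCMP_ACT_ALLOW rule first, so the
    result never lists one syscall under two different actions; then one
    explicit SCMP_ACT_ERRNO rule with the chosen errnoRet is put in front so
    the denial is visible and the errno is under our control even if someone
    later flips defaultAction to SCMP_ACT_ALLOW while debugging.
    """
    new = copy.deepcopy(profile)
    wanted = set(names)
    kept = []
    for rule in new["syscalls"]:
        if rule["action"] == "SCMP_ACT_ALLOW":
            rule["names"] = [n for n in rule["names"] if n not in wanted]
            if not rule["names"]:
                continue  # an allow rule with nothing left in it is dropped
        kept.append(rule)
    deny_rule = {"names": sorted(wanted), "action": "SCMP_ACT_ERRNO",
                 "errnoRet": errno_ret}
    new["syscalls"] = [deny_rule] + kept
    return new


def allowed(profile, name):
    """True if *name* would be permitted: an explicit rule wins, else defaultAction."""
    for rule in profile["syscalls"]:
        if name in rule["names"]:
            return rule["action"] == "SCMP_ACT_ALLOW"
    return profile["defaultAction"] == "SCMP_ACT_ALLOW"


def validate_profile(profile):
    """Return a list of problems; an empty list means the profile is usable.

    'error:' entries are things the daemon would reject or that make the
    filter ambiguous; 'warning:' marks an allow-by-default profile, which
    is valid but gives up everything Docker's default profile blocks.
    """
    problems = []
    action = profile.get("defaultAction")
    if action not in VALID_ACTIONS:
        problems.append("error: defaultAction missing or unknown")
    elif action == "SCMP_ACT_ALLOW":
        problems.append("warning: defaultAction is SCMP_ACT_ALLOW, profile "
                        "drops the protections of Docker's default profile")
    seen = {}
    for i, rule in enumerate(profile.get("syscalls", [])):
        names = rule.get("names")
        if not isinstance(names, list) or not names:
            problems.append(f"error: rule {i}: 'names' must be a non-empty list")
            names = []
        if rule.get("action") not in VALID_ACTIONS:
            problems.append(f"error: rule {i}: unknown action {rule.get('action')!r}")
        for n in names:
            prev = seen.setdefault(n, rule.get("action"))
            if prev != rule.get("action"):
                problems.append(f"error: {n} listed with both {prev} and {rule.get('action')}")
    return problems


def write_profile(profile, path):
    """Serialise the profile as the JSON file docker run expects."""
    with open(path, "w") as fh:
        json.dump(profile, fh, indent=2)
    return path


if __name__ == "__main__":
    hardened = deny_syscalls(BASE_PROFILE, ["mkdir", "mkdirat"], errno.EACCES)
    assert validate_profile(hardened) == []
    write_profile(hardened, "block-mkdir.json")
    print("docker run --rm -it --security-opt seccomp=block-mkdir.json alpine sh")
```

Running the script writes block-mkdir.json and prints the docker run line to use with it. With errnoRet set to EACCES instead of the default EPERM, mkdir inside the container reports "Permission denied", which is handy when you want the application to see the same error it would get from a read-only filesystem.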

Common Pitfalls

  • Using invalid JSON profiles: A profile must be valid JSON with a defaultAction and, for each rule, a non-empty names list and an action. If the daemon cannot parse the file, docker run fails before the container starts.
  • Blocking essential syscalls: Blocking a system call the workload needs makes the container fail at start or misbehave later in hard-to-diagnose ways, typically as an unexpected EPERM from some library call. To see which syscalls a workload actually makes, run it once with --security-opt seccomp=unconfined under strace and derive the profile from that.
  • Starting from SCMP_ACT_ALLOW: A custom profile replaces Docker's default profile entirely, so an allow-by-default profile that denies a few syscalls gives up every protection the default provides (for example its denial of mount, reboot, kexec_load and keyctl). Start from a copy of the default profile (profiles/seccomp/default.json in the moby repository) and remove or deny syscalls from that.
  • Forgetting to specify the profile: If you want to disable seccomp, you must explicitly set seccomp=unconfined; otherwise Docker applies the default profile. The reverse also holds: --privileged disables seccomp along with the other default protections, so a privileged container has no filter even if you never asked for unconfined.
  • Not testing profiles: Always test custom profiles in a safe environment before production, on every CPU architecture you deploy to, since the same C library call can map to different syscalls (mkdir on x86_64, mkdirat on arm64).
bash
docker run --security-opt seccomp=invalid.json alpine
# Error: invalid seccomp profile

# Correct usage
# docker run --security-opt seccomp=valid-profile.json alpine
Output
docker: Error response from daemon: invalid seccomp profile: invalid.json.

Quick Reference

Option                              Description                               Example
--security-opt seccomp=PATH         Use a custom seccomp profile JSON file    docker run --security-opt seccomp=profile.json alpine
--security-opt seccomp=unconfined   Disable seccomp filtering                 docker run --security-opt seccomp=unconfined alpine
(no option)                         Use Docker's default seccomp profile      docker run alpine

Key Takeaways

  • Use --security-opt seccomp=PATH to apply a custom seccomp profile to a container.
  • Docker applies its default seccomp profile when none is specified; a custom profile replaces that default rather than extending it.
  • Set --security-opt seccomp=unconfined to disable seccomp filtering when you must, and remember that --privileged disables it too.
  • Always validate and test seccomp JSON profiles, on every target architecture, to avoid container failures.
  • Blocking critical system calls can break container functionality; start from the default profile and customize carefully.