I have a dilemma and someone with a bit more experience might be able to smack me straight.
If I run my apps the traditional way (without containerizing them) I can run AppArmor to help protect my services like php-fpm and I don’t have to give virtual server users sudo privileges.
However, if I run Docker-Rootless, according to documentation the “rootless” version of docker doesn’t support AppArmor, SELinux, etc. and I have to add the virtual server user to the “docker” group, which itself has root privileges.
Overall, docker containers are supposed to be super secure… and docker / podman / devops is clearly the future of everything. I’d rather install all of my apps using docker containers so as to eliminate the headache of test / prod functional problems of applications…
However, I am worried that without AppArmor, and by adding virtual server users to the docker group, I would be foolishly trading security for convenience.
How safe is it to run docker-rootless on production servers?
Or am I misunderstanding something… and I can still run AppArmor in conjunction with docker-rootless?
The following thread on GitHub may be of interest to you, and perhaps you can share your experiences there as they seem to be covering your issue regarding “Rootless-Docker” and “AppArmor”.
@tpnsolutions
Thanks for the lead… I will check it out. While I am here, I want to accept a little egg on my face and correct an earlier statement.
The above is incorrect. If anyone is interested, you can install the docker-rootless daemon as a non-sudo user and install docker-compose without adding the non-sudo user to a docker group. The installation is a little tricky because apparently no one in the world runs rootless docker on Ubuntu except me…
If anyone is interested, I tinkered 'til I got it…
First install the docker-rootless daemon according to documentation, very easy.
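The steps below are an added example of the rootless setup described in this thread, not the poster's own script. It assumes an Ubuntu host where an admin has already installed the `docker-ce-rootless-extras` package (which provides `dockerd-rootless-setuptool.sh`) and `uidmap`, and that the unprivileged account has been given a `/etc/subuid` and `/etc/subgid` range. The function and variable names are my own; the compose download URL follows the public GitHub release naming for Compose v2 CLI plugins.

```shell
#!/bin/sh
# Rootless Docker + Compose for an unprivileged account (added example).
# The point of the checks: the account must NOT be in the docker group,
# and everything lands under $HOME, so no sudo is involved at any step.
set -eu

# Socket a rootless dockerd listens on; the CLI reaches it through DOCKER_HOST.
rootless_docker_host() {
    printf 'unix://%s/docker.sock\n' "${XDG_RUNTIME_DIR:-/run/user/$(id -u)}"
}

# Compose v2 is a CLI plugin; a per-user plugin dir needs no root at all.
compose_plugin_path() {
    printf '%s/.docker/cli-plugins/docker-compose\n' "$HOME"
}

# Returns 0 when the caller is NOT in the docker group (the state we want:
# membership in that group is equivalent to root on the rootful daemon).
not_in_docker_group() {
    for g in $(id -nG); do
        [ "$g" = docker ] && return 1
    done
    return 0
}

# Rootless mode maps container uids onto a subordinate range of this account.
has_subid_range() {
    user=${1:-$(id -un)}
    grep -q "^$user:" /etc/subuid && grep -q "^$user:" /etc/subgid
}

# Lines to append to ~/.bashrc so every login shell talks to the rootless daemon.
print_env_snippet() {
    cat <<EOF
export PATH=$HOME/bin:\$PATH
export DOCKER_HOST=$(rootless_docker_host)
EOF
}

install_rootless() {
    not_in_docker_group || { echo "leave the docker group first; rootless mode does not need it" >&2; return 1; }
    has_subid_range || { echo "no /etc/subuid and /etc/subgid entry; an admin must add one (usermod --add-subuids/--add-subgids)" >&2; return 1; }
    command -v dockerd-rootless-setuptool.sh >/dev/null 2>&1 \
        || { echo "docker-ce-rootless-extras is not installed" >&2; return 1; }

    # Step 1 from the post: the setuptool installs and starts a systemd --user unit.
    dockerd-rootless-setuptool.sh install

    # Step 2: compose as a user-private CLI plugin (asset names are lowercase OS + arch).
    plugin=$(compose_plugin_path)
    mkdir -p "$(dirname "$plugin")"
    os=$(uname -s | tr '[:upper:]' '[:lower:]')
    curl -fsSL "https://github.com/docker/compose/releases/latest/download/docker-compose-${os}-$(uname -m)" -o "$plugin"
    chmod 0755 "$plugin"

    # Step 3: persist DOCKER_HOST for future logins.
    print_env_snippet >> "$HOME/.bashrc"
    echo "done: run 'docker context ls' and 'docker compose version' in a new shell"
}

# Only act when explicitly asked; sourcing or sanity-checking the file does nothing.
case "${1:-}" in
    install) install_rootless ;;
    check)
        not_in_docker_group && echo "not in docker group: ok"
        has_subid_range && echo "subuid/subgid range present: ok"
        echo "DOCKER_HOST would be $(rootless_docker_host)"
        ;;
esac
```

Run `sh rootless-setup.sh check` first, then `sh rootless-setup.sh install`. One extra step from the Docker rootless documentation that this script deliberately leaves to the admin: `loginctl enable-linger <user>`, so the user's daemon keeps running after the account logs out; without it, containers stop with the session.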