Which Php-FPM is more secure? Rootless Docker Vs. AppArmor

Here, I go again… asking about security… :face_with_monocle:

I have a dilemma and someone with a bit more experience might be able to smack me straight.

If I run my apps the traditional way (without containerizing them) I can run AppArmor to help protect my services like php-fpm and I don’t have to give virtual server users sudo privileges.

However, if I run Docker-Rootless, according to documentation the “rootless” version of docker doesn’t support AppArmor, SELinux, etc. and I have to add the virtual server user to the “docker” group, which itself has root privileges.

Overall, docker containers are supposed to be super secure… and docker / podman / devops is clearly the future of everything. I’d rather install all of my apps using docker containers so as to eliminate the headache of test / prod functional problems of applications…

However, I am worried that without AppArmor and with adding virtual server users to the docker group, I would be foolishly trading security for convenience.

How safe is it to run docker-rootless on production servers?

Or am I misunderstanding something… and I can still run AppArmor in conjunction with docker-rootless?


The following thread on GitHub may be of interest to you, and perhaps you can share your experiences there as they seem to be covering your issue regarding “Rootless-Docker” and “AppArmor”.

Thanks for the lead… I will check it out. While I am here, I want to accept a little egg on my face and correct an earlier statement.

The above is incorrect. If anyone is interested you can install the docker-rootless daemon as a non-sudo user and install docker-compose -without- adding the non-sudo user to a docker group. The installation is a little tricky because apparently no one in the world runs rootless docker on ubuntu except me… :hushed:

If anyone is interested, I tinkered 'til I got it…

First install the docker-rootless daemon according to documentation, very easy.

Then install docker compose:

mkdir -p ~/.docker/cli-plugins/
curl -SL https://github.com/docker/compose/releases/download/v2.2.3/docker-compose-linux-x86_64 -o ~/.docker/cli-plugins/docker-compose
chmod +x ~/.docker/cli-plugins/docker-compose

And verify successful installation with:

$ docker compose version
Docker Compose version v2.2.3

Whatever you do… DO NOT USE $ docker-compose up -d; you will get errors. You should use docker compose up -d if you are running version 2 or greater.

Also, be sure to add this to your non-sudo user’s .bashrc:

export PATH=/usr/bin:$PATH
export DOCKER_HOST=unix:///run/user/xxx/docker.sock
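The setup described in the last post (Compose as a CLI plugin under ~/.docker/cli-plugins, DOCKER_HOST pointing at the per-user socket under /run/user/<uid>, and no membership in the docker group) can be derived and checked with a small POSIX sh helper. This is an added example, not code from the thread or from the Docker project; the function names are my own, and the socket path convention and plugin directory are the ones the post above and the rootless Docker documentation describe.

```shell
#!/bin/sh
# Added example: derive and sanity-check a rootless Docker + Compose setup
# for the current non-sudo user. Function names are hypothetical.

# The rootless daemon listens on /run/user/<uid>/docker.sock; build the
# DOCKER_HOST value for a given uid (default: the caller's uid).
rootless_docker_host() {
    uid="${1:-$(id -u)}"
    printf 'unix:///run/user/%s/docker.sock\n' "$uid"
}

# Location where `docker compose` (v2 CLI plugin) expects the binary.
compose_plugin_path() {
    printf '%s/.docker/cli-plugins/docker-compose\n' "$HOME"
}

# Return 0 when the user is NOT in the docker group. With rootless Docker
# that membership is unnecessary, and it would hand the user root-equivalent
# access to a root-owned daemon socket if one exists on the host.
not_in_docker_group() {
    user="${1:-$(id -un)}"
    groups="$(id -nG "$user" 2>/dev/null || echo "")"
    for g in $groups; do
        [ "$g" = "docker" ] && return 1
    done
    return 0
}

# Write the two exports recommended above to a file that can be sourced
# from .bashrc (the file path is supplied by the caller).
write_env_snippet() {
    out="$1"
    uid="${2:-$(id -u)}"
    {
        echo 'export PATH=/usr/bin:$PATH'
        echo "export DOCKER_HOST=$(rootless_docker_host "$uid")"
    } > "$out"
}

# Check that the per-user socket exists, is a socket, and is writable by
# the caller (i.e. the rootless daemon is running for this user).
rootless_socket_ok() {
    sock="/run/user/$(id -u)/docker.sock"
    [ -S "$sock" ] && [ -w "$sock" ]
}

# Report which Compose invocation to use: the v2 plugin form if the plugin
# is installed and executable, otherwise a message that it is missing.
compose_command() {
    if [ -x "$(compose_plugin_path)" ]; then
        echo "docker compose"
    else
        echo "compose plugin missing at $(compose_plugin_path)"
    fi
}

# Stand-alone run: print a short status report.
if [ "${0##*/}" = "rootless_check.sh" ]; then
    echo "DOCKER_HOST should be: $(rootless_docker_host)"
    not_in_docker_group && echo "ok: not in docker group" || echo "warning: in docker group"
    rootless_socket_ok && echo "ok: rootless socket present" || echo "warning: rootless socket not found"
    echo "use: $(compose_command)"
fi
```

Save it as rootless_check.sh and run it as the non-sudo user after the daemon is started; the "in docker group" warning is the condition the original post was worried about, and with a working rootless setup it should not fire.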