compose-spec
Support inline security profiles
What is the problem you're trying to solve
When running a container which requires a custom (seccomp) security profile, this needs to be stored in a separate file. It would be nice if this could be stored as part of the docker-compose.yml like all other container runtime configuration.
Describe the solution you'd like

The profile should probably be in a shared section so it can be reused, similar to volumes:
```yaml
...
    security_opt:
      - "seccomp=custom"

seccomp_profiles:
  custom: |
    {
      "defaultAction": "SCMP_ACT_ERRNO",
      "syscalls": [
        {
          "name": "accept",
          "action": "SCMP_ACT_ALLOW",
          "args": null
        },
        ...
      ]
    }
```
Maybe we can make this much more generic, and basically add a generic "config file storage":
```yaml
...
    security_opt:
      - "seccomp=my-seccomp-profile.json"

files:
  name: my-seccomp-profile.json
  content: |
    {
      "defaultAction": "SCMP_ACT_ERRNO",
```
Additional context
I think this would also allow using seccomp profiles when accessing Docker remotely: https://github.com/docker/compose/issues/2813
I am in favour of a general generic section, although I would make it accessible via key rather than filename. That is what happens a lot in the Puppet or config management world:
Sample:
```yaml
...
    security_opt:
      - "seccomp=my-seccomp-profile"

files:
  my-seccomp-profile: |
    {
      "defaultAction": "SCMP_ACT_ERRNO",
      "syscalls": [
        {
          "name": "accept",
          "action": "SCMP_ACT_ALLOW",
          "args": null
        },
        ...
      ]
    }
```
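Both variants in this thread (the `seccomp_profiles` section in the original post and the keyed `files` section in the comment above) can be prototyped today without a spec change, because Compose ignores top-level `x-` extension keys. The following is an added example, not code from compose-spec or from Compose itself: a small Python preprocessor that reads profiles from an assumed `x-seccomp-profiles` key (the `x-` prefix is the spec's extension mechanism; the key name is made up here), validates their structure, writes each to a file, and rewrites `seccomp=<name>` entries in `security_opt` to point at those files. `render`, `validate_profile`, `EXTENSION_KEY` and `SAMPLE_COMPOSE` are names chosen for this example, and the sample document is constructed.

```python
"""Materialise inline seccomp profiles from a Compose document.

Added example, not code from compose-spec or docker compose. It assumes a
hypothetical `x-seccomp-profiles` extension key (Compose ignores `x-` keys,
so the file stays loadable), keyed by profile name as suggested above, and
rewrites `seccomp=<name>` / `seccomp:<name>` entries in `security_opt` to
point at files written to disk.
"""
import copy
import json
import os
import re
import tempfile

# Action names from the OCI runtime-spec / Docker seccomp profile format.
SECCOMP_ACTIONS = {
    "SCMP_ACT_KILL", "SCMP_ACT_KILL_PROCESS", "SCMP_ACT_KILL_THREAD",
    "SCMP_ACT_TRAP", "SCMP_ACT_ERRNO", "SCMP_ACT_TRACE", "SCMP_ACT_LOG",
    "SCMP_ACT_ALLOW", "SCMP_ACT_NOTIFY",
}
EXTENSION_KEY = "x-seccomp-profiles"  # assumed name, not part of the spec


def validate_profile(profile):
    """Structural checks before the profile reaches the runtime.

    Accepts both the current `names` list and the legacy `name` string used
    in the profiles quoted in this issue. Raises ValueError on problems.
    """
    if not isinstance(profile, dict):
        raise ValueError("seccomp profile must be a JSON object")
    if profile.get("defaultAction") not in SECCOMP_ACTIONS:
        raise ValueError(f"invalid defaultAction {profile.get('defaultAction')!r}")
    for i, rule in enumerate(profile.get("syscalls", [])):
        names = rule.get("names")
        if names is None and "name" in rule:
            names = [rule["name"]]
        if not isinstance(names, list) or not names:
            raise ValueError(f"syscalls[{i}] needs a non-empty 'names' list")
        if rule.get("action") not in SECCOMP_ACTIONS:
            raise ValueError(f"syscalls[{i}] has invalid action {rule.get('action')!r}")
    return True


def render(compose, out_dir=None):
    """Write each inline profile to out_dir; return (rendered_doc, rendered_path).

    The rendered document is plain Compose (extension key removed, profile
    references replaced by absolute paths) and is written as JSON, which is
    valid YAML, so `docker compose -f <rendered_path> up` can consume it.
    """
    out_dir = out_dir or tempfile.mkdtemp(prefix="compose-seccomp-")
    os.makedirs(out_dir, exist_ok=True)
    paths = {}
    for name, body in compose.get(EXTENSION_KEY, {}).items():
        # Profile keys become file names, so refuse anything path-like.
        if not re.fullmatch(r"[A-Za-z0-9_.-]+", name):
            raise ValueError(f"profile name {name!r} is not a safe file name")
        profile = json.loads(body) if isinstance(body, str) else body
        validate_profile(profile)
        path = os.path.abspath(os.path.join(out_dir, f"{name}.seccomp.json"))
        with open(path, "w", encoding="utf-8") as fh:
            json.dump(profile, fh, indent=2)
        paths[name] = path

    rendered = copy.deepcopy(compose)
    rendered.pop(EXTENSION_KEY, None)
    for svc_name, svc in rendered.get("services", {}).items():
        resolved = []
        for opt in svc.get("security_opt", []):
            # Docker accepts both separators; keep whichever the file used.
            for prefix in ("seccomp=", "seccomp:"):
                if opt.startswith(prefix):
                    ref = opt[len(prefix):]
                    if ref in paths:
                        opt = prefix + paths[ref]
                    elif ref != "unconfined" and not os.path.isfile(ref):
                        raise ValueError(f"{svc_name}: unknown seccomp profile {ref!r}")
                    break
            resolved.append(opt)
        if resolved:
            svc["security_opt"] = resolved

    rendered_path = os.path.join(out_dir, "compose.rendered.json")
    with open(rendered_path, "w", encoding="utf-8") as fh:
        json.dump(rendered, fh, indent=2)
    return rendered, rendered_path


# Constructed sample (not from the page). In YAML the profile would be a `|`
# block scalar, which is why the value here is a JSON string.
SAMPLE_COMPOSE = {
    "services": {
        "web": {
            "image": "nginx:alpine",
            "security_opt": ["seccomp=custom", "no-new-privileges:true"],
        }
    },
    EXTENSION_KEY: {
        "custom": json.dumps({
            "defaultAction": "SCMP_ACT_ERRNO",
            "architectures": ["SCMP_ARCH_X86_64"],
            "syscalls": [
                {"names": ["accept", "read", "write", "exit_group"],
                 "action": "SCMP_ACT_ALLOW"}
            ],
        })
    },
}

if __name__ == "__main__":
    doc, path = render(SAMPLE_COMPOSE)
    print("seccomp entry:", doc["services"]["web"]["security_opt"][0])
    print("run with: docker compose -f", path, "up")
```

The caveat this thread is really about still applies: the rewritten entry is a path, so this only helps when that path is readable by whichever component resolves seccomp files (the Compose client or the daemon), and it does not by itself settle the remote-daemon case in docker/compose#2813. The validation is purely structural; a `defaultAction` of `SCMP_ACT_ALLOW` passes but is weaker than Docker's default profile, which is the kind of policy decision the Open Policy Agent suggestion below would cover.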
I would opt to delegate this to a remote service like Open Policy Agent.