### Description
If we enable `"no-new-privileges": true` in /etc/docker/daemon.json, the Security Options are not getting updated even after a docker restart. `docker info` does not show whether no-new-privileges is enabled or not. Also, if we inspect an individual docker container, the `SecurityOpt` field is null.

Also, if I spawn a container using `docker run` and pass `--security-opt=no-new-privileges`, then the container's `SecurityOpt` is getting updated (non-null value).
```bash
docker info
...
Security Options:
 apparmor
 seccomp
  Profile: default
...
```

```bash
docker inspect <container-id> | grep Security
# Output:
"SecurityOpt": null,
```
Following is the content of daemon.json:

```json
{
  "iptables": true,
  "log-opts": {"max-size": "200m", "max-file": "1"},
  "log-level": "info",
  "live-restore": true,
  "no-new-privileges": true
}
```
### Reproduce
1. Add `"no-new-privileges" : true` in /etc/docker/daemon.json
2. Restart docker daemon `systemctl restart docker.service`
3. `docker info` or inspect any of the running containers.
### Expected behavior
Security Options should get updated with no-new-privileges.
### docker version
```bash
Client: Docker Engine - Community
 Version:           20.10.14
 API version:       1.41
 Go version:        go1.18.8
 Git commit:        a224086
 Built:             Fri Mar 10 06:34:07 2023
 OS/Arch:           linux/amd64
 Context:           default
 Experimental:      true

Server: Docker Engine - Community
 Engine:
  Version:          20.10.14
  API version:      1.41 (minimum version 1.12)
  Go version:       go1.18.8
  Git commit:       87a90dc
  Built:            Fri Mar 10 06:34:43 2023
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          1.6.8
  GitCommit:        9cd3357b7fd7218e4aec3eae239db1f68a5a6ec6
 runc:
  Version:          1.1.4
  GitCommit:
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0
```

### docker info

```bash
Client:
 Context:    default
 Debug Mode: false

Server:
 Containers: 1
  Running: 1
  Paused: 0
  Stopped: 0
 Images: 1
 Server Version: 20.10.14
 Storage Driver: overlay2
  Backing Filesystem: extfs
  Supports d_type: true
  Native Overlay Diff: true
  userxattr: false
 Logging Driver: json-file
 Cgroup Driver: cgroupfs
 Cgroup Version: 1
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
 Swarm: inactive
 Runtimes: io.containerd.runc.v2 io.containerd.runtime.v1.linux runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: 9cd3357b7fd7218e4aec3eae239db1f68a5a6ec6
 runc version:
 init version: de40ad0
 Security Options:
  apparmor
  seccomp
   Profile: default
 Kernel Version: 4.19.272-5.ph3
 Operating System: VMware Photon OS/Linux
 OSType: linux
 Architecture: x86_64
 CPUs: 2
 Total Memory: 7.79GiB
 Name: dev
 ID: IHGB:CS7S:TBII:XS4W:Q42N:YDUL:ZGDW:IETH:3WZG:Q6NG:ASMS:AKBC
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 Registry: https://index.docker.io/v1/
 Labels:
 Experimental: false
 Insecure Registries:
  127.0.0.0/8
 Live Restore Enabled: true
 Product License: Community Engine
```
### Additional Info
No response
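Added example, not part of the issue above and not Docker's own code. In the report, `HostConfig.SecurityOpt` in `docker inspect` is null unless `--security-opt` was passed on the command line, so it cannot tell you whether the daemon-wide default from daemon.json actually reached a container. The direct check is the kernel's own flag: `docker exec <id> cat /proc/1/status` prints a `NoNewPrivs:` line (present on Linux 4.10 and later, so on the 4.19 kernel in this report) that is `1` exactly when no_new_privs is set on the container's init process. The script below parses the three artifacts involved (a daemon.json, a `docker inspect` document and a `/proc/<pid>/status` dump) and reconciles them, treating the kernel flag as authoritative. All inputs are constructed samples embedded inline; the container IDs and the `effective_nnp` helper are assumptions for illustration.

```python
import json
import re
from typing import List, Optional

# Constructed sample of /etc/docker/daemon.json (same keys as the report).
DAEMON_JSON = """
{
  "iptables": true,
  "log-opts": {"max-size": "200m", "max-file": "1"},
  "log-level": "info",
  "live-restore": true,
  "no-new-privileges": true
}
"""

# Constructed excerpts in the shape of `docker inspect <id>`: a JSON list with
# one object. SecurityOpt is null when --security-opt was not given at run time.
INSPECT_DAEMON_DEFAULT = '[{"Id": "0123abcd", "HostConfig": {"SecurityOpt": null}}]'
INSPECT_EXPLICIT = '[{"Id": "4567ef01", "HostConfig": {"SecurityOpt": ["no-new-privileges"]}}]'

# Constructed excerpts of `docker exec <id> cat /proc/1/status`.
PROC_STATUS_ON = "Name:\tsh\nState:\tS (sleeping)\nNoNewPrivs:\t1\nSeccomp:\t2\n"
PROC_STATUS_OFF = "Name:\tsh\nState:\tS (sleeping)\nNoNewPrivs:\t0\nSeccomp:\t2\n"


def daemon_default_nnp(daemon_json_text: str) -> bool:
    """True if daemon.json asks the daemon to apply no-new-privileges to every container."""
    cfg = json.loads(daemon_json_text)
    return cfg.get("no-new-privileges") is True


def inspect_security_opts(inspect_text: str) -> List[str]:
    """HostConfig.SecurityOpt as a list (empty when null). Only per-container flags show up here."""
    doc = json.loads(inspect_text)
    container = doc[0] if isinstance(doc, list) else doc
    opts = container.get("HostConfig", {}).get("SecurityOpt")
    return list(opts or [])


def proc_status_nnp(status_text: str) -> Optional[bool]:
    """Parse the kernel's NoNewPrivs flag from /proc/<pid>/status; None if the field is absent."""
    m = re.search(r"^NoNewPrivs:\s*([01])\s*$", status_text, re.MULTILINE)
    return None if m is None else m.group(1) == "1"


def effective_nnp(daemon_json_text: str, inspect_text: str, status_text: str) -> dict:
    """Reconcile the three views. The kernel flag decides; daemon.json and inspect only explain the source."""
    kernel = proc_status_nnp(status_text)
    per_container = "no-new-privileges" in inspect_security_opts(inspect_text)
    daemon = daemon_default_nnp(daemon_json_text)
    if kernel:
        source = "--security-opt" if per_container else ("daemon.json default" if daemon else "unknown")
    else:
        source = None
    return {"effective": kernel, "source": source, "visible_in_inspect": per_container}


if __name__ == "__main__":
    # Daemon default in force: inspect shows nothing, the kernel flag shows it is set.
    print(effective_nnp(DAEMON_JSON, INSPECT_DAEMON_DEFAULT, PROC_STATUS_ON))
    # Explicit --security-opt: both inspect and the kernel agree.
    print(effective_nnp(DAEMON_JSON, INSPECT_EXPLICIT, PROC_STATUS_ON))
    # Flag requested in daemon.json but not applied (e.g. daemon not restarted).
    print(effective_nnp(DAEMON_JSON, INSPECT_DAEMON_DEFAULT, PROC_STATUS_OFF))
```

To run it against a live host, feed `proc_status_nnp` the output of `docker exec <id> cat /proc/1/status` and `inspect_security_opts` the output of `docker inspect <id>`; a container started before the daemon restart keeps the old process, so check one created after the daemon.json change.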