Conjur and Docker Containers on Linux
A Conjur appliance running on Linux uses the Linux Kernel Session Keyring to securely store the Conjur decryption key. When Conjur starts, a session keyring is created. This session keyring is only available to the Conjur process running inside the container.
Docker's default seccomp profile blocks the keyring system calls (add_key, keyctl and request_key), so a container cannot reach the kernel keyring unless that profile is relaxed. Docker does this because the keyring subsystem is rarely used by applications and is not namespaced in the way Docker relies on to isolate containers from one another.
To give Conjur access to the keyring subsystem, there are two options:
- start the container with the unconfined seccomp profile, or
- provide a custom seccomp profile that allows the keyring system calls.
In non-production environments, setting seccomp to the unconfined profile is the simplest option. The following command removes seccomp confinement entirely: the container may then issue any system call, not only the keyring ones, which is why this is not the production recommendation. Other security restrictions, such as SELinux or AppArmor, are still enforced. (Current Docker documentation writes the option as --security-opt seccomp=unconfined; the colon form shown here is also accepted.)
$ docker run -d --security-opt seccomp:unconfined ...
In production environments, we recommend running Conjur with a seccomp profile that adds only the permissions required for the kernel session keyring system calls and leaves the rest of Docker's default restrictions in place. A sample profile is available on this site for review and use.
The profile file must be available to Docker on every Conjur host before the Conjur container is started. With the file in place, start the Conjur container with the following command:
$ docker run -d --security-opt seccomp:/path/to/conjur-seccomp.json ...
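The following Python script is an added example for this page, not Conjur's sample profile or any code from the project. It works with a seccomp profile in the JSON format Docker accepts, reports whether the three keyring system calls (add_key, keyctl, request_key) would be permitted, and writes a copy that adds a single SCMP_ACT_ALLOW rule for them while leaving every other rule and the defaultAction as they were, which is the "only the required permissions" property the production recommendation asks for. The base profile embedded in the script is a constructed stand-in for Docker's default profile (the real default.json allows several hundred more syscalls), and the file names and function names are this example's own; in practice you would load Docker's actual default profile, patch it, and pass the result to --security-opt seccomp:<file> as in the command above.

```python
"""Audit and patch a Docker seccomp profile for Linux kernel keyring access.

Added example for this page, not Conjur's sample profile. Docker's profile
format is JSON: a top-level "defaultAction" plus a "syscalls" list whose
entries carry "names" (or an older singular "name") and an "action". A
syscall gets the action of the first rule that names it; anything no rule
names falls back to defaultAction.
"""
import copy
import json
import sys

# The keyring system calls Docker's default profile blocks and Conjur needs.
KEYRING_SYSCALLS = ("add_key", "keyctl", "request_key")

# Constructed stand-in for Docker's default profile. The real default.json
# allows several hundred syscalls; only the shape matters here.
BASE_PROFILE = {
    "defaultAction": "SCMP_ACT_ERRNO",
    "architectures": ["SCMP_ARCH_X86_64", "SCMP_ARCH_X86", "SCMP_ARCH_X32"],
    "syscalls": [
        {
            "names": ["read", "write", "openat", "close", "mmap", "exit_group"],
            "action": "SCMP_ACT_ALLOW",
            "args": [],
        }
    ],
}

# What "--security-opt seccomp:unconfined" amounts to: no filter at all.
UNCONFINED_PROFILE = {"defaultAction": "SCMP_ACT_ALLOW", "syscalls": []}


def syscall_action(profile, name):
    """Return the seccomp action the profile applies to one syscall name."""
    for rule in profile.get("syscalls", []):
        names = rule.get("names") or [rule.get("name")]
        if name in names:
            return rule["action"]
    return profile.get("defaultAction")


def keyring_allowed(profile):
    """True only if every keyring syscall would reach the kernel."""
    return all(syscall_action(profile, s) == "SCMP_ACT_ALLOW" for s in KEYRING_SYSCALLS)


def blocked_syscalls(profile, names):
    """Subset of names the profile does not allow (shows what unconfined gives up)."""
    return [n for n in names if syscall_action(profile, n) != "SCMP_ACT_ALLOW"]


def with_keyring_access(profile):
    """Return a copy of profile with one extra ALLOW rule for the keyring syscalls.

    Existing rules and defaultAction are untouched, so the result is exactly
    as restrictive as the input everywhere except the three keyring calls.
    """
    patched = copy.deepcopy(profile)
    patched.setdefault("syscalls", []).append(
        {
            "names": list(KEYRING_SYSCALLS),
            "action": "SCMP_ACT_ALLOW",
            "args": [],
            "comment": "Linux kernel session keyring (added for Conjur)",
        }
    )
    return patched


def load_or_default(path):
    """Load a Docker seccomp profile from disk, or use the constructed base."""
    if path is None:
        return BASE_PROFILE
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def main(argv):
    # Usage: python seccomp_keyring.py [base-profile.json] output.json
    # With a single argument, the constructed BASE_PROFILE is the base.
    if not 1 <= len(argv) <= 2:
        print("usage: seccomp_keyring.py [base-profile.json] output.json", file=sys.stderr)
        return 2
    base = load_or_default(argv[0] if len(argv) == 2 else None)
    patched = with_keyring_access(base)
    with open(argv[-1], "w", encoding="utf-8") as fh:
        json.dump(patched, fh, indent=2)
        fh.write("\n")
    print(f"keyring allowed before: {keyring_allowed(base)}, after: {keyring_allowed(patched)}")
    # Sanity check that the patch did not loosen anything unrelated.
    probe = ("ptrace", "mount", "reboot", "kexec_load")
    print("still blocked after patch:", blocked_syscalls(patched, probe))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it as `python seccomp_keyring.py /path/to/docker-default.json conjur-seccomp.json` to produce the file you then hand to --security-opt; the "still blocked" line is the check worth keeping in a deployment script, since a profile that allows the keyring calls by accident of a loose defaultAction is no better than unconfined.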