IMPORTANT: Docker requires configuration with
devicemapper as the storage driver. Other storage drivers might present issues when enforcing file or application execution protection. Storage drivers other than devicemapper are discouraged when used with MACC.
NOTE: Removal of old containers and images could be required.
Example Docker package download links:
1.13.1 32-bit
1.13.1 64-bit
Installation and configuration steps:
- Uninstall the Docker package from your system, if you have one already installed.
- Install either Docker 1.13.1 32-bit or 64-bit by running one of the following commands:
- 32-bit: yum install -y docker-engine-selinux-1.13.1-1.el7.centos.noarch.rpm
- 64-bit: yum install -y docker-engine-1.13.1-1.el7.centos.x86_64.rpm
(Optional) Run the appropriate command to configure your proxies for Docker:
HTTP: /etc/systemd/system/docker.service.d/http-proxy.conf
HTTPS/etc/systemd/system/docker.service.d/https-proxy.conf
- Set 'devicemapper' as the CentOS default storage driver:
- Run the command vim /etc/docker/daemon.json
- Write: { "storage-driver": "devicemapper"
}
- Save the file.
- Run the command systemctl daemon-reload to reload the Docker daemon.
- Run the command systemctl restart docker to restart the Docker service.
- Run the command sadmin updaters add /usr/bin/dockerd to add the Docker daemon as an "updater" in MACC.
- Remove all Docker containers:
- List all contains with the command docker container ls -a.
- Remove each container by ID with the command docker container rm <ID_Number>.
NOTE: Substitute the actual container ID number for the word Number (<ID_0>, <ID_1>).
- Remove all Docker images.
- List all containers with the command docker container ls -a.
- Remove each container by repository name with the command docker image rm <NAME_Number>.
NOTE: Substitute the actual image number for the word Number (<NAME_0>, <NAME_1>).
- Run the command sadmin so to solidify the system.
- Add Docker mount points as trusted directory rules within the McAfee Application Control policy (default path: /var/libdocker/devicemapper/mnt/).
- For ePO-managed systems, add trusted directory entries in the Application Control Rules policy section titled Directories.
- For Standalone systems, use the sadmin trusted command. See the appropriate MACC Product Guide for more details.
- Run the command sadmin enable to enable MACC.
NOTE: Restart the system if MACC was disabled before step 10.
- Test docker and see that it is working with MACC in enable mode. Run the following commands:
docker run hello-world
docker run alpine echo "Docker 1.13.1 works with Solidcore enabled !"
