How to install Application and Change Control on a Docker host system
Technical Articles ID:   KB90073
Last Modified:  3/15/2019


Environment

McAfee Application and Change Control (MACC) 6.3.x, 6.2.x, 6.1.7
Docker

Summary

Docker is a third-party container platform that facilitates movement of containers across the hybrid cloud. Docker enables independence between applications, infrastructure, developers, and IT ops, creating a model for better collaboration and innovation. This article details the steps that must be taken when installing MACC on a Docker host system.

Solution

Docker must be configured with devicemapper as its storage driver.

NOTE: Removal of old containers and images could be required.

Example Docker package download links:
1.13.1 32-bit 
1.13.1 64-bit 

Installation and configuration steps:
  1. Uninstall the Docker package from your system, if you have one already installed.
  2. Install either Docker 1.13.1 32-bit or 64-bit by running one of the following commands:
yum install -y docker-engine-selinux-1.13.1-1.el7.centos.noarch.rpm (32-bit)
yum install -y docker-engine-1.13.1-1.el7.centos.x86_64.rpm (64-bit)

(Optional) Configure your proxies for Docker in the appropriate file:
/etc/systemd/system/docker.service.d/http-proxy.conf for HTTP
/etc/systemd/system/docker.service.d/https-proxy.conf for HTTPS
  1. Set 'devicemapper' as the CentOS default storage driver.
    1. Run the command vim /etc/docker/daemon.json
    2. Write:
{
  "storage-driver": "devicemapper"
}
  1. Save the file.
  1. Run the command systemctl daemon-reload to reload the Docker daemon.
  2. Run the command systemctl restart docker to restart the Docker service.
  3. Run the command sadmin updaters add /usr/bin/dockerd to add the Docker daemon as an "updater" in MACC.
  4. Remove all Docker containers.
    1. List all containers with the command docker container ls -a
    2. Remove each container by ID with the command docker container rm <ID_Number>
NOTE: Substitute the actual container ID number for the word Number (<ID_0>, <ID_1>).
  1. Remove all Docker images.
    1. List all images with the command docker image ls -a.
    2. Remove each image by repository name with the command docker image rm <NAME_Number>.
NOTE: Substitute the actual image number for the word Number (<NAME_0>, <NAME_1>).
  1. Run the command sadmin so to solidify the system.
  2. Add Docker mount points as trusted directory rules within the McAfee Application Control policy (default path: /var/lib/docker/devicemapper/mnt/).
    • For ePO-managed systems, add trusted directory entries in the Application Control Rules policy section titled Directories.
    • For Standalone systems, use the sadmin trusted command. See the appropriate MACC Product Guide for more details.
  3. Run the command sadmin enable to enable MACC.
NOTE: Restart the system if MACC was disabled before step 10.
  1. Test Docker and confirm that it works with MACC in enabled mode. Run the following commands:
docker run hello-world
docker run alpine echo "Docker 1.13.1 works with Solidcore enabled !"
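
The following added example (not part of the original article or of any McAfee tooling) is a pre-flight check for the storage-driver and cleanup steps above, meant to be run before sadmin so. It confirms that daemon.json and the running daemon both report devicemapper, which catches an edit that was never followed by a Docker restart, and that no containers or images remain; the script name preflight.sh, its --live switch and all function names are assumptions.

```shell
#!/bin/sh
# Added example: pre-flight check before "sadmin so". Function names are hypothetical.

# Print the "storage-driver" value from the daemon.json given as $1 (empty if absent).
# sed is enough for the flat file this procedure writes; it is not a JSON parser.
configured_driver() {
    [ -r "$1" ] || return 0
    sed -n 's/.*"storage-driver"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Print the active driver from `docker info` text on stdin ("Storage Driver: <name>").
running_driver() {
    sed -n 's/^[[:space:]]*Storage Driver:[[:space:]]*//p' | head -n 1
}

# check_driver <daemon.json> <docker-info-text>
# 0 = file and daemon both use devicemapper, 1 = file wrong, 2 = daemon wrong.
check_driver() {
    want=devicemapper
    cfg=$(configured_driver "$1")
    run=$(printf '%s\n' "$2" | running_driver)
    if [ "$cfg" != "$want" ]; then
        echo "FAIL: $1 has storage-driver '${cfg:-unset}'" >&2
        return 1
    fi
    if [ "$run" != "$want" ]; then
        echo "FAIL: daemon reports '${run:-none}'; was docker restarted?" >&2
        return 2
    fi
    echo "OK: devicemapper configured and active"
}

# Count non-empty lines on stdin (IDs from "docker container ls -aq" and similar).
leftover_count() { grep -c . || true; }

# Live run against the local daemon: sh preflight.sh --live
if [ "${1:-}" = "--live" ]; then
    check_driver /etc/docker/daemon.json "$(docker info 2>/dev/null)" || exit 1
    c=$(docker container ls -aq | leftover_count)
    i=$(docker image ls -aq | leftover_count)
    if [ "$c" -ne 0 ] || [ "$i" -ne 0 ]; then
        echo "FAIL: $c containers and $i images remain" >&2
        exit 1
    fi
    echo "OK: ready for sadmin so"
fi
```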
