Recent updates:

Date	Update
March 24, 2021	Updated the note about the devicemapper and overlay2 storage drivers. Added a note about Docker version 18.09 and RHEL 8.x.

Docker is a third-party container platform that facilitates movement of containers across the hybrid cloud. Docker enables independence between applications, infrastructure, developers, and IT operations. This independence enables better collaboration and innovation. This article explains how to install MACC on a Docker host system.

IMPORTANT: Docker requires configuration with devicemapper as the storage driver. Other storage drivers might present issues when enforcing file or application execution protection. So, do not use a storage driver other than devicemapper with MACC.

NOTE: The devicemapper storage driver is deprecated in Docker 18.09 and later versions. Docker recommends that devicemapper storage driver users migrate to overlay2, but the MACC product currently does not support the overlay2 driver. Support for the overlay2 driver is being considered for a future MACC version. While the Docker v18.09 and later software installs on a MACC client, containers are not supported nor can be started because of the overlay2 driver.

NOTE: Docker version 18.09 and later versions are not supported on RHEL 8.x with the MACC product, even if you use the devicemapper storage driver. Support for the overlay2 driver is being considered for a future MACC version.



For more information, see the Docker Documentation at: https://docs.docker.com/storage/storagedriver/select-storage-driver/.

NOTE: You might need to remove old containers and images. Example Docker packages:

• 1.13.1 32-bit 
• 1.13.1 64-bit

To install Application and Change Control for Linux on a Docker host system:

1. Uninstall the Docker package from your system, if you have one already installed.
2. Install either Docker 1.13.1 32-bit or 64-bit by running one of the following commands:
    
   • 32-bit: yum install -y docker-engine-selinux-1.13.1-1.el7.centos.noarch.rpm
   • 64-bit: yum install -y docker-engine-1.13.1-1.el7.centos.x86_64.rpm
    
   (Optional) Run the appropriate command to configure your proxies for Docker:
    
   • HTTP: /etc/systemd/system/docker.service.d/http-proxy.conf 
   • HTTPS: /etc/systemd/system/docker.service.d/https-proxy.conf  
      
3. Set devicemapper as the CentOS default storage driver:
   1. Run the command vim /etc/docker/daemon.json
   2. Write: { "storage-driver": "devicemapper"

3. Save the file.

4. To reload the Docker daemon, run the command systemctl daemon-reload.
5. To restart the Docker service, run the command systemctl restart docker.
6. To add the Docker daemon as an updater in MACC, run the following commands: 
    
   sadmin updaters add "/usr/bin/dockerd"
   sadmin updaters add "/usr/bin/docker"
   sadmin updaters add "/usr/bin/runc"

             sadmin updaters add "containerd"

7. Remove all Docker containers:
   1. List all contains with the command docker container ls -a. 
   2. Remove each container by ID with the command docker container rm <ID_Number>. 

8. Remove all Docker images:
   1. List all containers with the command docker container ls -a.
   2. Remove each container by repository name with the command docker image rm <NAME_Number>.

9. To solidify the system, run the command sadmin so.
10. Add Docker mount points as trusted directory rules within the McAfee Application Control policy (default path: /var/libdocker/devicemapper/mnt/).
    • For ePO-managed systems, add trusted directory entries in the Application Control Rules policy section titled Directories.
    • For Standalone systems, use the sadmin trusted command. See the appropriate MACC product guide for more details.
11. To enable MACC, run the command sadmin enable.

12. Test Docker to confirm that it is working with MACC in enable mode. Run the following commands:
    
    docker run hello-world
    docker run alpine echo "Docker 1.13.1 works with Solidcore enabled !"