Recent updates:
Date | Update
December 14, 2021 | Updated the note about the devicemapper and overlay2 storage drivers.
Docker is a third-party container platform that facilitates movement of containers across the hybrid cloud. Docker enables independence between applications, infrastructure, developers, and IT operations. This independence enables better collaboration and innovation. This article explains how to install MACC on a Docker host system.
IMPORTANT: MACC works with overlay2 (6.4.18 and later) and devicemapper as storage drivers, as supported by Docker. For more information about how to select a storage driver, see the Docker Documentation.
NOTE: You can check the storage driver from the Docker CLI with the following command:
docker info | grep "Storage Driver"
Storage Driver: devicemapper
To install Application and Change Control for Linux on a Docker host system (if the storage driver is devicemapper):
- To add the Docker daemon as an updater in MACC, run the following commands:
sadmin updaters add "/usr/bin/dockerd"
sadmin updaters add "/usr/bin/docker"
sadmin updaters add "/usr/bin/runc"
sadmin updaters add "containerd"
sadmin updaters add "containerd-shim"
- Remove all Docker containers:
- List all containers with the command docker container ls -a.
- Remove each container by ID with the command docker container rm <ID_Number>.
NOTE: Substitute the actual container ID number for the word Number (<ID_0>, <ID_1>).
- Remove all Docker images:
- List all containers with the command docker container ls -a.
- Remove each image by repository name with the command docker image rm <NAME_Number>.
NOTE: Substitute the actual image number for the word Number (<NAME_0>, <NAME_1>).
- To solidify the system, run the command sadmin so.
- Add Docker mount points as trusted directory rules within the McAfee Application Control policy (default path: /var/lib/docker/devicemapper/mnt/).
- For ePO-managed systems, add trusted directory entries in the Application Control Rules policy section titled Directories.
- For Standalone systems, use the sadmin trusted command. See the appropriate MACC product guide for more details.
- To enable MACC, run the command sadmin enable.
NOTE: Restart the system if MACC is disabled before step 5.
- Test Docker to confirm that it’s working with MACC in enable mode.
To install Application and Change Control for Linux on a Docker host system (if the storage driver is overlay2):
NOTE: Docker overlay2 support is available in 6.4.18 and later.
- Remove all Docker containers:
- List all containers with the command docker container ls -a.
- Remove each container by ID with the command docker container rm <ID_Number>.
NOTE: Substitute the actual container ID number for the word Number (<ID_0>, <ID_1>).
- Remove all Docker images:
- List all containers with the command docker container ls -a.
- Remove each image by repository name with the command docker image rm <NAME_Number>.
NOTE: Substitute the actual image number for the word Number (<NAME_0>, <NAME_1>).
- To solidify the system, run the command sadmin so.
- Add Docker mount points as trusted directory rules within the McAfee Application Control policy (default path: /var/lib/docker/overlay2).
- For ePO-managed systems, add trusted directory entries in the Application Control Rules policy section titled Directories.
- For Standalone systems, use the sadmin trusted command. See the appropriate MACC product guide for more details.
- To enable MACC, run the command sadmin enable.
NOTE: Restart the system if MACC is disabled before step 4.
- Test Docker to confirm that it’s working with MACC in enable mode.
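A read-only pre-flight check for both procedures above, added here as an example (it is not part of the original article or of the product): it confirms that the storage driver is one this article covers and that no containers or images remain before sadmin so, then prints the default path to add as a trusted directory. The function names and the --run switch are assumptions of this example; it runs no sadmin command.

```shell
#!/bin/sh
# Pre-flight check before "sadmin so". Only reads Docker state.

# Extract the driver name from `docker info` text read on stdin.
parse_storage_driver() {
    sed -n 's/^[[:space:]]*Storage Driver:[[:space:]]*//p' | head -n 1
}

# Map a storage driver to the default mount path this article lists for it.
trusted_dir_for_driver() {
    case "$1" in
        devicemapper) echo "/var/lib/docker/devicemapper/mnt/" ;;
        overlay2)     echo "/var/lib/docker/overlay2" ;;
        *)            return 1 ;;   # any other driver is outside this article
    esac
}

# preflight DRIVER CONTAINER_IDS IMAGE_IDS
# Prints the directory to trust, or fails with the reason on stderr.
preflight() {
    dir=$(trusted_dir_for_driver "${1:-}") || {
        echo "unsupported storage driver: ${1:-<none>}" >&2; return 2; }
    [ -z "${2:-}" ] || { echo "containers still present; remove them first" >&2; return 3; }
    [ -z "${3:-}" ] || { echo "images still present; remove them first" >&2; return 4; }
    echo "$dir"
}

# Live use on the Docker host: sh preflight.sh --run  (file name is an assumption)
if [ "${1:-}" = "--run" ]; then
    driver=$(docker info 2>/dev/null | parse_storage_driver)
    dir=$(preflight "$driver" "$(docker container ls -a -q)" \
                    "$(docker image ls -a -q)") || exit $?
    echo "Ready for 'sadmin so'; trusted directory to add: $dir"
fi
```

A non-zero exit status identifies the failed precondition: 2 for a storage driver this article does not cover, 3 for leftover containers, 4 for leftover images.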