On hardened systems, several problems can prevent Cyberwatch from working correctly, depending on the system configuration.
This documentation lists the usual hardening measures likely to interfere with Docker, and explains how to disable or adapt them when necessary.
Having SELinux enabled can cause problems for Docker and its containers.
SELinux can be disabled by setting the following line in the
/etc/selinux/config file (the change takes effect after a reboot):
If SELinux must remain enabled, it can be configured without impacting Docker by following our documentation: configure SELinux with Swarm
A disabled net.ipv4.ip_forward parameter prevents Docker from forwarding network traffic to and from the containers. In this case, enable the
net.ipv4.ip_forward parameter by setting the following line in the sysctl configuration, then reload that configuration (or reboot) so that the change takes effect:
net.ipv4.ip_forward = 1
The filesystem holding the /var/lib/docker/ directory, which is Docker's default data directory, must be mounted with the
exec option enabled. A noexec mount option on the partition holding /var (which /var/lib/docker inherits) prevents Docker from running the container binaries stored there.
To allow execution on this mount point, use the command:
mount -o remount,exec
This remount does not survive a reboot: also remove the noexec option from the corresponding entry in /etc/fstab so that the setting persists.
The following kernel modules must be enabled through
This can be achieved using the following commands:
cat <<EOL >> /etc/sysconfig/modules/docker_prerequisites.modules
chmod +x /etc/sysconfig/modules/docker_prerequisites.modules
The above commands create the
/etc/sysconfig/modules/docker_prerequisites.modules file with the necessary module-loading commands and make it executable, so that it is run at boot and the modules are loaded automatically.
The firewalld service can in some cases also interfere with the communication between containers, or between the containers and the Internet.
Stopping and disabling the
firewalld service is therefore recommended:
systemctl stop firewalld
systemctl disable firewalld
If a host firewall is mandatory, place the host's own rules in the DOCKER-USER iptables chain, which Docker evaluates before its own rules and leaves untouched, rather than letting firewalld rewrite the rules Docker depends on.
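The following preflight script, added here as an illustration and not part of Cyberwatch or Docker, checks the four settings covered above on a host: the SELinux mode, net.ipv4.ip_forward, whether the filesystem holding /var/lib/docker is mounted noexec, and the firewalld state. Each check takes its input as an argument so it can be run against the live host or against a sample; the function names, the report format and the /proc/mounts-style lines used when testing are assumptions made for this example.

```shell
#!/bin/sh
# Added preflight check for the hardening points above. This is an example
# written for this page, not Cyberwatch or Docker tooling. Every check takes
# its input as an argument so the same function can run against the live host
# or a constructed sample; the mount parser works on /proc/mounts-format lines.

# SELinux: "Disabled" and "Permissive" (as printed by getenforce) do not block
# Docker; "Enforcing" needs the SELinux-with-Swarm configuration instead.
selinux_ok() {
    case "$1" in
        Disabled|Permissive) return 0 ;;
        *) return 1 ;;
    esac
}

# IP forwarding: the sysctl file (normally /proc/sys/net/ipv4/ip_forward)
# must exist and contain exactly "1".
ip_forward_ok() {
    [ -r "$1" ] && [ "$(cat "$1")" = "1" ]
}

# Print the mount options of the filesystem a directory lives on, by picking
# the longest mount point that is a prefix of the directory. A directory that
# is not itself a mount point inherits the options of its parent filesystem,
# which is how /var/lib/docker ends up noexec when /var is mounted noexec.
# Arguments: <file in /proc/mounts format> <directory>
mount_options_for() {
    mounts_file=$1; dir=$2
    best=""; best_opts=""
    while read -r _dev mnt _fstype opts _rest; do
        [ -n "$mnt" ] || continue
        if [ "$mnt" = "/" ] || [ "$dir" = "$mnt" ] || [ "${dir#"$mnt"/}" != "$dir" ]; then
            # equal-or-longer matches win: the deepest (latest) mount applies
            if [ ${#mnt} -ge ${#best} ]; then best=$mnt; best_opts=$opts; fi
        fi
    done < "$mounts_file"
    [ -n "$best" ] && printf '%s\n' "$best_opts"
}

# Docker's data directory must not sit on a noexec filesystem.
docker_dir_exec_ok() {
    opts=$(mount_options_for "$1" "$2") || return 1
    case ",$opts," in
        *,noexec,*) return 1 ;;
        *) return 0 ;;
    esac
}

# firewalld: anything but "active" from `systemctl is-active firewalld`
# (inactive, failed, unknown) means it will not interfere.
firewalld_ok() {
    [ "$1" != "active" ]
}

# check <label> <function> [args...]: print one result line, remember failures.
check() {
    label=$1; shift
    if "$@"; then echo "ok   $label"; else echo "FAIL $label"; rc=1; fi
}

# Run all checks against the live host; returns non-zero if any check failed.
run_live_checks() {
    rc=0
    sel=$(getenforce 2>/dev/null); sel=${sel:-Disabled}        # no SELinux tooling: not enforced
    fw=$(systemctl is-active firewalld 2>/dev/null); fw=${fw:-unknown}
    check "SELinux mode is $sel"                  selinux_ok "$sel"
    check "net.ipv4.ip_forward = 1"               ip_forward_ok /proc/sys/net/ipv4/ip_forward
    check "exec allowed on /var/lib/docker mount" docker_dir_exec_ok /proc/mounts /var/lib/docker
    check "firewalld is $fw"                      firewalld_ok "$fw"
    return $rc
}

run_live_checks || echo "Some checks failed; see the matching sections above."
```

Run it as root before installing Cyberwatch; every FAIL line maps to one of the sections above. The mount check is deliberately done by walking /proc/mounts rather than by looking at /var/lib/docker itself, because on hardened hosts the directory is usually not its own mount point and silently inherits noexec from /var.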
We recommend that the system hosting the Cyberwatch application have the latest available system and application updates.
This applies in particular to hardened systems, which may not have been updated for a long time.
The following resources can help verify that the kernel and its configuration are compatible with running containers: