Enable/Disable AppArmor on a Host

By default, AppArmor is disabled on a host. It can be enabled in the kernel using system CLI commands as follows. In the example below, AppArmor is enabled on controller-0.

Note

Enabling AppArmor can result in some performance degradation; see the StarlingX System Engineering Guidelines.

Note

In a multi-host configuration, AppArmor should be enabled on all hosts to ensure that the AppArmor profiles are loaded on any host where a pod may be scheduled by Kubernetes.

  1. To enable AppArmor on a host, run the following commands:

    ~(keystone_admin)]$ system host-lock controller-0
    ~(keystone_admin)]$ system host-update controller-0 apparmor=enabled
    ~(keystone_admin)]$ system host-unlock controller-0
    

    Wait for controller-0 to reset and return to an unlocked/enabled/available state.

  2. Verify that AppArmor is enabled by running the following command on the host.

    sysadmin@controller-0:~$ aa-enabled
    
    Yes
    

To disable AppArmor on a host, run the following commands.

  1. In the example below, AppArmor is disabled on controller-0.

    ~(keystone_admin)]$ system host-lock controller-0
    ~(keystone_admin)]$ system host-update controller-0 apparmor=disabled
    ~(keystone_admin)]$ system host-unlock controller-0
    

    Wait for controller-0 to reset and return to an unlocked/enabled/available state.

  2. Verify that AppArmor is disabled by running the following command on the host.

    sysadmin@controller-0:~$ aa-enabled
    
    No
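
The verification step above checks one host at a time. For the multi-host case in the note, the following added example (not part of the StarlingX documentation) runs `aa-enabled` on each host and reports any host whose state differs from the expected one. It assumes the hosts accept SSH logins as `sysadmin`; host names other than controller-0 and the `AA_PROBE` override are hypothetical.

```shell
#!/bin/sh
# Added example: confirm every host reports the AppArmor state you expect
# after the lock / host-update / unlock cycle.
# Assumptions: hosts accept SSH as sysadmin; host names are placeholders.

# Run aa-enabled on one host and print its answer.
aa_probe() {
    ssh -n -o BatchMode=yes -o ConnectTimeout=10 "sysadmin@$1" aa-enabled 2>/dev/null
}

# Map the aa-enabled answer to enabled / disabled / unknown.
# aa-enabled exits non-zero when AppArmor is off, so the exit status is
# ignored here and only the text is classified. AA_PROBE (hypothetical
# override) lets a different probe command be substituted.
aa_state() {
    out=$("${AA_PROBE:-aa_probe}" "$1") || true
    case "$out" in
        Yes*) echo enabled ;;
        No*)  echo disabled ;;
        *)    echo unknown ;;   # unreachable host or any other answer
    esac
}

# aa_audit <enabled|disabled> host...
# Prints one line per host; returns 1 if any host differs from the expected state.
aa_audit() {
    expected=$1; shift
    rc=0
    for host in "$@"; do
        state=$(aa_state "$host")
        if [ "$state" = "$expected" ]; then
            echo "OK    $host apparmor=$state"
        else
            echo "FAIL  $host apparmor=$state (expected $expected)"
            rc=1
        fi
    done
    return "$rc"
}

# Example: ./aa-audit.sh enabled controller-0 controller-1
if [ "$#" -gt 0 ]; then
    aa_audit "$@"
fi
```

A host reported as `unknown` was either unreachable or gave an answer other than Yes or No, so treat it as not verified rather than as disabled.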