toolshed/docker-cli
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add --security-opts options to allow user to customize security configuration

Browse Source 
security-opts will allow you to customise the security subsystem.

For example the labeling system like SELinux will run on a container.

    --security-opt="label:user:USER"   : Set the label user for the container
    --security-opt="label:role:ROLE"   : Set the label role for the container
    --security-opt="label:type:TYPE"   : Set the label type for the container
    --security-opt="label:level:LEVEL" : Set the label level for the container
    --security-opt="label:disabled"    : Turn off label confinement for the container

Since we are passing a list of string options instead of a space separated
string of options, I will change function calls to use InitLabels instead of
GenLabels.  Genlabels interface is Depracated.

Docker-DCO-1.1-Signed-off-by: Dan Walsh <dwalsh@redhat.com> (github: rhatdan)
This commit is contained in:
Dan Walsh
2014-09-29 06:44:32 -04:00
committed by Tibor Vass
parent 6f116d084a
commit 5619082f2b
2 changed files with 29 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

26
docs/sources/reference/run.md
View File

@ -225,6 +225,32 @@ the container exits**, you can add the `--rm` flag:
--rm=false: Automatically remove the container when it exits (incompatible with -d)
## Security Configuration
--security-opt="label:user:USER" : Set the label user for the container
--security-opt="label:role:ROLE" : Set the label role for the container
--security-opt="label:type:TYPE" : Set the label type for the container
--security-opt="label:level:LEVEL" : Set the label level for the container
--security-opt="label:disable" : Turn off label confinement for the container
If you want to use the same label for multiple containers you can override use
the security-opt flag to select an MCS level. This is a common practive for MLS
systems. But it also might help in cases where you want to share the same
content between containers. Run the following command.
# docker run --security-opt label:level:s0:c100,c200 -i -t fedora bash
Run the follwing command if you want to disable the labeling controls for just
this container.
# docker run --security-opt label:disable -i -t fedora bash
If you decide you would like to work with a tighter policy on your container.
For example if you want to run a container that could only listen on apache
ports, and not connect to the network. You could select an alternate type to
run the container execute the following command.
# docker run --security-opt label:type:svirt_apache_t -i -t fedora bash
## Runtime Constraints on CPU and Memory
The operator can also adjust the performance parameters of the