toolshed/docker-cli
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add --security-opts options to allow user to customize security configuration

Browse Source 
security-opts will allow you to customise the security subsystem.

For example the labeling system like SELinux will run on a container.

    --security-opt="label:user:USER"   : Set the label user for the container
    --security-opt="label:role:ROLE"   : Set the label role for the container
    --security-opt="label:type:TYPE"   : Set the label type for the container
    --security-opt="label:level:LEVEL" : Set the label level for the container
    --security-opt="label:disabled"    : Turn off label confinement for the container

Since we are passing a list of string options instead of a space separated
string of options, I will change function calls to use InitLabels instead of
GenLabels.  Genlabels interface is Depracated.

Docker-DCO-1.1-Signed-off-by: Dan Walsh <dwalsh@redhat.com> (github: rhatdan)
Upstream-commit: 87e732a0f3503517d7a66804bb9a7f74977347e5
Component: engine
This commit is contained in:
Dan Walsh
2014-09-29 06:44:32 -04:00
committed by Victor Vieux
parent 840410fc66
commit fe37a1db8f
8 changed files with 117 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

37
components/engine/integration-cli/docker_cli_run_test.go
View File

@ -19,6 +19,7 @@ import (
"github.com/docker/docker/pkg/mount"
"github.com/docker/docker/pkg/networkfs/resolvconf"
"github.com/docker/libcontainer/label"
"github.com/kr/pty"
)
@ -1719,6 +1720,42 @@ func TestRunWriteResolvFileAndNotCommit(t *testing.T) {
logDone("run - write to /etc/resolv.conf and not commited")
}
func TestRunSecurityOptLevel(t *testing.T) {
plabel, _, _ := label.InitLabels(nil)
if plabel != "" {
defer deleteAllContainers()
cmd := exec.Command(dockerBinary, "run", "--security-opt", "label:level:s0:c0,c100", "busybox", "ps", "-eZ")
out, _, err := runCommandWithOutput(cmd)
if err != nil {
t.Fatal(err, out)
}
id := strings.TrimSpace(out)
if !strings.ContainsAny(id, "s0:c0,c100") {
t.Fatal("security-opt label:level:s0:c0,c100 failed")
}
}
logDone("run - security-opt label:level")
}
func TestRunSecurityOptDisable(t *testing.T) {
plabel, _, _ := label.InitLabels(nil)
if plabel != "" {
defer deleteAllContainers()
cmd := exec.Command(dockerBinary, "run", "--security-opt", "label:disable", "busybox", "ps", "-eZ")
out, _, err := runCommandWithOutput(cmd)
if err != nil {
t.Fatal(err, out)
}
id := strings.TrimSpace(out)
if !strings.ContainsAny(id, "svirt") {
t.Fatal("security-opt label:level:disable failed")
}
}
logDone("run - security-opt label:disable")
}
func TestRunWithBadDevice(t *testing.T) {
name := "baddevice"
cmd := exec.Command(dockerBinary, "run", "--name", name, "--device", "/etc", "busybox", "true")