Add daemon flag to set no_new_priv as default for unprivileged containers.

Signed-off-by: Daniel Zhang <jmzwcn@gmail.com>
Daniel Zhang 2017-01-09 09:22:05 +08:00 committed by Tibor Vass
parent 1328bb4440
commit 218740abc7
2 changed files with 3 additions and 1 deletions


@ -70,6 +70,7 @@ Options:
--max-concurrent-uploads int Set the max concurrent uploads for each push (default 5)
--metrics-addr string Set address and port to serve the metrics api (default "")
--mtu int Set the containers network MTU
--no-new-privileges Disable container processes from gaining new privileges
--oom-score-adjust int Set the oom_score_adj for the daemon (default -500)
-p, --pidfile string Path to use for daemon PID file (default "/var/run/docker.pid")
--raw-logs Full timestamps without ANSI coloring
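Review bot: the help text on the new `--no-new-privileges` line does not say that this is a daemon-wide default, and it is word for word the description used for the per-container `--security-opt="no-new-privileges"` option. The commit subject describes a default for unprivileged containers, so the text should say that, for example "Set no-new-privileges by default for new containers", and the option reference should state how privileged containers are treated and whether a per-container `--security-opt` overrides the daemon setting.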
@ -1190,6 +1191,7 @@ This is a full example of the allowed configuration options on Linux:
"seccomp-profile": "",
"insecure-registries": [],
"disable-legacy-registry": false,
"no-new-privileges": false,
"default-runtime": "runc",
"oom-score-adjust": -500,
"runtimes": {
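Review bot: documentation is missing for the `"no-new-privileges": false` key, which is added to the full example only, with nothing in this hunk explaining what it controls. Add a sentence near the example describing that `false` leaves the current behaviour unchanged and that `true` applies the restriction to containers by default. The page shows two changed files, both documentation, so the change that registers the daemon option and its tests should be linked or included for review alongside this.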


@ -630,7 +630,7 @@ with the same logic -- if the original volume was specified with a name it will
--security-opt="label=level:LEVEL" : Set the label level for the container
--security-opt="label=disable" : Turn off label confinement for the container
--security-opt="apparmor=PROFILE" : Set the apparmor profile to be applied to the container
--security-opt="no-new-privileges" : Disable container processes from gaining new privileges
--security-opt="no-new-privileges:true|false" : Disable/enable container processes from gaining new privileges
--security-opt="seccomp=unconfined" : Turn off seccomp confinement for the container
--security-opt="seccomp=profile.json": White listed syscalls seccomp Json file to be used as a seccomp filter
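Review bot: the description on the `--security-opt="no-new-privileges:true|false"` line, "Disable/enable container processes from gaining new privileges", is ambiguous about which value does what, since `true` is the value that disables gaining privileges. Spell out each value, or describe only the `true` case and note that `false` turns the restriction off for that container. The hunk also replaces the bare `no-new-privileges` form, so the text should say whether that form is still accepted, and the `:` separator differs from the `=` used by `seccomp=unconfined`, `apparmor=PROFILE` and `label=disable` in the same list, which deserves a note or alignment.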