From 5619082f2bbd47a9bbeb710626da310c1ed072bf Mon Sep 17 00:00:00 2001
From: Dan Walsh
Date: Mon, 29 Sep 2014 06:44:32 -0400
Subject: [PATCH] Add --security-opts options to allow user to customize security configuration security-opts will allow you to customise the security subsystem. For example the labeling system like SELinux will run on a container. --security-opt="label:user:USER" : Set the label user for the container --security-opt="label:role:ROLE" : Set the label role for the container --security-opt="label:type:TYPE" : Set the label type for the container --security-opt="label:level:LEVEL" : Set the label level for the container --security-opt="label:disabled" : Turn off label confinement for the container Since we are passing a list of string options instead of a space separated string of options, I will change function calls to use InitLabels instead of GenLabels. Genlabels interface is Depracated. Docker-DCO-1.1-Signed-off-by: Dan Walsh (github: rhatdan)
---
contrib/completion/bash/docker | 5 +++--
docs/sources/reference/run.md | 26 ++++++++++++++++++++++++++
2 files changed, 29 insertions(+), 2 deletions(-)
diff --git a/contrib/completion/bash/docker b/contrib/completion/bash/docker
index b88f64d59d..3cc85be203 100755
--- a/contrib/completion/bash/docker
+++ b/contrib/completion/bash/docker
@@ -620,10 +620,11 @@ _docker_run()
 case "$cur" in
 -*)
- COMPREPLY=( $( compgen -W "--rm -d --detach -n --networking --privileged -P --publish-all -i --interactive -t --tty --cidfile --entrypoint -h --hostname -m --memory -u --user -w --workdir --cpuset -c --cpu-shares --sig-proxy --name -a --attach -v --volume --link -e --env -p --publish --expose --dns --volumes-from --lxc-conf" -- "$cur" ) )
+ COMPREPLY=( $( compgen -W "--rm -d --detach -n --networking --privileged -P --publish-all -i --interactive -t --tty --cidfile --entrypoint -h --hostname -m --memory -u --user -w --workdir --cpuset -c --cpu-shares --sig-proxy --name -a --attach -v --volume --link -e --env -p --publish --expose --dns --volumes-from --lxc-conf --security-opt" -- "$cur" ) )
 ;;
 *)
- local counter=$(__docker_pos_first_nonflag '--cidfile|--volumes-from|-v|--volume|-e|--env|--entrypoint|-h|--hostname|-m|--memory|-u|--user|-w|--workdir|--cpuset|-c|--cpu-shares|-n|--name|-a|--attach|--link|-p|--publish|--expose|--dns|--lxc-conf')
+
+ local counter=$(__docker_pos_first_nonflag '--cidfile|--volumes-from|-v|--volume|-e|--env|--entrypoint|-h|--hostname|-m|--memory|-u|--user|-w|--workdir|--cpuset|-c|--cpu-shares|-n|--name|-a|--attach|--link|-p|--publish|--expose|--dns|--lxc-conf|--security-opt')
 if [ $cword -eq $counter ]; then
 __docker_image_repos_and_tags_and_ids
diff --git a/docs/sources/reference/run.md b/docs/sources/reference/run.md
index 5bdaa256d6..095319f133 100644
--- a/docs/sources/reference/run.md
+++ b/docs/sources/reference/run.md
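Review bot: The added empty line after `*)` (the lone `+` immediately before the new `local counter=` line) looks accidental and makes this arm read differently from the `-*)` arm; drop it so the hunk is a one-line change to the nonflag pattern. `--security-opt` takes a value, so adding it to `__docker_pos_first_nonflag` is right, but nothing here completes that value; a `--security-opt)` arm in the `$prev` handling — presumably earlier in `_docker_run`, outside this hunk — could offer the `label:` prefixes this commit documents (`label:user:`, `label:role:`, `label:type:`, `label:level:` and the disable keyword), spelling the last one however the daemon actually accepts it, since the commit message writes `label:disabled` and the run.md hunk `label:disable`. The `COMPREPLY=( $( compgen … ) )` expansion stays unquoted on the new line, which is pre-existing and harmless for this fixed word list. `_docker_run` starts and ends outside the hunk.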
@@ -225,6 +225,32 @@ the container exits**, you can add the `--rm` flag:
 --rm=false: Automatically remove the container when it exits (incompatible with -d)
+## Security Configuration
+ --security-opt="label:user:USER" : Set the label user for the container
+ --security-opt="label:role:ROLE" : Set the label role for the container
+ --security-opt="label:type:TYPE" : Set the label type for the container
+ --security-opt="label:level:LEVEL" : Set the label level for the container
+ --security-opt="label:disable" : Turn off label confinement for the container
+
+If you want to use the same label for multiple containers you can override use
+the security-opt flag to select an MCS level. This is a common practive for MLS
+systems. But it also might help in cases where you want to share the same
+content between containers. Run the following command.
+
+ # docker run --security-opt label:level:s0:c100,c200 -i -t fedora bash
+
+Run the follwing command if you want to disable the labeling controls for just
+this container.
+
+ # docker run --security-opt label:disable -i -t fedora bash
+
+If you decide you would like to work with a tighter policy on your container.
+For example if you want to run a container that could only listen on apache
+ports, and not connect to the network. You could select an alternate type to
+run the container execute the following command.
+
+ # docker run --security-opt label:type:svirt_apache_t -i -t fedora bash
+
 ## Runtime Constraints on CPU and Memory
 The operator can also adjust the performance parameters of the