Guest24897
/
DockerCLI
mirror of https://github.com/docker/cli.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

docs: move info about --security-opt to docker run reference 

Signed-off-by: David Karlsson <35727626+dvdksn@users.noreply.github.com>
This commit is contained in:
David Karlsson 2023-11-23 14:13:24 +01:00
parent f98444490f
commit 92c664b0dc
2 changed files with 56 additions and 60 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

57
docs/reference/commandline/run.md
View File

@ -1206,7 +1206,62 @@ in the image, or `SIGTERM` if the image has no `STOPSIGNAL` defined.
### <a name="security-opt"></a> Optional security options (--security-opt) ### <a name="security-opt"></a> Optional security options (--security-opt)
On Windows, you can use this flag to specify the `credentialspec` option. | Option | Description |
|:------------------------------------------|:--------------------------------------------------------------------------|
| `--security-opt="label=user:USER"` | Set the label user for the container |
| `--security-opt="label=role:ROLE"` | Set the label role for the container |
| `--security-opt="label=type:TYPE"` | Set the label type for the container |
| `--security-opt="label=level:LEVEL"` | Set the label level for the container |
| `--security-opt="label=disable"` | Turn off label confinement for the container |
| `--security-opt="apparmor=PROFILE"` | Set the apparmor profile to be applied to the container |
| `--security-opt="no-new-privileges=true"` | Disable container processes from gaining new privileges |
| `--security-opt="seccomp=unconfined"` | Turn off seccomp confinement for the container |
| `--security-opt="seccomp=profile.json"` | White-listed syscalls seccomp Json file to be used as a seccomp filter |
The `--security-opt` flag lets you override the default labeling scheme for a
container. Specifying the level in the following command allows you to share
the same content between containers.
```console
$ docker run --security-opt label=level:s0:c100,c200 -it fedora bash
```
> **Note**
>
> Automatic translation of MLS labels isn't supported.
To disable the security labeling for a container entirely, you can use
`label=disable`:
```console
$ docker run --security-opt label=disable -it ubuntu bash
```
If you want a tighter security policy on the processes within a container, you
can specify a custom `type` label. The following example runs a container
that's only allowed to listen on Apache ports:
```console
$ docker run --security-opt label=type:svirt_apache_t -it ubuntu bash
```
> **Note**
>
> You would have to write policy defining a `svirt_apache_t` type.
To prevent your container processes from gaining additional privileges, you can
use the following command:
```console
$ docker run --security-opt no-new-privileges -it ubuntu bash
```
This means that commands that raise privileges such as `su` or `sudo` will no longer work.
It also causes any seccomp filters to be applied later, after privileges have been dropped
which may mean you can have a more restrictive set of filters.
For more details, see the [kernel documentation](https://www.kernel.org/doc/Documentation/prctl/no_new_privs.txt).
On Windows, you can use the `--security-opt` flag to specify the `credentialspec` option.
The `credentialspec` must be in the format `file://spec.txt` or `registry://keyname`. The `credentialspec` must be in the format `file://spec.txt` or `registry://keyname`.
### <a name="stop-timeout"></a> Stop container with timeout (--stop-timeout) ### <a name="stop-timeout"></a> Stop container with timeout (--stop-timeout)

59
docs/reference/run.md
View File

@ -241,65 +241,6 @@ $ echo $?
3 3
``` ```
## Security configuration
| Option | Description |
|:------------------------------------------|:--------------------------------------------------------------------------|
| `--security-opt="label=user:USER"` | Set the label user for the container |
| `--security-opt="label=role:ROLE"` | Set the label role for the container |
| `--security-opt="label=type:TYPE"` | Set the label type for the container |
| `--security-opt="label=level:LEVEL"` | Set the label level for the container |
| `--security-opt="label=disable"` | Turn off label confinement for the container |
| `--security-opt="apparmor=PROFILE"` | Set the apparmor profile to be applied to the container |
| `--security-opt="no-new-privileges=true"` | Disable container processes from gaining new privileges |
| `--security-opt="seccomp=unconfined"` | Turn off seccomp confinement for the container |
| `--security-opt="seccomp=profile.json"` | White-listed syscalls seccomp Json file to be used as a seccomp filter |
You can override the default labeling scheme for each container by specifying
the `--security-opt` flag. Specifying the level in the following command
allows you to share the same content between containers.
```console
$ docker run --security-opt label=level:s0:c100,c200 -it fedora bash
```
> **Note**
>
> Automatic translation of MLS labels is not currently supported.
To disable the security labeling for this container versus running with the
`--privileged` flag, use the following command:
```console
$ docker run --security-opt label=disable -it fedora bash
```
If you want a tighter security policy on the processes within a container,
you can specify an alternate type for the container. You could run a container
that is only allowed to listen on Apache ports by executing the following
command:
```console
$ docker run --security-opt label=type:svirt_apache_t -it centos bash
```
> **Note**
>
> You would have to write policy defining a `svirt_apache_t` type.
If you want to prevent your container processes from gaining additional
privileges, you can execute the following command:
```console
$ docker run --security-opt no-new-privileges -it centos bash
```
This means that commands that raise privileges such as `su` or `sudo` will no longer work.
It also causes any seccomp filters to be applied later, after privileges have been dropped
which may mean you can have a more restrictive set of filters.
For more details, see the [kernel documentation](https://www.kernel.org/doc/Documentation/prctl/no_new_privs.txt).
## Specify an init process ## Specify an init process
You can use the `--init` flag to indicate that an init process should be used as You can use the `--init` flag to indicate that an init process should be used as