Consolidate security options to use `=` as separator.

All other options we have use `=` as separator, labels, log configurations, graph configurations and so on. We should be consistent and use `=` for the security options too. Signed-off-by: David Calavera <david.calavera@gmail.com>
2016-03-15 18:34:29 -04:00 · 2016-03-15 18:34:29 -04:00 · a7364b3743
parent 7160fa70e3
commit a7364b3743
4 changed files with 32 additions and 28 deletions
--- a/contrib/completion/bash/docker
+++ b/contrib/completion/bash/docker
@ -1788,17 +1788,17 @@ _docker_run() {
 			;;
 		--security-opt)
 			case "$cur" in
-				label:*:*)
+				label=*:*)
 					;;
-				label:*)
-					local cur=${cur##*:}
+				label=*)
+					local cur=${cur##*=}
 					COMPREPLY=( $( compgen -W "user: role: type: level: disable" -- "$cur") )
 					if [ "${COMPREPLY[*]}" != "disable" ] ; then
 						__docker_nospace
 					fi
 					;;
-				seccomp:*)
-					local cur=${cur##*:}
+				seccomp=*)
+					local cur=${cur##*=}
 					_filedir
 					COMPREPLY+=( $( compgen -W "unconfined" -- "$cur" ) )
 					;;
--- a/docs/deprecated.md
+++ b/docs/deprecated.md
@ -21,6 +21,8 @@ The following list of features are deprecated in Engine.

 The docker login command is removing the ability to automatically register for an account with the target registry if the given username doesn't exist. Due to this change, the email flag is no longer required, and will be deprecated.

+The flag `--security-opt` doesn't use the colon separator(`:`) anymore to divide keys and values, it uses the equal symbol(`=`) for consinstency with other similar flags, like `--storage-opt`.
+
 ### Ambiguous event fields in API
 **Deprecated In Release: v1.10**

--- a/docs/reference/run.md
+++ b/docs/reference/run.md
@ -599,12 +599,12 @@ but the volume for `/bar` will not. Volumes inheritted via `--volumes-from` will
 with the same logic -- if the original volume was specified with a name it will **not** be removed.

 ## Security configuration
-    --security-opt="label:user:USER"   : Set the label user for the container
-    --security-opt="label:role:ROLE"   : Set the label role for the container
-    --security-opt="label:type:TYPE"   : Set the label type for the container
-    --security-opt="label:level:LEVEL" : Set the label level for the container
-    --security-opt="label:disable"     : Turn off label confinement for the container
-    --security-opt="apparmor:PROFILE"  : Set the apparmor profile to be applied
+    --security-opt="label=user:USER"   : Set the label user for the container
+    --security-opt="label=role:ROLE"   : Set the label role for the container
+    --security-opt="label=type:TYPE"   : Set the label type for the container
+    --security-opt="label=level:LEVEL" : Set the label level for the container
+    --security-opt="label=disable"     : Turn off label confinement for the container
+    --security-opt="apparmor=PROFILE"  : Set the apparmor profile to be applied
                                         to the container
    --security-opt="no-new-privileges" : Disable container processes from gaining
                                         new privileges
@ -617,23 +617,23 @@ the `--security-opt` flag. For example, you can specify the MCS/MLS level, a
 requirement for MLS systems. Specifying the level in the following command
 allows you to share the same content between containers.

-    $ docker run --security-opt label:level:s0:c100,c200 -it fedora bash
+    $ docker run --security-opt label=level:s0:c100,c200 -it fedora bash

 An MLS example might be:

-    $ docker run --security-opt label:level:TopSecret -it rhel7 bash
+    $ docker run --security-opt label=level:TopSecret -it rhel7 bash

 To disable the security labeling for this container versus running with the
 `--permissive` flag, use the following command:

-    $ docker run --security-opt label:disable -it fedora bash
+    $ docker run --security-opt label=disable -it fedora bash

 If you want a tighter security policy on the processes within a container,
 you can specify an alternate type for the container. You could run a container
 that is only allowed to listen on Apache ports by executing the following
 command:

-    $ docker run --security-opt label:type:svirt_apache_t -it centos bash
+    $ docker run --security-opt label=type:svirt_apache_t -it centos bash

 > **Note**: You would have to write policy defining a `svirt_apache_t` type.

@ -1078,7 +1078,7 @@ one can use this flag:
 > these cases to create your own custom seccomp profile based off our
 > [default](https://github.com/docker/docker/blob/master/profiles/seccomp/default.json).
 > Or if you don't want to run with the default seccomp profile, you can pass
-> `--security-opt=seccomp:unconfined` on run.
+> `--security-opt=seccomp=unconfined` on run.

 By default, Docker containers are "unprivileged" and cannot, for
 example, run a Docker daemon inside a Docker container. This is because
--- a/man/docker-run.1.md
+++ b/man/docker-run.1.md
@ -463,16 +463,18 @@ its root filesystem mounted as read only prohibiting any writes.
 **--security-opt**=[]
   Security Options

-   "label:user:USER"   : Set the label user for the container
-    "label:role:ROLE"   : Set the label role for the container
-    "label:type:TYPE"   : Set the label type for the container
-    "label:level:LEVEL" : Set the label level for the container
-    "label:disable"     : Turn off label confinement for the container
-
+    "label=user:USER"   : Set the label user for the container
+    "label=role:ROLE"   : Set the label role for the container
+    "label=type:TYPE"   : Set the label type for the container
+    "label=level:LEVEL" : Set the label level for the container
+    "label=disable"     : Turn off label confinement for the container
    "no-new-privileges" : Disable container processes from gaining additional privileges

-    "seccomp:unconfined" : Turn off seccomp confinement for the container
-    "seccomp:profile.json :  White listed syscalls seccomp Json file to be used as a seccomp filter
+    "seccomp=unconfined" : Turn off seccomp confinement for the container
+    "seccomp=profile.json :  White listed syscalls seccomp Json file to be used as a seccomp filter
+
+    "apparmor=unconfined" : Turn off apparmor confinement for the container
+    "apparmor=your-profile" : Set the apparmor confinement profile for the container

 **--stop-signal**=*SIGTERM*
  Signal to stop a container. Default is SIGTERM.
@ -880,23 +882,23 @@ the `--security-opt` flag. For example, you can specify the MCS/MLS level, a
 requirement for MLS systems. Specifying the level in the following command
 allows you to share the same content between containers.

-    # docker run --security-opt label:level:s0:c100,c200 -i -t fedora bash
+    # docker run --security-opt label=level:s0:c100,c200 -i -t fedora bash

 An MLS example might be:

-    # docker run --security-opt label:level:TopSecret -i -t rhel7 bash
+    # docker run --security-opt label=level:TopSecret -i -t rhel7 bash

 To disable the security labeling for this container versus running with the
 `--permissive` flag, use the following command:

-    # docker run --security-opt label:disable -i -t fedora bash
+    # docker run --security-opt label=disable -i -t fedora bash

 If you want a tighter security policy on the processes within a container,
 you can specify an alternate type for the container. You could run a container
 that is only allowed to listen on Apache ports by executing the following
 command:

-    # docker run --security-opt label:type:svirt_apache_t -i -t centos bash
+    # docker run --security-opt label=type:svirt_apache_t -i -t centos bash

 Note: