Add --security-opts options to allow user to customize container labels. #7425
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -23,6 +23,7 @@ docker-run - Run a command in a new container | |
[**--expose**[=*[]*]] | ||
[**-h**|**--hostname**[=*HOSTNAME*]] | ||
[**-i**|**--interactive**[=*false*]] | ||
[**--security-opt**[=*[]*]] | ||
[**--link**[=*[]*]] | ||
[**--lxc-conf**[=*[]*]] | ||
[**-m**|**--memory**[=*MEMORY*]] | ||
|
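Review bot: The new `[**--security-opt**[=*[]*]]` synopsis line is inserted between `-i` and `--link`, but the surrounding entries are kept in alphabetical order; move it to its alphabetical position later in the list so the synopsis stays scannable.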
@@ -143,6 +144,13 @@ container can be started with the **--link**. | |
**-i**, **--interactive**=*true*|*false* | ||
When set to true, keep stdin open even if not attached. The default is false. | ||
|
||
**--security-opt**=*secdriver*:*name*:*value* | ||
"label:user:USER" : Set the label user for the container | ||
"label:role:ROLE" : Set the label role for the container | ||
"label:type:TYPE" : Set the label type for the container | ||
"label:level:LEVEL" : Set the label level for the container | ||
"label:disable" : Turn off label confinement for the container | ||
|
||
**--link**=*name*:*alias* | ||
Add link to another container. The format is name:alias. If the operator | ||
uses **--link** when starting the new client container, then the client | ||
|
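Review bot: The heading `**--security-opt**=*secdriver*:*name*:*value*` promises three colon-separated fields, but `"label:disable"` has only two, and the text never says that `label` is the only driver documented here or what the option does when given an unknown driver; state the two-field form explicitly and name the accepted driver(s). The description block also sits between `-i` and `--link` while its neighbours are alphabetical, so it should move with the synopsis line.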
@@ -383,6 +391,29 @@ to the host directory: | |
Now, writing to the /data1 volume in the container will be allowed and the | ||
changes will also be reflected on the host in /var/db. | ||
|
||
## Using alternative security labeling | ||
|
||
If you want to use the same label for multiple containers you can override use | ||
the security-opt flag to select an MCS level. This is a common practive for MLS | ||
Reviewer comment: Need a comma after "containers" or maybe after "override". I can't quite tell where that dependent clause is supposed to end. Maybe there's a missing word or something too; the independent clause doesn't quite make sense.
||
systems. But it also might help in cases where you want to share the same | ||
content between containers. Run the following command. | ||
|
||
# docker run --security-opt label:level:s0:c100,c200 -i -t fedora bash | ||
|
||
Run the follwing command if you want to disable the labeling controls for just | ||
this container. | ||
|
||
# docker run --security-opt label:disable -i -t fedora bash | ||
|
||
If you decide you would like to work with a tighter policy on your container. | ||
For example if you want to run a container that could only listen on apache | ||
ports, and not connect to the network. You could select an alternate type to | ||
run the container execute the following command. | ||
|
||
# docker run --security-opt label:type:svirt_apache_t -i -t fedora bash | ||
|
||
Note: You would have to write policy defining a svirt_apache_t type. | ||
|
||
# HISTORY | ||
April 2014, Originally compiled by William Henry (whenry at redhat dot com) | ||
based on docker.com source material and internal work. | ||
|
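Review bot: Typos in the new section: "practive" should be "practice" and "follwing" should be "following", and "you can override use the security-opt flag" needs rewording (e.g. "you can use the --security-opt flag to select an MCS level"). The `label:level:s0:c100,c200` example should also spell out the trade-off it implies: containers started with the same level are no longer separated from each other by MCS, so this should be done only for containers that are meant to share content. The `svirt_apache_t` paragraph is two fragments ("If you decide ... on your container." / "For example ... to the network.") that should be joined into sentences.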
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -225,6 +225,32 @@ the container exits**, you can add the `--rm` flag: | |
|
||
--rm=false: Automatically remove the container when it exits (incompatible with -d) | ||
|
||
## Security Configuration | ||
--security-opt="label:user:USER" : Set the label user for the container | ||
--security-opt="label:role:ROLE" : Set the label role for the container | ||
--security-opt="label:type:TYPE" : Set the label type for the container | ||
--security-opt="label:level:LEVEL" : Set the label level for the container | ||
--security-opt="label:disable" : Turn off label confinement for the container | ||
|
||
If you want to use the same label for multiple containers you can override use | ||
the security-opt flag to select an MCS level. This is a common practive for MLS | ||
Reviewer comment: Ditto.
||
systems. But it also might help in cases where you want to share the same | ||
content between containers. Run the following command. | ||
|
||
# docker run --security-opt label:level:s0:c100,c200 -i -t fedora bash | ||
|
||
Run the follwing command if you want to disable the labeling controls for just | ||
this container. | ||
|
||
# docker run --security-opt label:disable -i -t fedora bash | ||
|
||
If you decide you would like to work with a tighter policy on your container. | ||
Reviewer comment: Not a complete sentence.
||
For example if you want to run a container that could only listen on apache | ||
ports, and not connect to the network. You could select an alternate type to | ||
Reviewer comment: Not a complete sentence; need a comma after "example".
||
run the container execute the following command. | ||
Reviewer comment: Should be "by executing the following command"?
||
|
||
# docker run --security-opt label:type:svirt_apache_t -i -t fedora bash | ||
|
||
## Runtime Constraints on CPU and Memory | ||
|
||
The operator can also adjust the performance parameters of the | ||
|
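Review bot: This copy of the text drops the "Note: You would have to write policy defining a svirt_apache_t type" line that the man page hunk includes, so a reader of run.md will run the `label:type:svirt_apache_t` example against a type that does not exist in the stock policy and get an error; add the note here too. The same "practive" / "follwing" typos and sentence fragments as in the man page hunk recur here, and `## Security Configuration` should be followed by a blank line before the option list to match the formatting of the `--rm` block above it.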
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -19,6 +19,7 @@ import ( | |
|
||
"github.com/docker/docker/pkg/mount" | ||
"github.com/docker/docker/pkg/networkfs/resolvconf" | ||
"github.com/docker/libcontainer/label" | ||
"github.com/kr/pty" | ||
) | ||
|
||
|
@@ -1719,6 +1720,42 @@ func TestRunWriteResolvFileAndNotCommit(t *testing.T) { | |
logDone("run - write to /etc/resolv.conf and not commited") | ||
} | ||
|
||
func TestRunSecurityOptLevel(t *testing.T) { | ||
plabel, _, _ := label.InitLabels(nil) | ||
if plabel != "" { | ||
defer deleteAllContainers() | ||
cmd := exec.Command(dockerBinary, "run", "--security-opt", "label:level:s0:c0,c100", "busybox", "ps", "-eZ") | ||
|
||
out, _, err := runCommandWithOutput(cmd) | ||
if err != nil { | ||
t.Fatal(err, out) | ||
} | ||
id := strings.TrimSpace(out) | ||
if !strings.ContainsAny(id, "s0:c0,c100") { | ||
t.Fatal("security-opt label:level:s0:c0,c100 failed") | ||
} | ||
} | ||
|
||
logDone("run - security-opt label:level") | ||
} | ||
|
||
func TestRunSecurityOptDisable(t *testing.T) { | ||
plabel, _, _ := label.InitLabels(nil) | ||
if plabel != "" { | ||
defer deleteAllContainers() | ||
cmd := exec.Command(dockerBinary, "run", "--security-opt", "label:disable", "busybox", "ps", "-eZ") | ||
|
||
out, _, err := runCommandWithOutput(cmd) | ||
if err != nil { | ||
t.Fatal(err, out) | ||
} | ||
id := strings.TrimSpace(out) | ||
if !strings.ContainsAny(id, "svirt") { | ||
t.Fatal("security-opt label:level:disable failed") | ||
} | ||
} | ||
|
||
logDone("run - security-opt label:disable") | ||
} | ||
|
||
func TestRunWithBadDevice(t *testing.T) { | ||
name := "baddevice" | ||
cmd := exec.Command(dockerBinary, "run", "--name", name, "--device", "/etc", "busybox", "true") | ||
|
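Review bot: `strings.ContainsAny(id, "s0:c0,c100")` in TestRunSecurityOptLevel is the wrong function: ContainsAny reports whether any single character of its second argument occurs in the first, so the check passes for practically any `ps -eZ` output and the test cannot fail; use `strings.Contains(out, "s0:c0,c100")`. The same applies to `strings.ContainsAny(id, "svirt")` in TestRunSecurityOptDisable, where the expected condition also looks inverted: with `label:disable` the process should not carry an `svirt_*` label, so the test should assert that the label is absent rather than present, and its failure message should read `label:disable`, not `label:level:disable`. Minor: `id` holds the `ps -eZ` output rather than a container id, so rename it.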
Reviewer comment: I don't see where this one is filled from
config.SecurityOpt