kotovalexarian-likes-github/moby--moby
1
0
Fork 0
mirror of https://github.com/moby/moby.git synced 2022-11-09 12:21:53 -05:00
Code Releases Activity

Modify volume mounts SELinux labels on the fly based on :Z or :z

Browse source 
This patch is extending the qualifiers on the -v command to allow
an admin to tell the system to relabel, content. There might be a
need for something similar for changing the DAC Permissions.

Signed-off-by: Jessica Frazelle <princess@docker.com>
This commit is contained in:
Dan Walsh 2015-05-11 18:28:36 -04:00 committed by Jessica Frazelle
parent 7b57fae046
commit 160dc79db0
3 changed files with 37 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

15
docs/man/docker-run.1.md
View file

@ -396,6 +396,21 @@ used in other containers using the **--volumes-from** option.
read-only or read-write mode, respectively. By default, the volumes are mounted read-only or read-write mode, respectively. By default, the volumes are mounted
read-write. See examples. read-write. See examples.
Labeling systems like SELinux require proper labels be placed on volume content
mounted into a container, otherwise the secuirty system might prevent the
processes running inside the container from using the content. By default,
volumes are not relabeled.
Two suffixes :z or :Z can be added to the volume mount. These suffixes tell
Docker to relabel file objects on the shared volumes. The 'z' option tells
Docker that the volume content will be shared between containers. Docker will
label the content with a shared content label. Shared volumes labels allow all
containers to read/write content. The 'Z' option tells Docker to label the
content with a private unshared label. Private volumes can only be used by the
current container.
Note: Multiple Volume options can be added separated by a ","
**--volumes-from**=[] **--volumes-from**=[]
Mount volumes from the specified container(s) Mount volumes from the specified container(s)

15
docs/sources/reference/commandline/cli.md
View file

@ -2181,6 +2181,19 @@ mount the volumes in read-only or read-write mode, respectively. By default,
the volumes are mounted in the same mode (read write or read only) as the volumes are mounted in the same mode (read write or read only) as
the reference container. the reference container.
Labeling systems like SELinux require proper labels be placed on volume content
mounted into a container, otherwise the security system might prevent the
processes running inside the container from using the content. By default,
volumes are not relabeled.
Two suffixes :z or :Z can be added to the volume mount. These suffixes tell
Docker to relabel file objects on the shared volumes. The 'z' option tells
Docker that the volume content will be shared between containers. Docker will
label the content with a shared content label. Shared volumes labels allow all
containers to read/write content. The 'Z' option tells Docker to label the
content with a private unshared label. Private volumes can only be used by the
current container.
The `-a` flag tells `docker run` to bind to the container's `STDIN`, `STDOUT` or The `-a` flag tells `docker run` to bind to the container's `STDIN`, `STDOUT` or
`STDERR`. This makes it possible to manipulate the output and input as needed. `STDERR`. This makes it possible to manipulate the output and input as needed.
@ -2222,7 +2235,7 @@ flag:
$ docker run --device=/dev/sda:/dev/xvdc --rm -it ubuntu fdisk /dev/xvdc $ docker run --device=/dev/sda:/dev/xvdc --rm -it ubuntu fdisk /dev/xvdc
Command (m for help): q Command (m for help): q
$ docker run --device=/dev/sda:/dev/xvdc:r --rm -it ubuntu fdisk /dev/xvdc $ docker run --device=/dev/sda:/dev/xvdc:ro --rm -it ubuntu fdisk /dev/xvdc
You will not be able to write the partition table. You will not be able to write the partition table.
Command (m for help): q Command (m for help): q

8
runconfig/config_test.go
View file

@ -114,6 +114,14 @@ func TestParseRunVolumes(t *testing.T) {
t.Fatalf("Error parsing volume flags, `-v /hostTmp:/containerTmp:ro -v /hostVar:/containerVar:rw` should mount-bind /hostTmp into /containeTmp and /hostVar into /hostContainer. Received %v", hostConfig.Binds) t.Fatalf("Error parsing volume flags, `-v /hostTmp:/containerTmp:ro -v /hostVar:/containerVar:rw` should mount-bind /hostTmp into /containeTmp and /hostVar into /hostContainer. Received %v", hostConfig.Binds)
} }
if _, hostConfig := mustParse(t, "-v /hostTmp:/containerTmp:roZ -v /hostVar:/containerVar:rwZ"); hostConfig.Binds == nil || compareRandomizedStrings(hostConfig.Binds[0], hostConfig.Binds[1], "/hostTmp:/containerTmp:roZ", "/hostVar:/containerVar:rwZ") != nil {
t.Fatalf("Error parsing volume flags, `-v /hostTmp:/containerTmp:roZ -v /hostVar:/containerVar:rwZ` should mount-bind /hostTmp into /containeTmp and /hostVar into /hostContainer. Received %v", hostConfig.Binds)
}
if _, hostConfig := mustParse(t, "-v /hostTmp:/containerTmp:Z -v /hostVar:/containerVar:z"); hostConfig.Binds == nil || compareRandomizedStrings(hostConfig.Binds[0], hostConfig.Binds[1], "/hostTmp:/containerTmp:Z", "/hostVar:/containerVar:z") != nil {
t.Fatalf("Error parsing volume flags, `-v /hostTmp:/containerTmp:Z -v /hostVar:/containerVar:z` should mount-bind /hostTmp into /containeTmp and /hostVar into /hostContainer. Received %v", hostConfig.Binds)
}
if config, hostConfig := mustParse(t, "-v /hostTmp:/containerTmp -v /containerVar"); hostConfig.Binds == nil || len(hostConfig.Binds) > 1 || hostConfig.Binds[0] != "/hostTmp:/containerTmp" { if config, hostConfig := mustParse(t, "-v /hostTmp:/containerTmp -v /containerVar"); hostConfig.Binds == nil || len(hostConfig.Binds) > 1 || hostConfig.Binds[0] != "/hostTmp:/containerTmp" {
t.Fatalf("Error parsing volume flags, `-v /hostTmp:/containerTmp -v /containerVar` should mount-bind only /hostTmp into /containeTmp. Received %v", hostConfig.Binds) t.Fatalf("Error parsing volume flags, `-v /hostTmp:/containerTmp -v /containerVar` should mount-bind only /hostTmp into /containeTmp. Received %v", hostConfig.Binds)
} else if _, exists := config.Volumes["/containerVar"]; !exists { } else if _, exists := config.Volumes["/containerVar"]; !exists {