mirror of
https://github.com/moby/moby.git
synced 2022-11-09 12:21:53 -05:00
Merge pull request #8384 from rhatdan/selinux-opts
Fix security-opt docs
This commit is contained in:
commit
248ec5d74e
2 changed files with 38 additions and 22 deletions
|
@ -343,7 +343,7 @@ to create a secure tunnel for the parent to access.
|
||||||
## Mapping Ports for External Usage
|
## Mapping Ports for External Usage
|
||||||
|
|
||||||
The exposed port of an application can be mapped to a host port using the **-p**
|
The exposed port of an application can be mapped to a host port using the **-p**
|
||||||
flag. For example a httpd port 80 can be mapped to the host port 8080 using the
|
flag. For example, a httpd port 80 can be mapped to the host port 8080 using the
|
||||||
following:
|
following:
|
||||||
|
|
||||||
# docker run -p 8080:80 -d -i -t fedora/httpd
|
# docker run -p 8080:80 -d -i -t fedora/httpd
|
||||||
|
@ -393,26 +393,32 @@ changes will also be reflected on the host in /var/db.
|
||||||
|
|
||||||
## Using alternative security labeling
|
## Using alternative security labeling
|
||||||
|
|
||||||
If you want to use the same label for multiple containers, you can override use
|
You can override the default labeling scheme for each container by specifying
|
||||||
the security-opt flag to select an MCS level. This is a common practice for MLS
|
the `--security-opt` flag. For example, you can specify the MCS/MLS level, a
|
||||||
systems. But it also might help in cases where you want to share the same
|
requirement for MLS systems. Specifying the level in the following command
|
||||||
content between containers. Run the following command.
|
allows you to share the same content between containers.
|
||||||
|
|
||||||
# docker run --security-opt label:level:s0:c100,c200 -i -t fedora bash
|
# docker run --security-opt label:level:s0:c100,c200 -i -t fedora bash
|
||||||
|
|
||||||
Run the follwing command if you want to disable the labeling controls for just
|
An MLS example might be:
|
||||||
this container.
|
|
||||||
|
# docker run --security-opt label:level:TopSecret -i -t rhel7 bash
|
||||||
|
|
||||||
|
To disable the security labeling for this container versus running with the
|
||||||
|
`--permissive` flag, use the following command:
|
||||||
|
|
||||||
# docker run --security-opt label:disable -i -t fedora bash
|
# docker run --security-opt label:disable -i -t fedora bash
|
||||||
|
|
||||||
If you decide you would like to work with a tighter policy on your container.
|
If you want a tighter security policy on the processes within a container,
|
||||||
For example if you want to run a container that could only listen on apache
|
you can specify an alternate type for the container. You could run a container
|
||||||
ports, and not connect to the network. You could select an alternate type to
|
that is only allowed to listen on Apache ports by executing the following
|
||||||
run the container execute the following command.
|
command:
|
||||||
|
|
||||||
# docker run --security-opt label:type:svirt_apache_t -i -t fedora bash
|
# docker run --security-opt label:type:svirt_apache_t -i -t centos bash
|
||||||
|
|
||||||
Note: You would have to write policy defining a svirt_apache_t type.
|
Note:
|
||||||
|
|
||||||
|
You would have to write policy defining a `svirt_apache_t` type.
|
||||||
|
|
||||||
# HISTORY
|
# HISTORY
|
||||||
April 2014, Originally compiled by William Henry (whenry at redhat dot com)
|
April 2014, Originally compiled by William Henry (whenry at redhat dot com)
|
||||||
|
|
|
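Review bot: `--permissive` in the new sentence "To disable the security labeling for this container versus running with the `--permissive` flag" is not a `docker run` option, so the comparison sends readers looking for a flag that does not exist; if the intent is to contrast per-container `label:disable` with switching the whole host's SELinux policy to permissive mode, say that in words, and note that `label:disable` removes SELinux separation for that one container only, so it is a deliberate reduction in isolation rather than a convenience. Two smaller points: the `Note:` line is now separated from its body by blank lines, so it renders as a stray one-word paragraph; keep `Note: You would have to write policy defining a `svirt_apache_t` type.` on one line or use a blockquote. The `label:level:TopSecret` example also depends on the host's MLS policy (and its level translations) defining that name, which is worth stating next to the example since the surrounding text says the level is "a requirement for MLS systems" and a reader on a default targeted-policy host will see the run fail.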
@ -234,22 +234,32 @@ the container exits**, you can add the `--rm` flag:
|
||||||
--secutity-opt="apparmor:PROFILE" : Set the apparmor profile to be applied
|
--secutity-opt="apparmor:PROFILE" : Set the apparmor profile to be applied
|
||||||
to the container
|
to the container
|
||||||
|
|
||||||
If you want to use the same label for multiple containers, you can override use
|
You can override the default labeling scheme for each container by specifying
|
||||||
the security-opt flag to select an MCS level. This is a common practice for MLS
|
the `--security-opt` flag. For example, you can specify the MCS/MLS level, a
|
||||||
systems. But it also might help in cases where you want to share the same
|
requirement for MLS systems. Specifying the level in the following command
|
||||||
content between containers. Run the following command.
|
allows you to share the same content between containers.
|
||||||
|
|
||||||
# docker run --security-opt label:level:s0:c100,c200 -i -t fedora bash
|
# docker run --security-opt label:level:s0:c100,c200 -i -t fedora bash
|
||||||
|
|
||||||
Run the following command if you want to disable the labeling controls for just
|
An MLS example might be:
|
||||||
this container.
|
|
||||||
|
# docker run --security-opt label:level:TopSecret -i -t rhel7 bash
|
||||||
|
|
||||||
|
To disable the security labeling for this container versus running with the
|
||||||
|
`--permissive` flag, use the following command:
|
||||||
|
|
||||||
# docker run --security-opt label:disable -i -t fedora bash
|
# docker run --security-opt label:disable -i -t fedora bash
|
||||||
|
|
||||||
Run the following command if you want to run a container that could only listen
|
If you want a tighter security policy on the processes within a container,
|
||||||
on apache ports.
|
you can specify an alternate type for the container. You could run a container
|
||||||
|
that is only allowed to listen on Apache ports by executing the following
|
||||||
|
command:
|
||||||
|
|
||||||
# docker run --security-opt label:type:svirt_apache_t -i -t fedora bash
|
# docker run --security-opt label:type:svirt_apache_t -i -t centos bash
|
||||||
|
|
||||||
|
Note:
|
||||||
|
|
||||||
|
You would have to write policy defining a `svirt_apache_t` type.
|
||||||
|
|
||||||
## Runtime Constraints on CPU and Memory
|
## Runtime Constraints on CPU and Memory
|
||||||
|
|
||||||
|
|
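Review bot: the context lines `--secutity-opt="apparmor:PROFILE" : Set the apparmor profile to be applied` still carry the `--secutity-opt` typo, which a PR titled "Fix security-opt docs" should correct to `--security-opt`; a reader who copies the misspelled flag gets an error instead of the AppArmor profile they expected. The `--permissive` wording problem from the man page hunk applies to the new sentence here as well, since there is no such `docker run` flag: spell out what `label:disable` is being contrasted with, and the split `Note:` paragraph has the same blank-line problem. Both files now carry identical text, so fix them identically to keep the man page and the reference doc in sync.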