mirror of https://github.com/moby/moby.git synced 2022-11-09 12:21:53 -05:00

Merge pull request #8384 from rhatdan/selinux-opts

Fix security-opt docs
Sven Dowideit 2014-10-10 10:52:17 +10:00
commit 248ec5d74e
2 changed files with 38 additions and 22 deletions


@ -343,7 +343,7 @@ to create a secure tunnel for the parent to access.
## Mapping Ports for External Usage ## Mapping Ports for External Usage
The exposed port of an application can be mapped to a host port using the **-p** The exposed port of an application can be mapped to a host port using the **-p**
flag. For example a httpd port 80 can be mapped to the host port 8080 using the flag. For example, a httpd port 80 can be mapped to the host port 8080 using the
following: following:
# docker run -p 8080:80 -d -i -t fedora/httpd # docker run -p 8080:80 -d -i -t fedora/httpd
@ -393,26 +393,32 @@ changes will also be reflected on the host in /var/db.
## Using alternative security labeling ## Using alternative security labeling
If you want to use the same label for multiple containers, you can override use You can override the default labeling scheme for each container by specifying
the security-opt flag to select an MCS level. This is a common practice for MLS the `--security-opt` flag. For example, you can specify the MCS/MLS level, a
systems. But it also might help in cases where you want to share the same requirement for MLS systems. Specifying the level in the following command
content between containers. Run the following command. allows you to share the same content between containers.
# docker run --security-opt label:level:s0:c100,c200 -i -t fedora bash # docker run --security-opt label:level:s0:c100,c200 -i -t fedora bash
Run the follwing command if you want to disable the labeling controls for just An MLS example might be:
this container.
# docker run --security-opt label:level:TopSecret -i -t rhel7 bash
To disable the security labeling for this container versus running with the
`--permissive` flag, use the following command:
# docker run --security-opt label:disable -i -t fedora bash # docker run --security-opt label:disable -i -t fedora bash
If you decide you would like to work with a tighter policy on your container. If you want a tighter security policy on the processes within a container,
For example if you want to run a container that could only listen on apache you can specify an alternate type for the container. You could run a container
ports, and not connect to the network. You could select an alternate type to that is only allowed to listen on Apache ports by executing the following
run the container execute the following command. command:
# docker run --security-opt label:type:svirt_apache_t -i -t fedora bash # docker run --security-opt label:type:svirt_apache_t -i -t centos bash
Note: You would have to write policy defining a svirt_apache_t type. Note:
You would have to write policy defining a `svirt_apache_t` type.
# HISTORY # HISTORY
April 2014, Originally compiled by William Henry (whenry at redhat dot com) April 2014, Originally compiled by William Henry (whenry at redhat dot com)
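Review bot: the new sentence "To disable the security labeling for this container versus running with the `--permissive` flag" contrasts `label:disable` with a `--permissive` flag that this page never introduces, so the reader cannot tell what is being compared; either name the thing actually meant (putting the whole host into SELinux permissive mode, which stops enforcement for every process, not just one container) or drop the comparison. The same paragraph should also state what `label:disable` gives up: the processes in that container run without the MCS level and type confinement the preceding paragraphs describe, so the separation between that container and the rest of the host is gone. Minor: the `svirt_apache_t` example switched its image from `fedora` to `centos` while every other example in this section still uses `fedora` or `rhel7`; keep `fedora` unless the change is intentional.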


@ -234,22 +234,32 @@ the container exits**, you can add the `--rm` flag:
--secutity-opt="apparmor:PROFILE" : Set the apparmor profile to be applied --secutity-opt="apparmor:PROFILE" : Set the apparmor profile to be applied
to the container to the container
If you want to use the same label for multiple containers, you can override use You can override the default labeling scheme for each container by specifying
the security-opt flag to select an MCS level. This is a common practice for MLS the `--security-opt` flag. For example, you can specify the MCS/MLS level, a
systems. But it also might help in cases where you want to share the same requirement for MLS systems. Specifying the level in the following command
content between containers. Run the following command. allows you to share the same content between containers.
# docker run --security-opt label:level:s0:c100,c200 -i -t fedora bash # docker run --security-opt label:level:s0:c100,c200 -i -t fedora bash
Run the following command if you want to disable the labeling controls for just An MLS example might be:
this container.
# docker run --security-opt label:level:TopSecret -i -t rhel7 bash
To disable the security labeling for this container versus running with the
`--permissive` flag, use the following command:
# docker run --security-opt label:disable -i -t fedora bash # docker run --security-opt label:disable -i -t fedora bash
Run the following command if you want to run a container that could only listen If you want a tighter security policy on the processes within a container,
on apache ports. you can specify an alternate type for the container. You could run a container
that is only allowed to listen on Apache ports by executing the following
command:
# docker run --security-opt label:type:svirt_apache_t -i -t fedora bash # docker run --security-opt label:type:svirt_apache_t -i -t centos bash
Note:
You would have to write policy defining a `svirt_apache_t` type.
## Runtime Constraints on CPU and Memory ## Runtime Constraints on CPU and Memory
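Review bot: the unchanged context line at the top of this hunk reads `--secutity-opt="apparmor:PROFILE"`; since this PR is titled "Fix security-opt docs", correct that typo to `--security-opt` here rather than leaving it for a later pass, because it is the one place in the hunk that shows the flag's spelling. This hunk repeats the same paragraphs as the first file, so the same two points apply: the sentence "versus running with the `--permissive` flag" refers to a flag the page never defines and should either name what is really being contrasted or be removed, and the `svirt_apache_t` example changes its image from `fedora` to `centos` while the surrounding examples keep `fedora` and `rhel7`.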