From d0a8e73e7b60f61db0c3799643aaccbbf33f3601 Mon Sep 17 00:00:00 2001 From: Sebastiaan van Stijn Date: Thu, 6 Jul 2017 18:59:29 -0700 Subject: [PATCH] Service privileges: API docs This documents the Service privileges API changes, that were added in: 091b5e68ea735bf4e8ece708bbc8c413a32eab73 Signed-off-by: Sebastiaan van Stijn --- api/swagger.yaml | 51 +++++++++++++++++++++++++++++++++++++ docs/api/version-history.md | 2 ++ 2 files changed, 53 insertions(+) diff --git a/api/swagger.yaml b/api/swagger.yaml index 7e451167e8..253884db2e 100644 --- a/api/swagger.yaml +++ b/api/swagger.yaml @@ -2043,6 +2043,57 @@ definitions: description: "A list of additional groups that the container process will run as." items: type: "string" + Privileges: + type: "object" + description: "Security options for the container" + properties: + CredentialSpec: + type: "object" + description: "CredentialSpec for managed service account (Windows only)" + properties: + File: + type: "string" + description: | + Load credential spec from this file. The file is read by the daemon, and must be present in the + `CredentialSpecs` subdirectory in the docker data directory, which defaults to + `C:\ProgramData\Docker\` on Windows. + + For example, specifying `spec.json` loads `C:\ProgramData\Docker\CredentialSpecs\spec.json`. + +


+ + > **Note**: `CredentialSpec.File` and `CredentialSpec.Registry` are mutually exclusive. + Registry: + type: "string" + description: | + Load credential spec from this value in the Windows registry. The specified registry value must be + located in: + + `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization\Containers\CredentialSpecs` + +


+ + + > **Note**: `CredentialSpec.File` and `CredentialSpec.Registry` are mutually exclusive. + SELinuxContext: + type: "object" + description: "SELinux labels of the container" + properties: + Disable: + type: "boolean" + description: "Disable SELinux" + User: + type: "string" + description: "SELinux user label" + Role: + type: "string" + description: "SELinux role label" + Type: + type: "string" + description: "SELinux type label" + Level: + type: "string" + description: "SELinux level label" TTY: description: "Whether a pseudo-TTY should be allocated." type: "boolean" diff --git a/docs/api/version-history.md b/docs/api/version-history.md index 0f33ffecbb..b65931d5d0 100644 --- a/docs/api/version-history.md +++ b/docs/api/version-history.md @@ -62,6 +62,8 @@ keywords: "API, Docker, rcli, REST, documentation" * `POST /containers/create`, `POST /service/create` and `POST /services/(id or name)/update` now takes the field `StartPeriod` as a part of the `HealthConfig` allowing for specification of a period during which the container should not be considered unhealthy even if health checks do not pass. * `GET /services/(id)` now accepts an `insertDefaults` query-parameter to merge default values into the service inspect output. * `POST /containers/prune`, `POST /images/prune`, `POST /volumes/prune`, and `POST /networks/prune` now support a `label` filter to filter containers, images, volumes, or networks based on the label. The format of the label filter could be `label=`/`label==` to remove those with the specified labels, or `label!=`/`label!==` to remove those without the specified labels. +* `POST /services/create` now accepts `Privileges` as part of `ContainerSpec`. Privileges currently include + `CredentialSpec` and `SELinuxContext`. ## v1.28 API changes
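Review bot: In the `SELinuxContext` properties of the `api/swagger.yaml` hunk, `Disable` is described only as "Disable SELinux", which does not say what is being turned off. This field switches off a security control, so the description should state its scope (for example that it applies to labeling of this service's containers, if that is the behaviour). `SELinuxContext` could also carry a platform qualifier the way `CredentialSpec` carries "(Windows only)". In the same hunk, the `File` description says the file must be in the `CredentialSpecs` subdirectory but not whether the value has to be a bare file name, and the repeated note that `CredentialSpec.File` and `CredentialSpec.Registry` are mutually exclusive does not say what the API returns when both are set. Documenting both would help callers and reviewers of service specs.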
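Review bot: The entry added in the `docs/api/version-history.md` hunk names only `POST /services/create`, while the `StartPeriod` entry in the context lines above it lists the update endpoint as well. If `POST /services/(id or name)/update` also accepts `Privileges` as part of `ContainerSpec`, list it here too, so readers auditing which API versions can change a service's security options see both paths. It would also help to repeat in this entry that `CredentialSpec` is Windows only, as the swagger description states.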