mirror of https://github.com/moby/moby.git synced 2022-11-09 12:21:53 -05:00

Updating with 1.6.2-cs5 notes

Signed-off-by: Mary Anthony <mary@docker.com>
Mary Anthony 2015-05-20 14:39:00 -07:00
parent c6d9c904af
commit 7554949da6


@ -18,6 +18,70 @@ page_keywords: docker, documentation, about, technology, understanding, enterpri
## Commercialy Supported Docker Engine
### CS Docker Engine 1.6.2-cs5
For customers running Docker Engine on [supported versions of RedHat Enterprise
Linux](https://www.docker.com/enterprise/support/) with [SELinux
enabled](https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/
6/html/Security-Enhanced_Linux/sect-Security-Enhanced_Linux-Working_with_SELinux
-Enabling_and_Disabling_SELinux.html), the `docker build` and `docker run`
commands will fail because bind mounted volumes or files are not accessible. As
a result, customers with SELinux enabled cannot use these commands in their
environment. By installing Docker Engine 1.6.2-cs5, customers can run with
SELinux enabled and run these commands on their supported operating system.
**Affected Versions**: Docker Engine: 1.6.x-cs1 through 1.6.x-cs4
It is **highly recommended** that all customers running Docker Engine 1.6.x-cs1
through 1.6.x-cs4 update to this release.
#### How to workaround this issue
Customers who do not install this update have two options. The
first option, is to disable SELinux. This is *not recommended* for production
systems where SELinux is required.
The second option is to pass the following parameter in to `docker run`.
--security-opt=label:type:docker_t
This parameter cannot be passed to the `docker build` command.
#### Upgrade notes
If you are running with SELinux enabled, previous Docker Engine releases allowed
you to bind mount additional volumes or files inside the container as follows:
$ docker run -it -v /home/user/foo.txt:/foobar.txt:ro
In the 1.6.2-cs5 release, you must ensure additional bind mounts have the correct
SELinux context. As an example, if you want to mount `foobar.txt` as read only
into the container, do the following to create and test your bind mount:
1. Add the `z` option to the bind mount when you specify `docker run`.
$ docker run -it -v /home/user/foo.txt:/foobar.txt:ro,z
2. Exec into your new container.
For example, if your container is `bashful_curie` open a shell on the
container:
$ docker exec -it bashful_curie bash
3. Use the `cat` command to check the permissions on the mounted file.
$ cat /foobar.txt
the contents of foobar appear
If you see the file's contents, your mount succeeded. If you receive a
`Permission denied` message and/or the `/var/log/audit/audit.log` file on your
Docker host contains an AVC Denial message, the mount did not succeed.
type=AVC msg=audit(1432145409.197:7570): avc: denied { read } for pid=21167 comm="cat" name="foobar.txt" dev="xvda2" ino=17704136 scontext=system_u:system_r:svirt_lxc_net_t:s0:c909,c965 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
Recheck your command line to make sure you passed in the `z` option.
### CS Docker Engine 1.6.2
(13 May 2015)
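
Review bot: In "Upgrade notes", both `docker run -it -v /home/user/foo.txt:/foobar.txt:ro` examples (with and without `,z`) end at the `-v` argument with no image name, so a reader who copies step 1 gets a usage error instead of a container to `docker exec` into in step 2; add an image and command to both lines. The same section says to mount `foobar.txt` while the host path in the commands is `foo.txt`, and step 3 says `cat` checks "the permissions" when what it actually demonstrates is whether the SELinux label allows the read, which is what the AVC sample below it shows. The SELinux link in the first paragraph has its URL wrapped across three lines, which will break the Markdown link target; keep the URL on one line. The `--security-opt=label:type:docker_t` workaround is given without saying what it changes about the container's confinement, and a sentence on that would let operators weigh it against the other option of disabling SELinux. Minor wording: "How to workaround this issue" should read "How to work around this issue", and "The first option, is" has a stray comma.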