mirror of
https://github.com/moby/moby.git
synced 2022-11-09 12:21:53 -05:00
Updating with 1.6.2-cs5 notes
Signed-off-by: Mary Anthony <mary@docker.com>
parent
c6d9c904af
commit
7554949da6
1 changed files with 64 additions and 0 deletions
|
@ -18,6 +18,70 @@ page_keywords: docker, documentation, about, technology, understanding, enterpri
|
||||||
|
|
||||||
## Commercialy Supported Docker Engine
|
## Commercialy Supported Docker Engine
|
||||||
|
|
||||||
|
### CS Docker Engine 1.6.2-cs5
|
||||||
|
|
||||||
|
For customers running Docker Engine on [supported versions of RedHat Enterprise
|
||||||
|
Linux](https://www.docker.com/enterprise/support/) with [SELinux
|
||||||
|
enabled](https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/
|
||||||
|
6/html/Security-Enhanced_Linux/sect-Security-Enhanced_Linux-Working_with_SELinux
|
||||||
|
-Enabling_and_Disabling_SELinux.html), the `docker build` and `docker run`
|
||||||
|
commands will fail because bind mounted volumes or files are not accessible. As
|
||||||
|
a result, customers with SELinux enabled cannot use these commands in their
|
||||||
|
environment. By installing Docker Engine 1.6.2-cs5, customers can run with
|
||||||
|
SELinux enabled and run these commands on their supported operating system.
|
||||||
|
|
||||||
|
**Affected Versions**: Docker Engine: 1.6.x-cs1 through 1.6.x-cs4
|
||||||
|
|
||||||
|
It is **highly recommended** that all customers running Docker Engine 1.6.x-cs1
|
||||||
|
through 1.6.x-cs4 update to this release.
|
||||||
|
|
||||||
|
#### How to workaround this issue
|
||||||
|
|
||||||
|
Customers who do not install this update have two options. The
|
||||||
|
first option, is to disable SELinux. This is *not recommended* for production
|
||||||
|
systems where SELinux is required.
|
||||||
|
|
||||||
|
The second option is to pass the following parameter in to `docker run`.
|
||||||
|
|
||||||
|
--security-opt=label:type:docker_t
|
||||||
|
|
||||||
|
This parameter cannot be passed to the `docker build` command.
|
||||||
|
|
||||||
|
#### Upgrade notes
|
||||||
|
|
||||||
|
If you are running with SELinux enabled, previous Docker Engine releases allowed
|
||||||
|
you to bind mount additional volumes or files inside the container as follows:
|
||||||
|
|
||||||
|
$ docker run -it -v /home/user/foo.txt:/foobar.txt:ro
|
||||||
|
|
||||||
|
In the 1.6.2-cs5 release, you must ensure additional bind mounts have the correct
|
||||||
|
SELinux context. As an example, if you want to mount `foobar.txt` as read only
|
||||||
|
into the container, do the following to create and test your bind mount:
|
||||||
|
|
||||||
|
1. Add the `z` option to the bind mount when you specify `docker run`.
|
||||||
|
|
||||||
|
$ docker run -it -v /home/user/foo.txt:/foobar.txt:ro,z
|
||||||
|
|
||||||
|
2. Exec into your new container.
|
||||||
|
|
||||||
|
For example, if your container is `bashful_curie` open a shell on the
|
||||||
|
container:
|
||||||
|
|
||||||
|
$ docker exec -it bashful_curie bash
|
||||||
|
|
||||||
|
3. Use the `cat` command to check the permissions on the mounted file.
|
||||||
|
|
||||||
|
$ cat /foobar.txt
|
||||||
|
the contents of foobar appear
|
||||||
|
|
||||||
|
If you see the file's contents, your mount succeeded. If you receive a
|
||||||
|
`Permission denied` message and/or the `/var/log/audit/audit.log` file on your
|
||||||
|
Docker host contains an AVC Denial message, the mount did not succeed.
|
||||||
|
|
||||||
|
type=AVC msg=audit(1432145409.197:7570): avc: denied { read } for pid=21167 comm="cat" name="foobar.txt" dev="xvda2" ino=17704136 scontext=system_u:system_r:svirt_lxc_net_t:s0:c909,c965 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
|
||||||
|
|
||||||
|
Recheck your command line to make sure you passed in the `z` option.
|
||||||
|
|
||||||
### CS Docker Engine 1.6.2
|
### CS Docker Engine 1.6.2
|
||||||
(13 May 2015)
|
(13 May 2015)
|
||||||
|
|
||||||
|
|
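Review bot: The two `docker run` examples in the Upgrade notes (`docker run -it -v /home/user/foo.txt:/foobar.txt:ro` and the `:ro,z` variant in step 1) have no image argument, so neither can be run as written; add an image name to both. In the workaround section, the text offers two options but then states that `--security-opt=label:type:docker_t` cannot be passed to `docker build`, which leaves disabling SELinux as the only workaround listed for builds; say that explicitly. The upgrade notes tell readers to add `z` without saying what the option does, so a sentence describing its effect on the SELinux context of the host file would help anyone reviewing the change against their policy. Minor: "How to workaround this issue" should read "How to work around this issue", "The first option, is to disable SELinux" has a stray comma, and the new 1.6.2-cs5 section has no release date although the 1.6.2 section below it carries "(13 May 2015)".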