mirror of
https://github.com/moby/moby.git
synced 2022-11-09 12:21:53 -05:00
Updating with 1.6.2-cs5 notes
Signed-off-by: Mary Anthony <mary@docker.com>
parent
c6d9c904af
commit
7554949da6
1 changed files with 64 additions and 0 deletions
|
@ -18,6 +18,70 @@ page_keywords: docker, documentation, about, technology, understanding, enterpri
|
|||
|
||||
## Commercialy Supported Docker Engine
|
||||
|
||||
### CS Docker Engine 1.6.2-cs5
|
||||
|
||||
For customers running Docker Engine on [supported versions of RedHat Enterprise
|
||||
Linux](https://www.docker.com/enterprise/support/) with [SELinux
|
||||
enabled](https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/
|
||||
6/html/Security-Enhanced_Linux/sect-Security-Enhanced_Linux-Working_with_SELinux
|
||||
-Enabling_and_Disabling_SELinux.html), the `docker build` and `docker run`
|
||||
commands will fail because bind mounted volumes or files are not accessible. As
|
||||
a result, customers with SELinux enabled cannot use these commands in their
|
||||
environment. By installing Docker Engine 1.6.2-cs5, customers can run with
|
||||
SELinux enabled and run these commands on their supported operating system.
|
||||
|
||||
**Affected Versions**: Docker Engine: 1.6.x-cs1 through 1.6.x-cs4
|
||||
|
||||
It is **highly recommended** that all customers running Docker Engine 1.6.x-cs1
|
||||
through 1.6.x-cs4 update to this release.
|
||||
|
||||
#### How to workaround this issue
|
||||
|
||||
Customers who do not install this update have two options. The
|
||||
first option, is to disable SELinux. This is *not recommended* for production
|
||||
systems where SELinux is required.
|
||||
|
||||
The second option is to pass the following parameter in to `docker run`.
|
||||
|
||||
--security-opt=label:type:docker_t
|
||||
|
||||
This parameter cannot be passed to the `docker build` command.
|
||||
|
||||
#### Upgrade notes
|
||||
|
||||
If you are running with SELinux enabled, previous Docker Engine releases allowed
|
||||
you to bind mount additional volumes or files inside the container as follows:
|
||||
|
||||
$ docker run -it -v /home/user/foo.txt:/foobar.txt:ro
|
||||
|
||||
In the 1.6.2-cs5 release, you must ensure additional bind mounts have the correct
|
||||
SELinux context. As an example, if you want to mount `foobar.txt` as read only
|
||||
into the container, do the following to create and test your bind mount:
|
||||
|
||||
1. Add the `z` option to the bind mount when you specify `docker run`.
|
||||
|
||||
$ docker run -it -v /home/user/foo.txt:/foobar.txt:ro,z
|
||||
|
||||
2. Exec into your new container.
|
||||
|
||||
For example, if your container is `bashful_curie` open a shell on the
|
||||
container:
|
||||
|
||||
$ docker exec -it bashful_curie bash
|
||||
|
||||
3. Use the `cat` command to check the permissions on the mounted file.
|
||||
|
||||
$ cat /foobar.txt
|
||||
the contents of foobar appear
|
||||
|
||||
If you see the file's contents, your mount succeeded. If you receive a
|
||||
`Permission denied` message and/or the `/var/log/audit/audit.log` file on your
|
||||
Docker host contains an AVC Denial message, the mount did not succeed.
|
||||
|
||||
type=AVC msg=audit(1432145409.197:7570): avc: denied { read } for pid=21167 comm="cat" name="foobar.txt" dev="xvda2" ino=17704136 scontext=system_u:system_r:svirt_lxc_net_t:s0:c909,c965 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
|
||||
|
||||
Recheck your command line to make sure you passed in the `z` option.
|
||||
|
||||
### CS Docker Engine 1.6.2
|
||||
(13 May 2015)
|
||||
|
||||
|
|
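Review bot: The two `docker run` examples under "Upgrade notes" (`$ docker run -it -v /home/user/foo.txt:/foobar.txt:ro` and the `:ro,z` variant in step 1) have no image argument, so they fail when pasted as written. Add an image name, and a command if one is needed, and say in step 2 that the container must still be running for `docker exec` to work. The SELinux link in the first paragraph wraps its URL across three source lines, which Markdown will not treat as a single link destination; keep the URL on one line or use a reference-style link. The notes also never say what the `z` option does to the host file, or what is given up by running under `docker_t` instead of the `svirt_lxc_net_t` domain shown in the AVC sample; one sentence on each would let readers weigh the workaround against installing the update. Nits: "How to workaround" should be "How to work around", "RedHat" should be "Red Hat", and step 3 says it checks "permissions" although `cat` only tests read access.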