Docker-DCO-1.1-Signed-off-by: Dan Walsh <dwalsh@redhat.com> (github: rhatdan)
| ... | ... |
@@ -343,7 +343,7 @@ to create a secure tunnel for the parent to access. |
| 343 | 343 |
## Mapping Ports for External Usage |
| 344 | 344 |
|
| 345 | 345 |
The exposed port of an application can be mapped to a host port using the **-p** |
| 346 |
-flag. For example a httpd port 80 can be mapped to the host port 8080 using the |
|
| 346 |
+flag. For example, a httpd port 80 can be mapped to the host port 8080 using the |
|
| 347 | 347 |
following: |
| 348 | 348 |
|
| 349 | 349 |
# docker run -p 8080:80 -d -i -t fedora/httpd |
| ... | ... |
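Review bot: the comma fix on the "For example, a httpd port 80" line is fine, but since this section is about exposing ports externally, the sentence should also state that `-p 8080:80` with no host address binds the mapping on every host interface, so the service is reachable from outside the host; suggest adding that `-p 127.0.0.1:8080:80` restricts the mapping to the loopback interface when external access is not wanted.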
@@ -393,26 +393,32 @@ changes will also be reflected on the host in /var/db. |
| 393 | 393 |
|
| 394 | 394 |
## Using alternative security labeling |
| 395 | 395 |
|
| 396 |
-If you want to use the same label for multiple containers, you can override use |
|
| 397 |
-the security-opt flag to select an MCS level. This is a common practice for MLS |
|
| 398 |
-systems. But it also might help in cases where you want to share the same |
|
| 399 |
-content between containers. Run the following command. |
|
| 396 |
+You can override the default labeling scheme for each container by specifying |
|
| 397 |
+the `--security-opt` flag. For example, you can specify the MCS/MLS level, a |
|
| 398 |
+requirement for MLS systems. Specifying the level in the following command |
|
| 399 |
+allows you to share the same content between containers. |
|
| 400 | 400 |
|
| 401 | 401 |
# docker run --security-opt label:level:s0:c100,c200 -i -t fedora bash |
| 402 | 402 |
|
| 403 |
-Run the follwing command if you want to disable the labeling controls for just |
|
| 404 |
-this container. |
|
| 403 |
+An MLS example might be: |
|
| 404 |
+ |
|
| 405 |
+ # docker run --security-opt label:level:TopSecret -i -t rhel7 bash |
|
| 406 |
+ |
|
| 407 |
+To disable the security labeling for this container versus running with the |
|
| 408 |
+`--permissive` flag, use the following command: |
|
| 405 | 409 |
|
| 406 | 410 |
# docker run --security-opt label:disable -i -t fedora bash |
| 407 | 411 |
|
| 408 |
-If you decide you would like to work with a tighter policy on your container. |
|
| 409 |
-For example if you want to run a container that could only listen on apache |
|
| 410 |
-ports, and not connect to the network. You could select an alternate type to |
|
| 411 |
-run the container execute the following command. |
|
| 412 |
+If you want a tighter security policy on the processes within a container, |
|
| 413 |
+you can specify an alternate type for the container. You could run a container |
|
| 414 |
+that is only allowed to listen on Apache ports by executing the following |
|
| 415 |
+command: |
|
| 416 |
+ |
|
| 417 |
+ # docker run --security-opt label:type:svirt_apache_t -i -t centos bash |
|
| 412 | 418 |
|
| 413 |
- # docker run --security-opt label:type:svirt_apache_t -i -t fedora bash |
|
| 419 |
+Note: |
|
| 414 | 420 |
|
| 415 |
-Note: You would have to write policy defining a svirt_apache_t type. |
|
| 421 |
+You would have to write policy defining a `svirt_apache_t` type. |
|
| 416 | 422 |
|
| 417 | 423 |
# HISTORY |
| 418 | 424 |
April 2014, Originally compiled by William Henry (whenry at redhat dot com) |
| ... | ... |
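Review bot: the new sentence "To disable the security labeling for this container versus running with the `--permissive` flag" refers to a `--permissive` flag that is not a `docker run` option anywhere in this page; if the intent is to contrast per-container `label:disable` with switching the whole host's SELinux into permissive mode, say that explicitly and do not format it as a flag. The same sentence should also state what `label:disable` actually does: the container's processes run unconfined by SELinux, so none of the MCS/MLS separation described just above applies to that container. Two smaller points: the `svirt_apache_t` example image was changed from `fedora` to `centos` while every other example in this section uses `fedora` (and the MLS example uses `rhel7`), so pick one image for consistency, and "Note:" is now on its own line with a blank line before the sentence it introduces, which renders as an orphaned label; keep "Note: You would have to write policy ..." on one line as before.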
@@ -234,22 +234,32 @@ the container exits**, you can add the `--rm` flag: |
| 234 | 234 |
--secutity-opt="apparmor:PROFILE" : Set the apparmor profile to be applied |
| 235 | 235 |
to the container |
| 236 | 236 |
|
| 237 |
-If you want to use the same label for multiple containers, you can override use |
|
| 238 |
-the security-opt flag to select an MCS level. This is a common practice for MLS |
|
| 239 |
-systems. But it also might help in cases where you want to share the same |
|
| 240 |
-content between containers. Run the following command. |
|
| 237 |
+You can override the default labeling scheme for each container by specifying |
|
| 238 |
+the `--security-opt` flag. For example, you can specify the MCS/MLS level, a |
|
| 239 |
+requirement for MLS systems. Specifying the level in the following command |
|
| 240 |
+allows you to share the same content between containers. |
|
| 241 | 241 |
|
| 242 | 242 |
# docker run --security-opt label:level:s0:c100,c200 -i -t fedora bash |
| 243 | 243 |
|
| 244 |
-Run the following command if you want to disable the labeling controls for just |
|
| 245 |
-this container. |
|
| 244 |
+An MLS example might be: |
|
| 245 |
+ |
|
| 246 |
+ # docker run --security-opt label:level:TopSecret -i -t rhel7 bash |
|
| 247 |
+ |
|
| 248 |
+To disable the security labeling for this container versus running with the |
|
| 249 |
+`--permissive` flag, use the following command: |
|
| 246 | 250 |
|
| 247 | 251 |
# docker run --security-opt label:disable -i -t fedora bash |
| 248 | 252 |
|
| 249 |
-Run the following command if you want to run a container that could only listen |
|
| 250 |
-on apache ports. |
|
| 253 |
+If you want a tighter security policy on the processes within a container, |
|
| 254 |
+you can specify an alternate type for the container. You could run a container |
|
| 255 |
+that is only allowed to listen on Apache ports by executing the following |
|
| 256 |
+command: |
|
| 257 |
+ |
|
| 258 |
+ # docker run --security-opt label:type:svirt_apache_t -i -t centos bash |
|
| 259 |
+ |
|
| 260 |
+Note: |
|
| 251 | 261 |
|
| 252 |
- # docker run --security-opt label:type:svirt_apache_t -i -t fedora bash |
|
| 262 |
+You would have to write policy defining a `svirt_apache_t` type. |
|
| 253 | 263 |
|
| 254 | 264 |
## Runtime Constraints on CPU and Memory |
| 255 | 265 |
|
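Review bot: the unchanged context line at the top of this hunk still reads `--secutity-opt="apparmor:PROFILE"` (typo for `--security-opt`); since this patch already touches the `--security-opt` prose immediately below it, fix the option name in the same change. The same issues as in the previous hunk apply here too: `--permissive` is not a `docker run` option, so reword that sentence, and "Note:" has again been separated from "You would have to write policy defining a `svirt_apache_t` type." by a blank line; keep them on one line. Finally, this text is now duplicated verbatim between the two files in this patch, so any later correction has to be made twice; consider keeping the detailed labeling discussion in one place and cross-referencing it from the other.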