@@ -14,6 +14,17 @@ NOTE: OpenShift is in alpha and is not intended for production use yet. However

 [![GoDoc](https://godoc.org/github.com/openshift/origin?status.png)](https://godoc.org/github.com/openshift/origin)

 [![Travis](https://travis-ci.org/openshift/origin.svg?branch=master)](https://travis-ci.org/openshift/origin)

+Security Warning

+----------------

+OpenShift no longer requires SElinux to be disabled, however OpenShift is a system which runs Docker containers on your system.  In some cases (build operations and the registry service) it does so using privileged containers.  Furthermore those containers access your host's Docker daemon and perform `docker build` and `docker push` operations.  As such, you should be aware of the inherent security risks associated with performing `docker run` operations on arbitrary images as they effectively have root access.  This is particularly relevant when running the OpenShift nodes directly on your host system.

+

+For more information, see these articles:

+

+* http://opensource.com/business/14/7/docker-security-selinux

+* https://docs.docker.com/articles/security/

+

+The OpenShift security model will continue to evolve and tighten as we head towards production ready code.

+

 Getting Started

 ---------------

 The simplest way to start is to run OpenShift Origin in a Docker container:

@@ -21,13 +21,6 @@ System Environment

         $ systemctl stop firewalld

-1. Disable selinux  

-

-    Eventually this will not be necessary but we are currently focused on features and will be revisiting selinux policies in the future.

-

-        $ setenforce 0

-        

-

 Build Failures

 --------------

@@ -11,6 +11,7 @@ import (

 	kapi "github.com/GoogleCloudPlatform/kubernetes/pkg/api"

 	"github.com/GoogleCloudPlatform/kubernetes/pkg/api/meta"

 	"github.com/GoogleCloudPlatform/kubernetes/pkg/api/validation"

+	"github.com/GoogleCloudPlatform/kubernetes/pkg/kubelet"

 	"github.com/GoogleCloudPlatform/kubernetes/pkg/runtime"

 	//"github.com/GoogleCloudPlatform/kubernetes/pkg/util"

 	"github.com/golang/glog"

@@ -136,6 +137,9 @@ func walkJSONFiles(inDir string, fn func(name, path string, data []byte)) error

 }

 func TestExampleObjectSchemas(t *testing.T) {

+	// Allow privileged containers

+	// TODO: make this configurable and not the default https://github.com/openshift/origin/issues/662

+	kubelet.SetupCapabilities(true)

 	cases := map[string]map[string]runtime.Object{

 		"../examples/guestbook": {

 			"template": &templateapi.Template{},

@@ -9,6 +9,17 @@ Alternatively, if you are using the openshift/origin Docker container, please

 make sure you follow these instructions first:

 https://github.com/openshift/origin/blob/master/examples/sample-app/container-setup.md

+Security Warning

+----------------

+OpenShift no longer requires SElinux to be disabled, however OpenShift is a system which runs Docker containers on your system.  In some cases (build operations and the registry service) it does so using privileged containers.  Furthermore those containers access your host's Docker daemon and perform `docker build` and `docker push` operations.  As such, you should be aware of the inherent security risks associated with performing `docker run` operations on arbitrary images as they effectively have root access.  This is particularly relevant when running the OpenShift nodes directly on your host system.

+

+For more information, see these articles:

+

+* http://opensource.com/business/14/7/docker-security-selinux

+* https://docs.docker.com/articles/security/

+

+The OpenShift security model will continue to evolve and tighten as we head towards production ready code.

+

 Setup

 -----

 At this stage of OpenShift 3 development, there are a few things that you will need to configure on the host where OpenShift is running in order for things to work.

@@ -33,16 +44,6 @@ This will instruct the docker daemon to trust any docker registry on the 172.30.

 These instructions assume you have not changed the kubernetes/openshift service subnet configuration from the default value of 172.30.17.0/24.

-### SELinux Changes ###

-

-Presently the OpenShift 3 policies for SELinux are a work in progress. For the time being, to play around with the OpenShift system, it is easiest to temporarily disable SELinux:

-

-    $ sudo setenforce 0

-

-This can be re-enabled after you are done with the sample app:

-

-    $ sudo setenforce 1

-

 ### FirewallD Changes ###

 Similar to our work on SELinux policies, the OpenShift firewalld rules are also a work in progress. For now it is easiest to disable firewalld altogether:

@@ -65,7 +65,8 @@

                         "readOnly":false

                       }

                     ],

-                    "command": ["sh", "-c", "REGISTRY_URL=${DOCKER_REGISTRY_SERVICE_HOST}:${DOCKER_REGISTRY_SERVICE_PORT} OPENSHIFT_URL=http://${KUBERNETES_SERVICE_HOST}:443/osapi/v1beta1 exec docker-registry"]

+                    "command": ["sh", "-c", "REGISTRY_URL=${DOCKER_REGISTRY_SERVICE_HOST}:${DOCKER_REGISTRY_SERVICE_PORT} OPENSHIFT_URL=http://${KUBERNETES_SERVICE_HOST}:443/osapi/v1beta1 exec docker-registry"],

+		    privileged: true

                   }

                 ],

                 "version":"v1beta1",

@@ -51,6 +51,8 @@ func (bs *CustomBuildStrategy) CreateBuildPod(build *buildapi.Build) (*kapi.Pod,

 					Name:  "custom-build",

 					Image: strategy.Image,

 					Env:   containerEnv,

+					// TODO: run unprivileged https://github.com/openshift/origin/issues/662

+					Privileged: true,

 				},

 			},

 			RestartPolicy: kapi.RestartPolicy{

@@ -34,6 +34,8 @@ func (bs *DockerBuildStrategy) CreateBuildPod(build *buildapi.Build) (*kapi.Pod,

 					Env: []kapi.EnvVar{

 						{Name: "BUILD", Value: string(buildJSON)},

 					},

+					// TODO: run unprivileged https://github.com/openshift/origin/issues/662

+					Privileged: true,

 				},

 			},

 			RestartPolicy: kapi.RestartPolicy{

@@ -47,6 +47,8 @@ func (bs *STIBuildStrategy) CreateBuildPod(build *buildapi.Build) (*kapi.Pod, er

 					Env: []kapi.EnvVar{

 						{Name: "BUILD", Value: string(buildJSON)},

 					},

+					// TODO: run unprivileged https://github.com/openshift/origin/issues/662

+					Privileged: true,

 				},

 			},

 			RestartPolicy: kapi.RestartPolicy{

@@ -81,6 +81,9 @@ func (c *NodeConfig) EnsureVolumeDir() {

 // RunKubelet starts the Kubelet.

 func (c *NodeConfig) RunKubelet() {

 	// initialize Kubelet

+	// Allow privileged containers

+	// TODO: make this configurable and not the default https://github.com/openshift/origin/issues/662

+	kubelet.SetupCapabilities(true)

 	cfg := kconfig.NewPodConfig(kconfig.PodConfigNotificationSnapshotAndUpdates)

 	kconfig.NewSourceEtcd(kconfig.EtcdKeyForHost(c.NodeHost), c.EtcdClient, cfg.Channel("etcd"))

 	k := kubelet.NewMainKubelet(