Occasionally the selinux_test program will fail because we are setting file
context based on the Process ID but not the TID. THis change will always
use the TID to set SELinux labels.
Docker-DCO-1.1-Signed-off-by: Daniel Walsh <dwalsh@redhat.com> (github: rhatdan)
Docker-DCO-1.1-Signed-off-by: Dan Walsh <dwalsh@redhat.com> (github: crosbymichael)
Added --selinux-enable switch to daemon to enable SELinux labeling.
The daemon will now generate a new unique random SELinux label when a
container starts, and remove it when the container is removed. The MCS
labels will be stored in the daemon memory. The labels of containers will
be stored in the container.json file.
When the daemon restarts on boot or if done by an admin, it will read all containers json files and reserve the MCS labels.
A potential problem would be conflicts if you setup thousands of containers,
current scheme would handle ~500,000 containers.
Docker-DCO-1.1-Signed-off-by: Dan Walsh <dwalsh@redhat.com> (github: rhatdan)
Docker-DCO-1.1-Signed-off-by: Dan Walsh <dwalsh@redhat.com> (github: crosbymichael)
This has every container using the docker daemon's pid for the processes
label so it does not work correctly.
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
Creating the "docker save" tarball for "scratch" is pretty simple. I've also extrapolated the "docker build -t busybox ." logic into a separate "hack/make/.ensure-busybox" file so that it can eventually be reused easier.
Docker-DCO-1.1-Signed-off-by: Andrew Page <admwiggin@gmail.com> (github: tianon)
It was a nice idea to recruit more maintainers but we never found the
time to do it properly...
I am still interested in any ideas to make it easier to start
contributing!
Docker-DCO-1.1-Signed-off-by: Solomon Hykes <solomon@docker.com> (github: shykes)
I tested to verify that if neither package is available (for example, on Debian Wheezy), apt still continues installing properly.
Docker-DCO-1.1-Signed-off-by: Andrew Page <admwiggin@gmail.com> (github: tianon)
These are unnecessary since the user package handles these cases properly already (as evidenced by the LXC backend not having these special cases).
I also updated the errors returned to match the other libcontainer error messages in this same file.
Also, switching from Setresuid to Setuid directly isn't a problem, because the "setuid" system call will automatically do that if our own effective UID is root currently: (from `man 2 setuid`)
setuid() sets the effective user ID of the calling process. If the
effective UID of the caller is root, the real UID and saved set-user-
ID are also set.
Docker-DCO-1.1-Signed-off-by: Andrew Page <admwiggin@gmail.com> (github: tianon)
This adds back in the references to private repositories and
provides some refactoring to the Working with repositories
documentation including updating references to the "Central"
registry to Docker.io.
It also:
* Fixes some links and references to Central Index
* Fixes anchors in other files to updated titles in Working with Repositories.
* Renamed Central Index in the remaining places.
* Updated terms documentation to reflect Docker.io
* Updated some Docker Index naming to be consistent.
* Updates menu labels and hyperlinks.
Docker-DCO-1.1-Signed-off-by: James Turnbull <james@lovedthanlost.net> (github: jamtur01)
Docker-DCO-1.1-Signed-off-by: O.S. Tezer <ostezer@gmail.com> (github: ostezer)
Correct documentation for POST /commit to reflect that the container's
configuration is supplied in the request body, and not as a query
parameter.
Also correct a small typo in the example JSON for create container.
Docker-DCO-1.1-Signed-off-by: Andy Goldstein <agoldste@redhat.com> (github: ncdc)
Sam Rijs
Victor Vieux
Rohit Jnagal
Michael Crosby
Dan Walsh
O.S. Tezer
Tianon Gravi
Solomon Hykes
Sven Dowideit
James Turnbull
Michael Crosby
Victor Marmol
Brian Goff
Tibor Vass
Andy Goldstein