Turn on Security opts including labeling for docker build #10186
Seems like we can just pass an empty HostConfig struct to daemon.Create instead of storing it in the builder.
@cpuguy83 Does it matter, I would have to add import runconfig to internals.go. Is there something "stored" when I do a docker build?
I feel the need for .... mmm, an selinux and docker colouring book.
LGTM
@SvenDowideit I have been thinking about creating a "Container" colouring book...
@rhatdan You're right, my only concern is people later coming and adding to b.HostConfig when it's not necessary, and instead handle this in daemon.Create:

```go
if hostConfig == nil {
	hostConfig = &runconfig.HostConfig{}
}
```
22b5b93 to 0149618
So you want something like this patch? @cpuguy83
@rhatdan That's my thought, yes.
We shall see what @crosbymichael
Yeah, I was looking at the history of the API side of that. It would be older clients that would have a nil hostConfig, but I'm not sure that having a nil one would matter. Especially since it would get a hostConfig (even if empty) when it starts anyway.
@rhatdan ❤️
0149618 to ce70ae7
Currently docker build is not passing HostConfig to daemon.Create. This patch creates the default HostConfig and passes it to daemon.Create. This will cause the SELinux labeling to turn on for docker build. Basically it causes a SecurityOpt field to be created. In the future this might also allow us to use seccomp and UserNamespace with docker build.

Docker-DCO-1.1-Signed-off-by: Dan Walsh <dwalsh@redhat.com> (github: rhatdan)
ce70ae7 to 8a8dcf1
LGTM
LGTM
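
The nil-versus-empty HostConfig behaviour discussed in this thread, as an added Go sketch that is not Docker's code. `HostConfig`, `genLabel`, `createUnguarded` and `createGuarded` are hypothetical stand-ins that model only the SecurityOpt field, and the label strings are constructed sample values.

```go
package main

import "fmt"

// HostConfig is a simplified stand-in for runconfig.HostConfig (assumption:
// only the SecurityOpt field from the discussion is modelled).
type HostConfig struct {
	SecurityOpt []string
}

// genLabel is a hypothetical placeholder for the daemon's label generator;
// the returned value is constructed sample data.
func genLabel(id int) []string {
	return []string{fmt.Sprintf("label:level:s0:c%d,c%d", id, id+1)}
}

// createUnguarded models the behaviour the commit message describes: with no
// HostConfig there is nowhere to create SecurityOpt, so labeling stays off.
func createUnguarded(hc *HostConfig, id int) []string {
	if hc == nil {
		return nil // fail-open: the container is created without a label
	}
	if len(hc.SecurityOpt) == 0 {
		hc.SecurityOpt = genLabel(id)
	}
	return hc.SecurityOpt
}

// createGuarded normalises nil inside the create path, as suggested in the
// review, so every caller gets the default security options.
func createGuarded(hc *HostConfig, id int) []string {
	if hc == nil {
		hc = &HostConfig{}
	}
	return createUnguarded(hc, id)
}

func main() {
	fmt.Println("builder passes nil:        ", createUnguarded(nil, 100))
	fmt.Println("builder passes empty (fix):", createUnguarded(&HostConfig{}, 100))
	fmt.Println("nil with guard in create:  ", createGuarded(nil, 100))
	fmt.Println("explicit opts are kept:    ",
		createGuarded(&HostConfig{SecurityOpt: []string{"label:disable"}}, 100))
}
```
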