On 08/04/2014 10:57 PM, Trevor Jay wrote:
On Mon, Aug 04, 2014 at 03:34:11PM -0400, Daniel J Walsh wrote:
-v /var/..:/host --net="host"
That looks good, except you don't have /proc shared.
Right. The container can only access /proc and friends if you also use the policy/entrypoint hack to allow it to become unconfined_t. Like I said, this is just a dirty simulation of your future feature.
Well, /proc is not only being blocked by SELinux; you are also still entering a different PID namespace. We have a patch working its way upstream that will allow users to specify an alternate SELinux context or to disable SELinux confinement for the container.
docker run --selinux-opt=disabled rhel7 ...
Or
docker run --selinux-opt=type:mytype_t rhel7 ...
Speaking of that: you mentioned a "set" collection of namespaces/privileges to choose from at container launch time. How clear are those at this point? It would be good if we could whip up roughly equivalent types now so that the cockpit guys could begin seeing what they'd need to adjust.
_Trevor
Not really sure what you mean. What exactly are you expecting? Can you give me an example?