On 08/04/2014 10:57 PM, Trevor Jay wrote:
> On Mon, Aug 04, 2014 at 03:34:11PM -0400, Daniel J Walsh wrote:
>>> -v /var/..:/host --net="host"
>>>
>> That looks good, except you don't have /proc shared.
>>
> Right. The container can only access /proc and friends if you also use the
> policy/entrypoint hack to allow it to become unconfined_t. Like I said, this is just a
> dirty simulation of your future feature.
Well, /proc is not only being blocked by SELinux; you are also still
entering a different PID namespace. We have a patch working its way
upstream that will allow users to specify an alternate SELinux context or
to disable SELinux confinement for the container:
docker run --selinux-opt=disabled rhel7 ...
Or
docker run --selinux-opt=type:mytype_t rhel7 ...
> Speaking of that: you mentioned a "set" collection of
> namespaces/privileges to choose from at container launch time. How clear are those at this
> point? It would be good if we could whip up roughly equivalent types now so that the
> cockpit guys could begin seeing what they'd need to adjust.
> _Trevor
Not really sure what you mean. What exactly are you expecting, can you
give me an example?