Added --selinux-enable switch to daemon to enable SELinux labeling.
The daemon will now generate a new unique random SELinux label when a
container starts, and remove it when the container is removed. The MCS
labels will be stored in the daemon memory. The labels of containers will
be stored in the container.json file.
When the daemon restarts on boot or if done by an admin, it will read all containers json files and reserve the MCS labels.
A potential problem would be conflicts if you setup thousands of containers,
current scheme would handle ~500,000 containers.
Docker-DCO-1.1-Signed-off-by: Dan Walsh <dwalsh@redhat.com> (github: rhatdan)
Docker-DCO-1.1-Signed-off-by: Dan Walsh <dwalsh@redhat.com> (github: crosbymichael)
This has every container using the docker daemon's pid for the processes
label so it does not work correctly.
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
This allows multiple instances of the backend in different containers
to access devices (although generally only one can modify/create them).
Any old metadata is converted on the first run.
Docker-DCO-1.1-Signed-off-by: Alexander Larsson <alexl@redhat.com> (github: alexlarsson)
Instead of globally keeping track of the free device ids we just
start from 0 each run and handle EEXIST error and try the next one.
This way we don't need any global state for the device ids, which
means we can read device metadata lazily. This is important for
multi-process use of the backend.
Docker-DCO-1.1-Signed-off-by: Alexander Larsson <alexl@redhat.com> (github: alexlarsson)
This moves the EBUSY detection to devmapper.go, and then returns
a real ErrBusy that deviceset uses.
Docker-DCO-1.1-Signed-off-by: Alexander Larsson <alexl@redhat.com> (github: alexlarsson)
This will allow for these to be set independently. Keep the current Docker behavior where Memory and MemoryReservation are set to the value of Memory.
Docker-DCO-1.1-Signed-off-by: Victor Marmol <vmarmol@google.com> (github: vmarmol)
container.Kill() might read a pid of 0 from
container.State.Pid due to losing a race with
container.monitor() calling
container.State.SetStopped(). Sending a SIGKILL to
pid 0 is undesirable as "If pid equals 0, then sig
is sent to every process in the process group of
the calling process."
Docker-DCO-1.1-Signed-off-by: Daniel Norberg <daniel.norberg@gmail.com> (github: danielnorberg)
We used to mount in Create() to be able to create a few files that
needs to be in each device. However, this mount is problematic for
selinux, as we need to set the mount label at mount-time, and it
is not known at the time of Create().
This change just moves the file creation to first Get() call and
drops the mount from Create(). Additionally, this lets us remove
some complexities we had to avoid an extra unmount+mount cycle.
Docker-DCO-1.1-Signed-off-by: Alexander Larsson <alexl@redhat.com> (github: alexlarsson)
container.Register() checks both IsRunning() and IsGhost(), but at
this point IsGhost() is always true if IsRunning() is true. For a
newly created container both are false, and for a restored-from-disk
container Daemon.load() sets Ghost to true if IsRunning is true. So we
just drop the IsGhost check.
This was the last call to IsGhost, so we remove It and all other
traces of the ghost state.
Docker-DCO-1.1-Signed-off-by: Alexander Larsson <alexl@redhat.com> (github: alexlarsson)
