1716d497a4
This change will allow us to run SELinux in a container with BTRFS back end. We continue to work on fixing the kernel/BTRFS but this change will allow SELinux Security separation on BTRFS. It basically relabels the content on container creation. Just relabling -init directory in BTRFS use case. Everything looks like it works. I don't believe tar/achive stores the SELinux labels, so we are good as far as docker commit. Tested Speed on startup with BTRFS on top of loopback directory. BTRFS not on loopback should get even better perfomance on startup time. The more inodes inside of the container image will increase the relabel time. This patch will give people who care more about security the option of runnin BTRFS with SELinux. Those who don't want to take the slow down can disable SELinux either in individual containers or for all containers by continuing to disable SELinux in the daemon. Without relabel: > time docker run --security-opt label:disable fedora echo test test real 0m0.918s user 0m0.009s sys 0m0.026s With Relabel test real 0m1.942s user 0m0.007s sys 0m0.030s Signed-off-by: Dan Walsh <dwalsh@redhat.com> Signed-off-by: Dan Walsh <dwalsh@redhat.com> |
||
|---|---|---|
| .. | ||
| docker-attach.1.md | ||
| docker-build.1.md | ||
| docker-commit.1.md | ||
| docker-cp.1.md | ||
| docker-create.1.md | ||
| docker-daemon.8.md | ||
| docker-diff.1.md | ||
| docker-events.1.md | ||
| docker-exec.1.md | ||
| docker-export.1.md | ||
| docker-history.1.md | ||
| docker-images.1.md | ||
| docker-import.1.md | ||
| docker-info.1.md | ||
| docker-inspect.1.md | ||
| docker-kill.1.md | ||
| docker-load.1.md | ||
| docker-login.1.md | ||
| docker-logout.1.md | ||
| docker-logs.1.md | ||
| docker-network-connect.1.md | ||
| docker-network-create.1.md | ||
| docker-network-disconnect.1.md | ||
| docker-network-inspect.1.md | ||
| docker-network-ls.1.md | ||
| docker-network-rm.1.md | ||
| docker-pause.1.md | ||
| docker-port.1.md | ||
| docker-ps.1.md | ||
| docker-pull.1.md | ||
| docker-push.1.md | ||
| docker-rename.1.md | ||
| docker-restart.1.md | ||
| docker-rm.1.md | ||
| docker-rmi.1.md | ||
| docker-run.1.md | ||
| docker-save.1.md | ||
| docker-search.1.md | ||
| docker-start.1.md | ||
| docker-stats.1.md | ||
| docker-stop.1.md | ||
| docker-tag.1.md | ||
| docker-top.1.md | ||
| docker-unpause.1.md | ||
| docker-version.1.md | ||
| docker-volume-create.1.md | ||
| docker-volume-inspect.1.md | ||
| docker-volume-ls.1.md | ||
| docker-volume-rm.1.md | ||
| docker-wait.1.md | ||
| docker.1.md | ||
| Dockerfile | ||
| Dockerfile.5.md | ||
| md2man-all.sh | ||
| README.md | ||
Docker Documentation
This directory contains the Docker user manual in the Markdown format. Do not edit the man pages in the man1 directory. Instead, amend the Markdown (*.md) files.
Generating man pages from the Markdown files
The recommended approach for generating the man pages is via a Docker
container using the supplied Dockerfile to create an image with the correct
environment. This uses go-md2man, a pure Go Markdown to man page generator.
Building the md2man image
There is a Dockerfile provided in the /man directory of your
'docker/docker' fork.
Using this Dockerfile, create a Docker image tagged docker/md2man:
docker build -t docker/md2man .
Utilizing the image
From within the /man directory run the following command:
docker run -v $(pwd):/man -w /man -i docker/md2man ./md2man-all.sh
The md2man Docker container will process the Markdown files and generate
the man pages inside the /man/man1 directory of your fork using
Docker volumes. For more information on Docker volumes see the man page for
docker run and also look at the article [Sharing Directories via Volumes]
(https://docs.docker.com/use/working_with_volumes/).