
docker: policy level choice #57

Closed
vadorovsky opened this issue Sep 21, 2021 · 2 comments · Fixed by #73
Assignees
Labels
enhancement New feature or request priority/medium

Comments

@vadorovsky
Member

vadorovsky commented Sep 21, 2021

Currently lockc allows to pick the policy level only for Kubernetes pods (via namespace labels).

We need to provide some way to be able to pick the policy level with Docker as well.

The most reasonable syntax will be probably something like:

docker run --label org.lockc.policy=privileged [image]

One important requirement: only root should be able to set a policy. We will probably have to monitor the docker socket somehow. nah, I created a separate task for that #66

@vadorovsky vadorovsky added enhancement New feature or request priority/medium labels Sep 21, 2021
@mjura mjura self-assigned this Sep 27, 2021
@mjura
Collaborator

mjura commented Oct 5, 2021

It seems that setting a label on a Docker container only leaves it in the container's config.json:
/var/lib/docker/containers/<CONTAINER_UUID>/config.v2.json
runc and containerd don't know anything about these labels.

@mjura
Collaborator

mjura commented Oct 5, 2021

After investigation we agreed that this can be extracted from runc by checking
/run/docker/containerd/daemon/io.containerd.runtime.v2.task/moby/<CONTAINER_UUID>/config.json
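As an added illustration of the approach discussed in this thread (example code, not part of lockc or of the PR that fixed this issue), the following script reads a container's on-disk config and derives the policy level from the org.lockc.policy label. It handles both file shapes mentioned above: the Docker daemon's config.v2.json, where labels live under Config.Labels, and an OCI runtime bundle's config.json, where the same key is assumed to be surfaced under the spec's free-form annotations object. The level names (restricted/baseline/privileged), the default applied when no label is present, and the sample documents are all assumptions made for this example; the issue itself only names the privileged level. A label with an unrecognized value is rejected rather than silently mapped to some level.

```python
"""Derive a lockc-style policy level from a container's on-disk config.

Added example, not lockc project code. Assumptions: the policy is carried as
the container label ``org.lockc.policy``; Docker keeps labels under
``Config.Labels`` in config.v2.json; an OCI runtime config.json is assumed to
carry the same key under ``annotations``. Level names and the default are
assumed as well (the issue only names ``privileged``).
"""
import json
from typing import Any, Dict

POLICY_LABEL = "org.lockc.policy"
# Assumed level names, mirroring the Kubernetes Pod Security Standards.
POLICY_LEVELS = ("restricted", "baseline", "privileged")
# Assumed default when no label is present: never privileged.
DEFAULT_POLICY = "baseline"


class PolicyError(ValueError):
    """Raised when a policy label is present but is not a known level."""


def labels_from_docker_config(doc: Dict[str, Any]) -> Dict[str, Any]:
    """config.v2.json shape: {"Config": {"Labels": {...}}}."""
    config = doc.get("Config") or {}
    return config.get("Labels") or {}


def labels_from_oci_config(doc: Dict[str, Any]) -> Dict[str, Any]:
    """OCI runtime config.json shape: {"ociVersion": ..., "annotations": {...}}."""
    return doc.get("annotations") or {}


def extract_labels(doc: Dict[str, Any]) -> Dict[str, Any]:
    """Pick the label source by document shape; OCI configs carry ociVersion."""
    if "ociVersion" in doc:
        return labels_from_oci_config(doc)
    return labels_from_docker_config(doc)


def policy_level(doc: Dict[str, Any]) -> str:
    """Return the policy level named by the label, or the default if absent."""
    labels = extract_labels(doc)
    if POLICY_LABEL not in labels:
        return DEFAULT_POLICY
    value = labels[POLICY_LABEL]
    # Fail closed: an unknown or malformed value is an error, not a silent
    # fallback to a weaker or stronger level.
    if not isinstance(value, str) or value not in POLICY_LEVELS:
        raise PolicyError(f"{POLICY_LABEL}={value!r} is not one of {POLICY_LEVELS}")
    return value


def policy_level_from_file(path: str) -> str:
    """Load a config.json / config.v2.json from disk and resolve its level."""
    with open(path, encoding="utf-8") as fh:
        return policy_level(json.load(fh))


# Constructed sample documents, trimmed to the fields this script reads.
OCI_SAMPLE = json.dumps({
    "ociVersion": "1.0.2",
    "process": {"args": ["/bin/sh"]},
    "annotations": {POLICY_LABEL: "privileged"},
})
DOCKER_SAMPLE_NO_LABEL = json.dumps({
    "ID": "constructed-container-id",
    "Config": {"Image": "alpine", "Labels": {"maintainer": "example"}},
})
DOCKER_SAMPLE_BAD = json.dumps({
    "Config": {"Labels": {POLICY_LABEL: "root"}},
})


def demo() -> Dict[str, str]:
    """Resolve each constructed sample; the malformed one must be rejected."""
    results = {
        "oci": policy_level(json.loads(OCI_SAMPLE)),
        "docker_no_label": policy_level(json.loads(DOCKER_SAMPLE_NO_LABEL)),
    }
    try:
        policy_level(json.loads(DOCKER_SAMPLE_BAD))
        results["docker_bad"] = "accepted"
    except PolicyError:
        results["docker_bad"] = "rejected"
    return results


if __name__ == "__main__":
    for name, level in demo().items():
        print(f"{name}: {level}")
```

Run it as-is to see the three constructed cases resolved, or call policy_level_from_file with one of the paths from this thread on a host where you have read access to the Docker state directory.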

mjura added a commit to mjura/lockc that referenced this issue Oct 11, 2021
Adding support for Docker containers and enforce lockc profiles.
Example usage can be:

docker run --label org.lockc.policy=privileged [image]

Fixes: lockc-project#57

Signed-off-by: Michal Jura <[email protected]>
2 participants