Merge pull request #1285 from hashicorp/fix-selinux-options

Added a client options for setting selinux options
2016-06-16 22:45:24 +02:00 · 2016-06-16 22:45:24 +02:00 · ed67f1a347
parent 0de6735c22 266c417ac8
commit ed67f1a347
3 changed files with 15 additions and 5 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -29,7 +29,9 @@ IMPROVEMENTS:
    using the `nomad` service in Consul. Nomad servers now register
    themselves with Consul if Consul is available. [GH-1201]
  * drivers: Qemu and Java can be run without an artifact being download. Useful
-    if the artifact exists inside a chrooted directory {GH-1262]
+    if the artifact exists inside a chrooted directory [GH-1262]
+  * driver/docker: Added a client options to set SELinux labels for container
+    bind mounts. [GH-788]

 BUG FIXES:
  * core: Improve garbage collection of allocations and nodes [GH-1256]
--- a/client/driver/docker.go
+++ b/client/driver/docker.go
@ -316,11 +316,16 @@ func (d *DockerDriver) containerBinds(alloc *allocdir.AllocDir, task *structs.Ta
 		return nil, fmt.Errorf("Failed to find task local directory: %v", task.Name)
 	}

+	allocDirBind := fmt.Sprintf("%s:/%s", shared, allocdir.SharedAllocName)
+	taskLocalBind := fmt.Sprintf("%s:/%s", local, allocdir.TaskLocal)
+
+	if selinuxLabel := d.config.Read("docker.volumes.selinuxlabel"); selinuxLabel != "" {
+		allocDirBind = fmt.Sprintf("%s:%s", allocDirBind, selinuxLabel)
+		taskLocalBind = fmt.Sprintf("%s:%s", taskLocalBind, selinuxLabel)
+	}
 	return []string{
-		// "z" and "Z" option is to allocate directory with SELinux label.
-		fmt.Sprintf("%s:/%s:rw,z", shared, allocdir.SharedAllocName),
-		// capital "Z" will label with Multi-Category Security (MCS) labels
-		fmt.Sprintf("%s:/%s:rw,Z", local, allocdir.TaskLocal),
+		allocDirBind,
+		taskLocalBind,
 	}, nil
 }

--- a/website/source/docs/drivers/docker.html.md
+++ b/website/source/docs/drivers/docker.html.md
@ -294,6 +294,9 @@ options](/docs/agent/config.html#options):
 * `docker.cleanup.image` Defaults to `true`. Changing this to `false` will
  prevent Nomad from removing images from stopped tasks.

+* `docker.volumes.selinuxlabel`: Allows the operator to set a SELinux
+  label to the allocation and task local bind-mounts to containers.
+
 * `docker.privileged.enabled` Defaults to `false`. Changing this to `true` will
  allow containers to use `privileged` mode, which gives the containers full
  access to the host's devices. Note that you must set a similar setting on the