summaryrefslogtreecommitdiff
path: root/hack/dind
diff options
context:
space:
mode:
authorValentin Rothberg <vrothberg@suse.com>2018-07-09 08:50:52 +0200
committerAtomic Bot <atomic-devel@projectatomic.io>2018-07-11 16:36:24 +0000
commit06ab343bd7c113fe761631142dde4829e8aa4d40 (patch)
tree0f38b5dd752683d59f9cfe335b748bf759a76a9c /hack/dind
parent84cfdb20617ac7a5a1138375599e28cdad26b824 (diff)
downloadpodman-06ab343bd7c113fe761631142dde4829e8aa4d40.tar.gz
podman-06ab343bd7c113fe761631142dde4829e8aa4d40.tar.bz2
podman-06ab343bd7c113fe761631142dde4829e8aa4d40.zip
podman/libpod: add default AppArmor profile
Make users of libpod more secure by adding the libpod/apparmor package to load a pre-defined AppArmor profile. Large chunks of libpod/apparmor come from github.com/moby/moby. Also check if a specified AppArmor profile is actually loaded and throw an error if necessary. The default profile is loaded only on Linux builds with the `apparmor` buildtag enabled. Signed-off-by: Valentin Rothberg <vrothberg@suse.com> Closes: #1063 Approved by: rhatdan
Diffstat (limited to 'hack/dind')
-rwxr-xr-xhack/dind33
1 files changed, 33 insertions, 0 deletions
diff --git a/hack/dind b/hack/dind
new file mode 100755
index 000000000..3254f9dbe
--- /dev/null
+++ b/hack/dind
@@ -0,0 +1,33 @@
+#!/usr/bin/env bash
+set -e
+
+# DinD: a wrapper script which allows docker to be run inside a docker container.
+# Original version by Jerome Petazzoni <jerome@docker.com>
+# See the blog post: https://blog.docker.com/2013/09/docker-can-now-run-within-docker/
+#
+# This script should be executed inside a docker container in privileged mode
+# ('docker run --privileged', introduced in docker 0.6).
+
+# Usage: dind CMD [ARG...]
+
+# apparmor sucks and Docker needs to know that it's in a container (c) @tianon
+export container=docker
+
+if [ -d /sys/kernel/security ] && ! mountpoint -q /sys/kernel/security; then
+ mount -t securityfs none /sys/kernel/security || {
+ echo >&2 'Could not mount /sys/kernel/security.'
+ echo >&2 'AppArmor detection and --privileged mode might break.'
+ }
+fi
+
+# Mount /tmp (conditionally)
+if ! mountpoint -q /tmp; then
+ mount -t tmpfs none /tmp
+fi
+
+if [ $# -gt 0 ]; then
+ exec "$@"
+fi
+
+echo >&2 'ERROR: No command specified.'
+echo >&2 'You probably want to run hack/make.sh, or maybe a shell?'