vbatts/cri-o
1
0
Fork 0
Code Issues Pull requests Releases Wiki Activity

Add docs about apparmor profile setting

Browse source 
Signed-off-by: Xianglin Gao <xlgao@zju.edu.cn>
This commit is contained in:
Xianglin Gao 2016-11-30 16:36:07 +08:00
parent 26645c90ac
commit 06cc0ba6ba
5 changed files with 14 additions and 7 deletions
Download patch file Download diff file Expand all files Collapse all files

2
cmd/server/config.go
View file

@ -15,7 +15,7 @@ const (
conmonPath = "/usr/libexec/ocid/conmon" conmonPath = "/usr/libexec/ocid/conmon"
pausePath = "/usr/libexec/ocid/pause" pausePath = "/usr/libexec/ocid/pause"
seccompProfilePath = "/etc/ocid/seccomp.json" seccompProfilePath = "/etc/ocid/seccomp.json"
apparmorProfileName = "crio-default" apparmorProfileName = "ocid-default"
) )
var commentedConfigTemplate = template.Must(template.New("config").Parse(` var commentedConfigTemplate = template.Must(template.New("config").Parse(`

2
cmd/server/main.go
View file

@ -140,7 +140,7 @@ func main() {
}, },
cli.StringFlag{ cli.StringFlag{
Name: "apparmor-profile", Name: "apparmor-profile",
Usage: "default apparmor profile name (default: \"crio-default\")", Usage: "default apparmor profile name (default: \"ocid-default\")",
}, },
cli.BoolFlag{ cli.BoolFlag{
Name: "selinux", Name: "selinux",

8
docs/ocid.8.md
View file

@ -20,6 +20,7 @@ ocid - Enable OCI Kubernetes Container Runtime daemon
[**--sandboxdir**=[*value*]] [**--sandboxdir**=[*value*]]
[**--selinux**] [**--selinux**]
[**--seccomp-profile**=[*value*]] [**--seccomp-profile**=[*value*]]
[**--apparmor-profile**=[*value*]]
[**--version**|**-v**] [**--version**|**-v**]
# DESCRIPTION # DESCRIPTION
@ -76,12 +77,15 @@ ocid is meant to provide an integration path between OCI conformant runtimes and
**--sandboxdir**="" **--sandboxdir**=""
OCID pod sandbox dir (default: "/var/lib/ocid/sandboxes") OCID pod sandbox dir (default: "/var/lib/ocid/sandboxes")
**--selinux** **--selinux**=*true*|*false*
Enable selinux support (default: false) Enable selinux support (default: false)
**seccomp_profile** **--seccomp_profile**=""
Path to the seccomp json profile to be used as the runtime's default (default: "/etc/ocid/seccomp.json") Path to the seccomp json profile to be used as the runtime's default (default: "/etc/ocid/seccomp.json")
**--apparmor_profile**=""
Name of the apparmor profile to be used as the runtime's default (default: "ocid-default")
**--version, -v** **--version, -v**
Print the version Print the version

7
docs/ocid.conf.5.md
View file

@ -55,12 +55,15 @@ The `ocid` table supports the following options:
**runtime**="" **runtime**=""
OCI runtime path (default: "/usr/bin/runc") OCI runtime path (default: "/usr/bin/runc")
**selinux** **selinux**=*true*|*false*
Enable selinux support (default: false) Enable selinux support (default: false)
**seccomp_profile** **seccomp_profile**=""
Path to the seccomp json profile to be used as the runtime's default (default: "/etc/ocid/seccomp.json") Path to the seccomp json profile to be used as the runtime's default (default: "/etc/ocid/seccomp.json")
**apparmor_profile**=""
Name of the apparmor profile to be used as the runtime's default (default: "ocid-default")
## OCID.IMAGE TABLE ## OCID.IMAGE TABLE
**pause**="" **pause**=""

2
server/apparmor/apparmor.go
View file

@ -15,7 +15,7 @@ import (
const ( const (
// defaultApparmorProfile is the name of default apparmor profile name. // defaultApparmorProfile is the name of default apparmor profile name.
defaultApparmorProfile = "crio-default" defaultApparmorProfile = "ocid-default"
// profileDirectory is the file store for apparmor profiles and macros. // profileDirectory is the file store for apparmor profiles and macros.
profileDirectory = "/etc/apparmor.d" profileDirectory = "/etc/apparmor.d"