9c61688098
We usually specify MCS Labels as comma separated pair. Finally if we run two different containers we want them on different MCS labels. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
82 lines
1.2 KiB
JSON
82 lines
1.2 KiB
JSON
{
|
|
"metadata": {
|
|
"name": "container1",
|
|
"attempt": 1
|
|
},
|
|
"image": {
|
|
"image": "docker://redis:latest"
|
|
},
|
|
"command": [
|
|
"/bin/bash"
|
|
],
|
|
"args": [
|
|
"/bin/ls"
|
|
],
|
|
"working_dir": "/",
|
|
"envs": [
|
|
{
|
|
"key": "PATH",
|
|
"value": "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
|
|
},
|
|
{
|
|
"key": "TERM",
|
|
"value": "xterm"
|
|
},
|
|
{
|
|
"key": "TESTDIR",
|
|
"value": "test/dir1"
|
|
},
|
|
{
|
|
"key": "TESTFILE",
|
|
"value": "test/file1"
|
|
}
|
|
],
|
|
"labels": {
|
|
"type": "small",
|
|
"batch": "no"
|
|
},
|
|
"annotations": {
|
|
"owner": "dragon",
|
|
"daemon": "ocid"
|
|
},
|
|
"privileged": true,
|
|
"readonly_rootfs": true,
|
|
"log_path": "container.log",
|
|
"stdin": false,
|
|
"stdin_once": false,
|
|
"tty": false,
|
|
"linux": {
|
|
"resources": {
|
|
"cpu_period": 10000,
|
|
"cpu_quota": 20000,
|
|
"cpu_shares": 512,
|
|
"memory_limit_in_bytes": 88000000,
|
|
"oom_score_adj": 30
|
|
},
|
|
"capabilities": {
|
|
"add_capabilities": [
|
|
"setuid",
|
|
"setgid"
|
|
],
|
|
"drop_capabilities": [
|
|
"audit_write",
|
|
"audit_read"
|
|
]
|
|
},
|
|
"selinux_options": {
|
|
"user": "system_u",
|
|
"role": "system_r",
|
|
"type": "container_t",
|
|
"level": "s0:c4,c5"
|
|
},
|
|
"user": {
|
|
"uid": 5,
|
|
"gid": 300,
|
|
"additional_gids": [
|
|
400,
|
|
401,
|
|
402
|
|
]
|
|
}
|
|
}
|
|
}
|