Re: container/container-medium-19.ks container/container-medium-20.ks container/container-minimal-19.ks container/container-minimal-20.ks

2013-09-19 Thread Daniel J Walsh
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On 09/19/2013 01:18 PM, Matthew Miller wrote:
 container/container-medium-19.ks  |3 +++ 
 container/container-medium-20.ks  |3 +++ 
 container/container-minimal-19.ks |2 ++ 
 container/container-minimal-20.ks |2 ++ 4 files changed, 10
 insertions(+)
 
 New commits: commit 813cd55875feaff0e3273fb2b53dc2ed51bdf62a Author:
 Matthew Miller mat...@mattdm.org Date:   Thu Sep 19 12:17:48 2013 -0500
 
 remove /boot contents (created by appliance-creator, not needed)
 
 diff --git a/container/container-medium-19.ks
 b/container/container-medium-19.ks index 2a311fb..2826c43 100644 ---
 a/container/container-medium-19.ks +++ b/container/container-medium-19.ks 
 @@ -119,6 +119,9 @@ rm -rf /var/lib/yum/history/* yum history new || yum
 history new truncate -c -s 0 /var/log/yum.log
 
 +echo Removing boot, since we don't need that. +rm -rf /boot/* + echo
 Fixing SELinux contexts. /usr/sbin/fixfiles -R -a restore
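Review bot: the apostrophe in `echo Removing boot, since we don't need that.` is an unbalanced single quote in the %post shell script, so the shell treats everything from `'t need that.` through the following `rm -rf /boot/*` and `echo Fixing SELinux contexts.` as one quoted word until it meets another `'`, or aborts at end of script with an unexpected EOF; the /boot cleanup then either never runs or breaks the build. Quote the message, e.g. `echo "Removing boot, since we don't need that."`, or drop the apostrophe.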
 
 diff --git a/container/container-medium-20.ks
 b/container/container-medium-20.ks index 5cec913..4c9b2f5 100644 ---
 a/container/container-medium-20.ks +++ b/container/container-medium-20.ks 
 @@ -119,6 +119,9 @@ rm -rf /var/lib/yum/history/* yum history new || yum
 history new truncate -c -s 0 /var/log/yum.log
 
 +echo Removing boot, since we don't need that. +rm -rf /boot/* + echo
 Fixing SELinux contexts. /usr/sbin/fixfiles -R -a restore
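Review bot: same unbalanced single quote in `don't` as in the container-medium-19.ks hunk; the two medium kickstarts should be fixed together so they stay in sync. Separately, `rm -rf /boot/*` does not match dotfiles, so anything in /boot starting with `.` survives; `find /boot -mindepth 1 -delete` (or adding `/boot/.[!.]*` to the rm) removes the directory contents completely.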
 
 diff --git a/container/container-minimal-19.ks
 b/container/container-minimal-19.ks index 2548b44..cf0d311 100644 ---
 a/container/container-minimal-19.ks +++
 b/container/container-minimal-19.ks @@ -110,6 +110,8 @@ yum -C -y remove
 passwd --setopt=clean_requirements_on_remove=1 yum -C -y remove findutils
 --setopt=clean_requirements_on_remove=1 yum -C -y remove firewalld
 --setopt=clean_requirements_on_remove=1
 
 +echo Removing boot, since we don't need that. +rm -rf /boot/*
 
 echo Cleaning old yum repodata. yum clean all diff --git
 a/container/container-minimal-20.ks b/container/container-minimal-20.ks 
 index b6df5b4..653cefb 100644 --- a/container/container-minimal-20.ks +++
 b/container/container-minimal-20.ks @@ -110,6 +110,8 @@ yum -C -y remove
 passwd --setopt=clean_requirements_on_remove=1 yum -C -y remove findutils
 --setopt=clean_requirements_on_remove=1 yum -C -y remove firewalld
 --setopt=clean_requirements_on_remove=1
 
 +echo Removing boot, since we don't need that. +rm -rf /boot/*
 
 echo Cleaning old yum repodata. yum clean all
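Review bot: the minimal-19 and minimal-20 hunks carry the same unbalanced single quote in `echo Removing boot, since we don't need that.` as the medium ones, so `rm -rf /boot/*` would be swallowed into the quoted string and the `yum clean all` that follows may never run; quote the message with double quotes. Since the identical two-line cleanup now appears in four kickstarts, consider moving it into a shared snippet pulled in with `%include` so a later fix does not have to be applied four times.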
 
 
 ___ cloud mailing list 
 cloud@lists.fedoraproject.org 
 https://admin.fedoraproject.org/mailman/listinfo/cloud Fedora Code of
 Conduct: http://fedoraproject.org/code-of-conduct
 
In a container image, you do not need to install selinux-policy*, since
SELinux policy is not supported within the container.  From the container's
point of view, SELinux is disabled.

Because of this you can probably also eliminate policycoreutils, although
other packages might suck it back in.
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.14 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlI7PjkACgkQrlYvE4MpobOS2gCfW3OOnCi3KkrRhId9joZ58kGE
oT8AnjIgKnxMBFnGem3vO/yBdq1DWA2B
=sLxT
-END PGP SIGNATURE-


Re: container/container-medium-19.ks container/container-medium-20.ks container/container-minimal-19.ks container/container-minimal-20.ks

2013-09-19 Thread Matthew Miller
On Thu, Sep 19, 2013 at 02:11:05PM -0400, Daniel J Walsh wrote:
 In a container image, you do not need to install selinux-policy*, since
 SELinux policy is not supported within the container.  From the container's
 point of view, SELinux is disabled.
 Because of this you can probably also eliminate policycoreutils, although
 other packages might suck it back in.

Yeah, the medium container is kind of a work-in-progress on this front. I
thought I put selinux-policy on the minus list of packages -- I'll take a
look at what's pulling it in. 

I'm really interested in your thoughts on how selinux might work in this
brave new world. :)

-- 
Matthew Miller  ☁☁☁  Fedora Cloud Architect  ☁☁☁  mat...@fedoraproject.org


Re: container/container-medium-19.ks container/container-medium-20.ks container/container-minimal-19.ks container/container-minimal-20.ks

2013-09-19 Thread Daniel J Walsh
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On 09/19/2013 03:10 PM, Matthew Miller wrote:
 On Thu, Sep 19, 2013 at 02:11:05PM -0400, Daniel J Walsh wrote:
 In a container image, you do not need to install selinux-policy*, since
 SELinux policy is not supported within the container.  From the container's
 point of view, SELinux is disabled. Because of this you can probably also
 eliminate policycoreutils, although other packages might suck it back in.
 
 Yeah, the medium container is kind of a work-in-progress on this front.
 I thought I put selinux-policy on the minus list of packages -- I'll take
 a look at what's pulling it in.
 
 I'm really interested in your thoughts on how selinux might work in this 
 brave new world. :)
 
Well, in its simplest form it would be used to stop one container from messing
with another container using MCS separation.  virt-sandbox does this now, as
well as OpenShift and the SELinux sandbox tool. Basically you run all processes
within the container with a single type, container_t, and all the writable
content is container_file_t.  Then you use a unique MCS label for each
container and its content: container_t:mcs1 cannot touch container_t:mcs2.

We can also define constraints outside the container, like what ports the
container is allowed to use, or what capabilities are available, whether it
can mount, mknod ...

We can also do transitions within the container.  For example, the container
runs as container_setup_t and then, when it executes myapp_exec_t, it will
transition to container_t.  But the whole time nothing within the container
knows about SELinux.
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.14 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlI7NagACgkQrlYvE4MpobOieQCgzzbyouPbbb/JIuI5F/xepwRN
LCkAoKnKCSAEruAI/eNsWwH1h3w552MA
=R1KK
-END PGP SIGNATURE-
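The separation model Dan sketches in his last message (one process type per container, one file type for its writable content, a unique MCS category set per container, and an exec-time type transition) can be modelled in a few lines. The following is an added example, not code from the Fedora kickstarts, from Dan, or from the real SELinux policy: the allow rules, the category names c1/c2 and the container names are constructed for illustration, and the "subject categories must be a superset of the object's" check is a simplification of the real MCS constraints, which treat read and write slightly differently.

```python
"""Toy model of SELinux type enforcement plus MCS category separation for
containers.  Added example with constructed rules and labels; the real
container policy has many more rules and finer-grained MCS constraints."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Label:
    """A context reduced to what matters here: the type and the MCS categories."""
    type_: str
    cats: frozenset = field(default_factory=frozenset)  # e.g. frozenset({"c1"})

    def __str__(self) -> str:
        cats = ",".join(sorted(self.cats))
        return f"{self.type_}:s0" + (f":{cats}" if cats else "")


# Type-enforcement allow rules, constructed for the example:
# (subject type, object type, object class) -> permitted operations.
ALLOW = {
    ("container_t", "container_file_t", "file"): {"read", "write"},
    ("container_t", "container_t", "process"): {"signal"},
    ("container_setup_t", "myapp_exec_t", "file"): {"execute"},
}

# type_transition rules: (current domain, type of the executed file) -> new domain.
TRANSITION = {("container_setup_t", "myapp_exec_t"): "container_t"}


def dominates(subject: Label, obj: Label) -> bool:
    """MCS rule (simplified): the subject's categories must cover the object's.

    An object carrying no categories (plain s0) is therefore reachable from
    every container, which is why per-container content must be labelled."""
    return obj.cats <= subject.cats


def allowed(subject: Label, obj: Label, cls: str, perm: str) -> bool:
    """Access is granted only if both TE (allow rule) and MCS (dominance) agree."""
    te_ok = perm in ALLOW.get((subject.type_, obj.type_, cls), set())
    return te_ok and dominates(subject, obj)


def exec_transition(subject: Label, exe: Label) -> Label:
    """Domain after `subject` executes `exe`: the type may change via a
    type_transition rule, the MCS categories are inherited unchanged, so the
    new domain is still confined to its own container."""
    if not allowed(subject, exe, "file", "execute"):
        raise PermissionError(f"{subject} may not execute {exe}")
    new_type = TRANSITION.get((subject.type_, exe.type_), subject.type_)
    return Label(new_type, subject.cats)


def demo() -> dict:
    """Two constructed containers, 'web' (c1) and 'db' (c2), sharing one type."""
    c1, c2 = frozenset({"c1"}), frozenset({"c2"})
    web, db = Label("container_t", c1), Label("container_t", c2)
    web_data, db_data = Label("container_file_t", c1), Label("container_file_t", c2)
    unlabelled = Label("container_file_t")  # no categories: s0 only
    results = {
        "web writes its own data": allowed(web, web_data, "file", "write"),
        "web writes db data": allowed(web, db_data, "file", "write"),
        "db signals a web process": allowed(db, web, "process", "signal"),
        "web reads category-less file": allowed(web, unlabelled, "file", "read"),
        "setup -> app transition": str(
            exec_transition(Label("container_setup_t", c1), Label("myapp_exec_t", c1))),
    }
    try:  # a binary labelled for another container cannot even be executed
        exec_transition(Label("container_setup_t", c1), Label("myapp_exec_t", c2))
        results["cross-container exec"] = "allowed"
    except PermissionError:
        results["cross-container exec"] = "denied"
    return results


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

The two interesting rows are the denials: same type on both sides, so type enforcement alone would allow the access, and only the category mismatch blocks it. On a real host such a denial surfaces as an AVC record carrying both contexts, which is the signal to watch for when one container starts probing another's files or processes.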