c.s.d.c.m.HostConfig.Bind.Builder: add support for automatic SELinux …

…labeling
vladbusov · Jan 13, 2018 · 40da95a · 40da95a
1 parent f779611
commit 40da95a
Show file tree

Hide file tree

Showing 2 changed files with 76 additions and 0 deletions.
diff --git a/src/main/java/com/spotify/docker/client/messages/HostConfig.java b/src/main/java/com/spotify/docker/client/messages/HostConfig.java
@@ -681,6 +681,9 @@ public static BuilderFrom from(final Volume volumeFrom) {
     @Nullable
     public abstract Boolean noCopy();
 
+    @Nullable
+    public abstract Boolean selinuxLabeling();
+
     public static Builder builder() {
       return new AutoValue_HostConfig_Bind.Builder().readOnly(false);
     }
@@ -704,6 +707,15 @@ public String toString() {
         options.add("nocopy");
       }
 
+      if (selinuxLabeling() != null) {
+        // shared
+        if (Boolean.TRUE.equals(selinuxLabeling())) {
+          options.add("z");
+        } else {
+          options.add("Z");
+        }
+      }
+
       final String optionsValue = Joiner.on(',').join(options);
 
       return (optionsValue.isEmpty()) ? bind : bind + ":" + optionsValue;
@@ -762,6 +774,15 @@ public Builder from(final Volume volumeFrom) {
 
       public abstract Builder noCopy(Boolean noCopy);
 
+      /**
+       * Turn on automatic SELinux labeling of the host file or directory being
+       * mounted into the container.
+       * @param sharedContent True if this bind mount content is shared among multiple 
+       *     containers (mount option "z"); false if private and unshared (mount option "Z")
+       * @return {@link Builder}
+       */
+      public abstract Builder selinuxLabeling(Boolean sharedContent);
+
       public abstract Bind build();
     }
   }

diff --git a/src/test/java/com/spotify/docker/client/DefaultDockerClientUnitTest.java b/src/test/java/com/spotify/docker/client/DefaultDockerClientUnitTest.java
@@ -21,9 +21,12 @@
 package com.spotify.docker.client;
 
 import static com.spotify.docker.FixtureUtil.fixture;
+import static org.hamcrest.Matchers.allOf;
 import static org.hamcrest.Matchers.contains;
 import static org.hamcrest.Matchers.containsInAnyOrder;
+import static org.hamcrest.Matchers.containsString;
 import static org.hamcrest.Matchers.equalTo;
+import static org.hamcrest.Matchers.hasItem;
 import static org.hamcrest.Matchers.hasKey;
 import static org.hamcrest.Matchers.hasSize;
 import static org.hamcrest.Matchers.is;
@@ -53,6 +56,7 @@
 import com.spotify.docker.client.exceptions.NotFoundException;
 import com.spotify.docker.client.messages.ContainerConfig;
 import com.spotify.docker.client.messages.HostConfig;
+import com.spotify.docker.client.messages.HostConfig.Bind;
 import com.spotify.docker.client.messages.RegistryAuth;
 import com.spotify.docker.client.messages.RegistryConfigs;
 import com.spotify.docker.client.messages.ServiceCreateResponse;
@@ -956,7 +960,58 @@ public void testListNodesWithServerError() throws Exception {
 
     dockerClient.listNodes();
   }
+
+  @Test
+  public void testBindBuilderSelinuxLabeling() throws Exception {
+    final DefaultDockerClient dockerClient = new DefaultDockerClient(builder);
+
+    final Bind bindNoSelinuxLabel = HostConfig.Bind.builder()
+        .from("noselinux")
+        .to("noselinux")
+        .build();
+
+    final Bind bindSharedSelinuxContent = HostConfig.Bind.builder()
+        .from("shared")
+        .to("shared")
+        .selinuxLabeling(true)
+        .build();
+
+    final Bind bindPrivateSelinuxContent = HostConfig.Bind.builder()
+        .from("private")
+        .to("private")
+        .selinuxLabeling(false)
+        .build();
+
+    final HostConfig hostConfig = HostConfig.builder()
+        .binds(bindNoSelinuxLabel, bindSharedSelinuxContent, bindPrivateSelinuxContent)
+        .build();
+
+    final ContainerConfig containerConfig = ContainerConfig.builder()
+        .hostConfig(hostConfig)
+        .build();
+
+    server.enqueue(new MockResponse());
+
+    dockerClient.createContainer(containerConfig);
+
+    final RecordedRequest recordedRequest = takeRequestImmediately();
 
+    final JsonNode requestJson = toJson(recordedRequest.getBody());
+
+    final JsonNode binds = requestJson.get("HostConfig").get("Binds");
+
+    assertThat(binds.isArray(), is(true));
+
+    Set<String> bindSet = childrenTextNodes((ArrayNode) binds);
+    assertThat(bindSet, hasSize(3));
+
+    assertThat(bindSet, hasItem(allOf(containsString("noselinux"),
+        not(containsString("z")), not(containsString("Z")))));
+
+    assertThat(bindSet, hasItem(allOf(containsString("shared"), containsString("z"))));
+    assertThat(bindSet, hasItem(allOf(containsString("private"), containsString("Z"))));
+  }
+
   private void enqueueServerApiResponse(final int statusCode, final String fileName)
       throws IOException {
     server.enqueue(new MockResponse()