Luc lucj

## sestatus
[root@node ~]# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      28

## se-example
# Run confined container
[root@node ~]# docker run -it ubuntu /bin/bash
standard_init_linux.go:175: exec user process caused "permission denied"

# Run unconfined container
[root@node ~]# docker run -it --security-opt label:disable ubuntu /bin/bash
root@f76b8d4fa87e:/#

## post-selinux-docker-deamon-options
[root@node /root]$ cat /usr/lib/systemd/system/docker.service
[Unit]
Description=Docker Application Container Engine
Documentation=https://docs.docker.com
After=network.target

[Service]
Type=notify
# the default is not to use systemd for cgroups because the delegate issues still
# exists and systemd currently does not support the cgroup feature set required

## post-selinux-docker-deamon-domain
[root@node ~]$ ps auxZ | egrep 'dockerd|containerd|runc'
system_u:system_r:docker_t:s0   root      7697  0.0  3.5 740448 36520 ?        Ssl  Aug30   0:27 /usr/bin/dockerd --selinux-enabled
system_u:system_r:docker_t:s0   root      7700  0.0  1.0 300076 10604 ?        Ssl  Aug30   0:01 docker-containerd -l unix:///var/run/docker/libcontainerd/docker-containerd.sock --shim docker-containerd-shim --metrics-interval=0 --start-timeout 2m --state-dir /var/run/docker/libcontainerd/containerd --runtime docker-runc

## hybrid.sh
pi@manager1:~ $ docker service create --name web --replicas 6 nginx
5vqndf0trjqyeeypcjkwkd11p

pi@manager1:~ $ docker service ls
ID            NAME  REPLICAS  IMAGE  COMMAND
5vqndf0trjqy  web   4/6       nginx

pi@manager1:~ $ docker service ps web
ID                         NAME       IMAGE  NODE      DESIRED STATE  CURRENT STATE            ERROR
37jnqld47mqe2nu0sdi8b1sq0  web.1      nginx  manager1  Running        Ready 19 seconds ago

## hybrid-2.sh
pi@manager1:~ $ docker service create --name hello --replicas 6 alexellis2/arm-hellonode
361tdrtrbsz1tpxaubx2covdd

pi@manager1:~ $ docker service ls
ID            NAME   REPLICAS  IMAGE                     COMMAND
361tdrtrbsz1  hello  2/6       alexellis2/arm-hellonode

pi@manager1:~ $ docker service ps hello
ID                         NAME         IMAGE                     NODE      DESIRED STATE  CURRENT STATE           ERROR
e9pmjti64omvzuncp8yflr4cf  hello.1      alexellis2/arm-hellonode  worker1   Ready          Ready 10 seconds ago

## nodes.sh
pi@manager1:~ $ docker node ls
ID HOSTNAME STATUS AVAILABILITY MANAGER STATUS
2dv6cokhpag6z3pb0ejsezkvj worker2 Ready Active
aq7cy9pijja19v77cv2ppjb8l * manager1 Ready Active Leader
bsjhpjjunxxtksdz84ch798zb worker1 Ready Active

## hybrid-3.sh
pi@manager1:~ $ docker node update --label-add arc=arm manager1
manager1
pi@manager1:~ $ docker node update --label-add arc=x64 worker1
worker1
pi@manager1:~ $ docker node update --label-add arc=x64 worker2
worker2

pi@manager1:~ $ docker node inspect -f '{{.Spec.Labels}}' manager1
map[arc:arm]
pi@manager1:~ $ docker node inspect -f '{{.Spec.Labels}}' worker1

## hybrid-4.sh
pi@manager1:~ $ docker service create --name web --replicas 6 --constraint 'node.labels.arc == x64' nginx
e0bzdnji3te4ha8l7wx33ig6x

pi@manager1:~ $ docker service ls
ID            NAME  REPLICAS  IMAGE  COMMAND
e0bzdnji3te4  web   6/6       nginx

pi@manager1:~ $ docker service ps web
ID                         NAME   IMAGE  NODE     DESIRED STATE  CURRENT STATE           ERROR
2sqozr8z9i494pyzjpyg0ioue  web.1  nginx  worker1  Running        Running 18 seconds ago

## hybrid-5.sh
pi@manager1:~ $ docker service create --name hello --replicas 6 --constraint 'node.labels.arc == arm' alexellis2/arm-hellonode
20fqregbfqzc3fv5spfdhxtry

pi@manager1:~ $ docker service ls
ID            NAME   REPLICAS  IMAGE                     COMMAND
20fqregbfqzc  hello  6/6       alexellis2/arm-hellonode

pi@manager1:~ $ docker service ps hello
ID                         NAME     IMAGE                     NODE      DESIRED STATE  CURRENT STATE          ERROR
adejiyp6rg58paxl36rowfpyb  hello.1  alexellis2/arm-hellonode  manager1  Running        Running 2 minutes ago
	[root@node ~]# sestatus
	SELinux status: enabled
	SELinuxfs mount: /sys/fs/selinux
	SELinux root directory: /etc/selinux
	Loaded policy name: targeted
	Current mode: enforcing
	Mode from config file: enforcing
	Policy MLS status: enabled
	Policy deny_unknown status: allowed
	Max kernel policy version: 28
	# Run confined container
	[root@node ~]# docker run -it ubuntu /bin/bash
	standard_init_linux.go:175: exec user process caused "permission denied"

	# Run unconfined container
	[root@node ~]# docker run -it --security-opt label:disable ubuntu /bin/bash
	root@f76b8d4fa87e:/#
	[root@node /root]$ cat /usr/lib/systemd/system/docker.service
	[Unit]
	Description=Docker Application Container Engine
	Documentation=https://docs.docker.com
	After=network.target

	[Service]
	Type=notify
	# the default is not to use systemd for cgroups because the delegate issues still
	# exists and systemd currently does not support the cgroup feature set required
	[root@node ~]$ ps auxZ \| egrep 'dockerd\|containerd\|runc'
	system_u:system_r:docker_t:s0 root 7697 0.0 3.5 740448 36520 ? Ssl Aug30 0:27 /usr/bin/dockerd --selinux-enabled
	system_u:system_r:docker_t:s0 root 7700 0.0 1.0 300076 10604 ? Ssl Aug30 0:01 docker-containerd -l unix:///var/run/docker/libcontainerd/docker-containerd.sock --shim docker-containerd-shim --metrics-interval=0 --start-timeout 2m --state-dir /var/run/docker/libcontainerd/containerd --runtime docker-runc
	pi@manager1:~ $ docker service create --name web --replicas 6 nginx
	5vqndf0trjqyeeypcjkwkd11p

	pi@manager1:~ $ docker service ls
	ID NAME REPLICAS IMAGE COMMAND
	5vqndf0trjqy web 4/6 nginx

	pi@manager1:~ $ docker service ps web
	ID NAME IMAGE NODE DESIRED STATE CURRENT STATE ERROR
	37jnqld47mqe2nu0sdi8b1sq0 web.1 nginx manager1 Running Ready 19 seconds ago
	pi@manager1:~ $ docker service create --name hello --replicas 6 alexellis2/arm-hellonode
	361tdrtrbsz1tpxaubx2covdd

	pi@manager1:~ $ docker service ls
	ID NAME REPLICAS IMAGE COMMAND
	361tdrtrbsz1 hello 2/6 alexellis2/arm-hellonode

	pi@manager1:~ $ docker service ps hello
	ID NAME IMAGE NODE DESIRED STATE CURRENT STATE ERROR
	e9pmjti64omvzuncp8yflr4cf hello.1 alexellis2/arm-hellonode worker1 Ready Ready 10 seconds ago
	pi@manager1:~ $ docker node ls
	ID HOSTNAME STATUS AVAILABILITY MANAGER STATUS
	2dv6cokhpag6z3pb0ejsezkvj worker2 Ready Active
	aq7cy9pijja19v77cv2ppjb8l * manager1 Ready Active Leader
	bsjhpjjunxxtksdz84ch798zb worker1 Ready Active
	pi@manager1:~ $ docker node update --label-add arc=arm manager1
	manager1
	pi@manager1:~ $ docker node update --label-add arc=x64 worker1
	worker1
	pi@manager1:~ $ docker node update --label-add arc=x64 worker2
	worker2

	pi@manager1:~ $ docker node inspect -f '{{.Spec.Labels}}' manager1
	map[arc:arm]
	pi@manager1:~ $ docker node inspect -f '{{.Spec.Labels}}' worker1
	pi@manager1:~ $ docker service create --name web --replicas 6 --constraint 'node.labels.arc == x64' nginx
	e0bzdnji3te4ha8l7wx33ig6x

	pi@manager1:~ $ docker service ls
	ID NAME REPLICAS IMAGE COMMAND
	e0bzdnji3te4 web 6/6 nginx

	pi@manager1:~ $ docker service ps web
	ID NAME IMAGE NODE DESIRED STATE CURRENT STATE ERROR
	2sqozr8z9i494pyzjpyg0ioue web.1 nginx worker1 Running Running 18 seconds ago
	pi@manager1:~ $ docker service create --name hello --replicas 6 --constraint 'node.labels.arc == arm' alexellis2/arm-hellonode
	20fqregbfqzc3fv5spfdhxtry

	pi@manager1:~ $ docker service ls
	ID NAME REPLICAS IMAGE COMMAND
	20fqregbfqzc hello 6/6 alexellis2/arm-hellonode

	pi@manager1:~ $ docker service ps hello
	ID NAME IMAGE NODE DESIRED STATE CURRENT STATE ERROR
	adejiyp6rg58paxl36rowfpyb hello.1 alexellis2/arm-hellonode manager1 Running Running 2 minutes ago