Merge branch 'ewindisch-secopt'

Author: shin-

docker/client.py

@@ -869,7 +869,8 @@ def start(self, container, binds=None, port_bindings=None, lxc_conf=None,
               publish_all_ports=False, links=None, privileged=False,
               dns=None, dns_search=None, volumes_from=None, network_mode=None,
               restart_policy=None, cap_add=None, cap_drop=None, devices=None,
-              extra_hosts=None, read_only=None, pid_mode=None):
+              extra_hosts=None, read_only=None, pid_mode=None,
+              security_opt=None):
 
         if utils.compare_version('1.10', self._version) < 0:
             if dns is not None:
@@ -881,6 +882,12 @@ def start(self, container, binds=None, port_bindings=None, lxc_conf=None,
                     'volumes_from is only supported for API version >= 1.10'
                 )
 
+        if utils.compare_version('1.15', self._version) < 0:
+            if security_opt is not None:
+                raise errors.InvalidVersion(
+                    'security_opt is only supported for API version >= 1.15'
+                )
+
         if utils.compare_version('1.17', self._version) < 0:
             if read_only is not None:
                 raise errors.InvalidVersion(
@@ -897,7 +904,8 @@ def start(self, container, binds=None, port_bindings=None, lxc_conf=None,
             privileged=privileged, dns_search=dns_search, cap_add=cap_add,
             cap_drop=cap_drop, volumes_from=volumes_from, devices=devices,
             network_mode=network_mode, restart_policy=restart_policy,
-            extra_hosts=extra_hosts, read_only=read_only, pid_mode=pid_mode
+            extra_hosts=extra_hosts, read_only=read_only, pid_mode=pid_mode,
+            security_opt=security_opt
         )
 
         if isinstance(container, dict):

docker/utils/utils.py

@@ -353,7 +353,7 @@ def create_host_config(
     publish_all_ports=False, links=None, privileged=False,
     dns=None, dns_search=None, volumes_from=None, network_mode=None,
     restart_policy=None, cap_add=None, cap_drop=None, devices=None,
-    extra_hosts=None, read_only=None, pid_mode=None
+    extra_hosts=None, read_only=None, pid_mode=None, security_opt=None
 ):
     host_config = {}
 
@@ -394,6 +394,14 @@ def create_host_config(
     if dns is not None:
         host_config['Dns'] = dns
 
+    if security_opt is not None:
+        if not isinstance(security_opt, list):
+            raise errors.DockerException(
+                'Invalid type for security_opt param: expected list but found'
+                ' {0}'.format(type(security_opt))
+            )
+        host_config['SecurityOpt'] = security_opt
+
     if volumes_from is not None:
         if isinstance(volumes_from, six.string_types):
             volumes_from = volumes_from.split(',')
@@ -542,5 +550,5 @@ def create_container_config(
         'MemorySwap': memswap_limit,
         'HostConfig': host_config,
         'MacAddress': mac_address,
-        'Labels': labels
+        'Labels': labels,
     }

docs/api.md

@@ -700,6 +700,7 @@ from. Optionally a single string joining container id's with commas
 * extra_hosts (dict): custom host-to-IP mappings (host:ip)
 * pid_mode (str): if set to "host", use the host PID namespace inside the
   container
+* security_opt (list): A list of string values to customize labels for MLS systems, such as SELinux.
 
 ```python
 >>> from docker import Client

tests/test.py

@@ -2270,6 +2270,19 @@ def test_tar_with_directory_symlinks(self):
             tar = tarfile.open(fileobj=archive)
             self.assertEqual(sorted(tar.getnames()), ['bar', 'bar/foo', 'foo'])
 
+    #######################
+    #  HOST CONFIG TESTS  #
+    #######################
+
+    def test_create_host_config_secopt(self):
+        security_opt = ['apparmor:test_profile']
+        result = create_host_config(security_opt=security_opt)
+        self.assertIn('SecurityOpt', result)
+        self.assertEqual(result['SecurityOpt'], security_opt)
+
+        with self.assertRaises(docker.errors.DockerException):
+            create_host_config(security_opt='wrong')
+
 
 class StreamTest(Cleanup, unittest.TestCase):